Forensic
Version 6.18
User's Guide
Copyright 1997-2010 Guidance Software, Inc. All rights reserved.
EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the
United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as
the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or
copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to
infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc.
Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no
part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical,
photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they
are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com.
Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.
Contents
Overview 7
  EnCase Forensic 8
Version 6.18 New Features 11
  PGP 10 Whole Disk Encryption (WDE) Support 12
  Enhanced CREDANT Support 12
  GuardianEdge Hard Disk and Symantec Endpoint Encryption Support 12
  Windows 7 BitLocker and BitLocker to Go Support 12
  Enhanced Oracle Outside In Technology Support 12
  ext3 Support 12
  Enhanced S/MIME Encryption Support 12
  National Software Reference Library (NSRL) Hash Sets RDS Support 13
  Enhanced Rights Management Services (RMS) Support 13
  Enhanced EnCase Help Menu 13
Installing EnCase Forensic 15
  EnCase Installer 16
  Obtaining Updates 21
  Configuring EnCase 21
  Sharing Configuration (INI) Files 30
  Vista Examiner Support 31
  Running a 32-bit Application on a 64-bit Platform 31
The EnCase Interface 33
  Overview 34
  System Menu Bar 34
  Toolbar 39
  Panes Overview 39
  Tree Pane 41
  Table Pane 46
  View Pane 54
  Filter Pane 61
  Status Bar 72
Case Management 75
  Overview of Case Structure 76
  Case Related Features 80
  New Case Wizard 86
  Using a Case 87
  Opening a Case 92
  Saving a Case 92
  Closing a Case 93
Working with Evidence 95
  Overview 96
  Supported File Systems and Operating Systems 98
  Using Snapshots 101
  Getting Ready to Acquire the Content of a Device 101
  Acquiring 111
  Delayed Loading of Internet Artifacts 145
  Hashing 148
  Logical Evidence Files 151
  Recovering Folders 154
  Recovering Partitions 156
  Restoring Evidence 158
  Snapshot to DB Module Set 162
  WinEn 172
  Wipe Drive 176
Source Processor 179
  Overview 180
  Collection Jobs 186
  Modules 196
  Analysis Jobs 210
  Reports 219
  Managing EnCase Portable 222
Analyzing and Searching Files 231
  Signature Analysis 232
  EnScript Programming Language 240
  Hash Analysis 241
  File Hashing 242
  Hash Sets 243
  Keyword Searches 246
  Encode Preview 268
  Indexing 270
  Searching for Email 274
  Tag Records 287
  App Descriptors 288
Viewing File Content 293
  Viewing Files 294
  File Viewers 301
  View Pane 304
  Viewing Compound Files 307
  Viewing Base64 and UUE Encoded Files 318
  NTFS Compressed Files 319
  Gallery Tab 319
Bookmarking Items 323
  Bookmarks Overview 324
  Bookmark Features 327
  Creating a Bookmark 335
  Using Bookmarks 344
  Copying Selected Items from One Folder to Another 363
Reporting 365
  Reporting 366
  Report User Interface 366
  Creating a Report Using the Report Tab 368
  Creating a Report Using Case Processor 383
EnScript Analysis 385
  EnScript Analysis 386
  Enterprise EnScript Programs 386
  Forensic EnScript Code 396
  EnScript Example Code 413
  Enhanced EnScript Tab 419
  Packages 419
Working with Non-English Languages 427
  Working with Non-English Languages 428
  Non-English Language Features 428
  Options Dialog Font Tab 429
  Configuring Non-English Language Support 433
Using LinEn 445
  Introduction 446
  Viewing the License for LinEn 446
  Creating a LinEn Boot Disk 446
  Configuring Your Linux Distribution 447
  Performing Acquisitions with LinEn 448
  LinEn Evidence Verification and Status Reporting 466
  Hashing the Subject Drive Using LinEn 468
  LinEn Manual Page 470
EnCase Decryption Suite 473
  Overview 474
  EDS Features 474
  Product Matrix 476
  Using EDS 477
  Secure Storage Tab 480
  Secure Storage Items 485
  SafeBoot Encryption Support (Disk Encryption) 486
  Utimaco SafeGuard Easy Encryption Support 490
  BitLocker Encryption Support (Volume Encryption) 497
  WinMagic SecureDoc Encryption Support 504
  GuardianEdge Encryption Support 507
  PGP Whole Disk Encryption (WDE) Support 510
  CREDANT Encryption Support (File-Based Encryption) 514
  S/MIME Encryption Support 520
  NSF Encryption Support 525
  Lotus Notes Local Encryption Support 527
  Windows Rights Management Services (RMS) Support 532
  Windows Key Architecture 537
  Dictionary Attack 537
Physical Disk Emulator 541
  Physical Disk Emulator 542
  Using Physical Disk Emulator 542
  Third-Party Tools 547
  Boot Evidence Files and Live Systems with VMware 548
  VMware/EnCase PDE FAQs 552
  PDE Troubleshooting 554
Virtual File System 555
  Virtual File System 556
  Mounting Evidence with VFS 556
  Dismount the Network Share 565
  Accessing the Share 565
  Third-Party Tools 567
  VFS Server 570
  Troubleshooting 574
FastBloc SE Module 577
  FastBloc SE Module 578
  Background Information 578
  ProSuite FastBloc SE/SATA/IDE Support for Vista 64-bit 579
  Installing the FastBloc SE Module 580
  Using the FastBloc SE Module 580
  Disk Caching 586
  Troubleshooting 587
CD/DVD Module 591
  CD/DVD Module 592
  Burning Evidence Files During Acquisition 592
  Burning Logical Evidence Files During Acquisition 594
  Burning Files and Reports 595
  Burning Existing Evidence and Logical Evidence Files 600
Glossary of Terms 603
  Overview 603
Support 609
  Technical Support 609
  Customer Service 610
  Professional Services 610
  Technical Manuals and Release Notes 611
  Online Support 611
  Training 615
Index 617
CHAPTER 1
Overview
In This Chapter
EnCase Forensic
8 EnCase Forensic Version 6.18
EnCase Forensic
EnCase Forensic provides investigators with a single tool capable of conducting large-scale and
complex investigations from beginning to end. It features an intuitive GUI, superior analytics,
enhanced email/Internet support and a powerful scripting engine.
EnCase Forensic enables you to:
Acquire data in a forensically sound manner using software with an unparalleled record in
courts worldwide
Investigate and analyze multiple platforms (Windows, Linux, AIX, OS X, Solaris and more)
using a single tool
Save analysis time by automating complex and routine tasks with prebuilt EnScript modules,
such as Initialized Case and Event Log analysis
Find information despite efforts to hide, cloak or delete
Easily manage large volumes of computer evidence, viewing all relevant files, including
"deleted" files, file slack and unallocated space
Transfer evidence files directly to law enforcement or legal representatives as necessary
Review options that allow non-investigators, such as attorneys, to review evidence with ease
Use reporting options for quick report preparation
Forensically Sound Acquisitions
EnCase Forensic produces an exact binary duplicate of the original drive or media, then verifies it by
generating MD5 hash values for related image files and assigning Cyclic Redundancy Check (CRC)
values to the data. These checks and balances reveal when evidence has been tampered with or
altered, helping to keep all digital evidence forensically sound for use in court proceedings.
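As an added illustration of the check described above (example code written for this guide, not EnCase's own code or container format), the following models the two-level verification: one MD5 over the entire acquired image and a CRC over each block of data, so that a verifier can report not only whether evidence changed but which block changed. The 64-sector block size and the sample image are assumptions constructed for the example.

```python
import hashlib
import zlib

SECTOR_SIZE = 512
BLOCK_SECTORS = 64                       # assumed: one CRC per 64-sector block
BLOCK_SIZE = SECTOR_SIZE * BLOCK_SECTORS


def _blocks(data: bytes):
    """Yield (block_number, block_bytes) over the image in CRC-block units."""
    for n, off in enumerate(range(0, len(data), BLOCK_SIZE)):
        yield n, data[off:off + BLOCK_SIZE]


def acquire_record(image: bytes) -> dict:
    """Verification record produced at acquisition time: the image size,
    one MD5 over the entire image, and a CRC32 for every block."""
    return {
        "size": len(image),
        "md5": hashlib.md5(image).hexdigest(),
        "crcs": [zlib.crc32(blk) for _, blk in _blocks(image)],
    }


def verify_image(image: bytes, record: dict) -> dict:
    """Re-check a stored image against its acquisition record.

    The whole-image MD5 answers whether the evidence still matches; the
    per-block CRCs answer where it differs, so a damaged or altered region
    can be located instead of the whole image simply being distrusted."""
    result = {
        "size_ok": len(image) == record["size"],
        "md5_ok": hashlib.md5(image).hexdigest() == record["md5"],
        "bad_blocks": [],
    }
    seen = 0
    for n, blk in _blocks(image):
        seen = n + 1
        # A block beyond the recorded count, or one whose CRC changed, fails.
        if n >= len(record["crcs"]) or zlib.crc32(blk) != record["crcs"][n]:
            result["bad_blocks"].append(n)
    # Blocks that were recorded but are now missing (truncation) also fail.
    result["bad_blocks"].extend(range(seen, len(record["crcs"])))
    result["verified"] = (result["size_ok"] and result["md5_ok"]
                          and not result["bad_blocks"])
    return result


def demo() -> dict:
    """Constructed sample: a three-block 'drive' image, verified as acquired,
    after one byte is flipped in block 1, and after the last block is lost."""
    image = bytes((i * 7 + 3) % 256 for i in range(3 * BLOCK_SIZE))
    record = acquire_record(image)
    tampered = bytearray(image)
    tampered[BLOCK_SIZE + 100] ^= 0x01       # single-bit change inside block 1
    return {
        "clean": verify_image(image, record),
        "tampered": verify_image(bytes(tampered), record),
        "truncated": verify_image(image[:2 * BLOCK_SIZE], record),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```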
Advanced Productivity Features
Examiners can preview data while drives or other media are being acquired. Once the image files are
created, examiners can search and analyze multiple drives or other media simultaneously. EnCase
Forensic also features a case indexer. This powerful tool builds a complete index in multiple
languages, allowing for fast and easy queries. Indices can also be chained together to find keywords
common to other investigations. This Unicode-supported index contains personal documents, deleted
files, file system artifacts, file slack, swap files, unallocated space, email and Web pages. In addition,
EnCase has extensive file system support for analyzing all types of data.
EnScript Programming
EnCase Forensic features EnScript programming capabilities. EnScript, an object-oriented
programming language similar to Java or C++, allows you to create custom programs to help automate
time-consuming investigative tasks, such as searching and analyzing specific document types or other
labor-intensive processes and procedures. Any level of investigator can harness these capabilities by
using one of Forensic's tools, such as the Case Developer or one of numerous built-in filters and
conditions.
Actionable Data and Reports
Once you have bookmarked relevant data, you can create a report suitable for:
Presentation in court
Management
Another legal authority
You can also export data in multiple file formats for review.
CHAPTER 2
Version 6.18 New Features
In This Chapter
PGP 10 Whole Disk Encryption (WDE) Support
Enhanced CREDANT Support
GuardianEdge Hard Disk and Symantec Endpoint Encryption Support
Windows 7 BitLocker and BitLocker to Go Support
Enhanced Oracle Outside In Technology Support
ext3 Support
Enhanced S/MIME Encryption Support
National Software Reference Library (NSRL) Hash Sets RDS Support
Enhanced Rights Management Services (RMS) Support
Enhanced EnCase Help Menu
PGP 10 Whole Disk Encryption (WDE) Support
EnCase now supports PGP 10 WDE for:
Windows
Mac OS 10.5
Mac OS 10.6
Enhanced CREDANT Support
EnCase now supports CREDANT Mobile Guardian versions 6.1 through 6.8.
GuardianEdge Hard Disk and Symantec Endpoint Encryption
Support
EnCase now supports these versions of GuardianEdge Hard Disk (GEHD) and the corresponding
versions of Symantec Endpoint Encryption (SEE):
GEHD 9.4.0 and SEE 7.0.4
GEHD 9.5.0 and SEE 7.0.5
GEHD 9.5.1 and SEE 7.0.6
Windows 7 BitLocker and BitLocker to Go Support
EnCase now provides the ability to detect and decrypt volumes encrypted using Windows 7 BitLocker
and Windows 7 BitLocker to Go.
Enhanced Oracle Outside In Technology Support
EnCase now supports Outside In version 8.3.5.
Enhanced ext3 Support
EnCase ext3 file system support now includes the Ubuntu distribution.
Enhanced S/MIME Encryption Support
DecryptMsg in the S/MIME parser has been updated to work with 168-bit 3DES.
National Software Reference Library (NSRL) Hash Sets RDS
Support
EnCase now supports NSRL Hash Sets RDS 2.29 and 2.30.
Enhanced Rights Management Services (RMS) Support
EnCase now provides the ability to decrypt any RMS encrypted attachment to an unencrypted email
in a single step.
Enhanced EnCase Help Menu
The EnCase Help menu now includes a link to Guidance Software Online Support.
CHAPTER 3
Installing EnCase Forensic
In This Chapter
EnCase Installer
Obtaining Updates
Configuring EnCase
Sharing Configuration (INI) Files
Vista Examiner Support
Running a 32-bit Application on a 64-bit Platform
EnCase Installer
The EnCase installer copies the program and its drivers to the end user's computer or client and
initializes drivers and services with the operating system.
You can specify where to install EnCase. The default is the Program Files folder. If you used the
selected directory for a previous installation of EnCase, the installer overwrites any existing program
files, logs, and drivers.
Minimum Requirements
For best performance, you should configure examination computers with at least the following
hardware and software:
An EnCase security key (also known as a dongle)
Certificates for all purchased modules (known as certs)
A current version of EnCase Examiner
Pentium IV 1.4 GHz or faster processor
One GB of RAM
Windows 2000, XP Professional, or 2003 Server
55 MB of free hard drive space
EnCase also supports these 64-bit versions of Windows:
  XP
  Server 2003
  Server 2008
  Server 2008 R2
  Vista
  Windows 7
with the following applications and modules:
  Examiner 32-bit and 64-bit
  ProSuite 32-bit and 64-bit, consisting of these modules:
    EnCase Decryption Suite (EDS)
    Virtual File System (VFS)
    Physical Disk Emulator (PDE)
    FastBloc SE
  Servlets 32-bit and 64-bit
Note: Intel Itanium processors are not supported. FastBloc SE supports only the USB interface with the 64-bit version.
Installing the Examiner
If you are using Local Processing, insert the CD and wait for autostart. Do this for each client. If you
are using Terminal Services, install the program using the Add/Remove programs wizard on the
application server.
The installation wizard opens:
Note: C:\Program Files\EnCase6 is the default install path.
1. Enter an installation path or accept the default, then click Next.
2. Read the EnCase Forensic License Agreement, click the I Agree checkbox, then click Next.
3. The Installation Folder dialog opens:
4. Click Next. A progress bar displays during installation.
5. When installation finishes, a setup complete screen displays.
6. Click Finish.
Installed Files
During installation, the program copies itself and a collection of associated files to the target directory.
The installer places a startup icon on the desktop. In addition, a number of folders and files are
installed in the target folder during installation.
Certs Folder
EnCase.pcert
Config Folder
AppDescriptors.ini
FileSignatures.ini
FileTypes.ini
Filters.ini
Keywords.ini
Profiles.ini
TextStyles.ini
Storage Folder
CaseReport.ini
Compromise Assessment Module.ini
DifferentialReport.ini
SweepEnterpriseWEbReport.ini
Forensic EnScript Component Folder
Case Processor.EnScript
File Mounter.EnScript
Index Case.EnScript
Scan Local Machine.EnScript
Webmail Parser.EnScript
Uninstalling the Examiner
The uninstaller works only on identical software versions.
1. Have backups of evidence and case files prior to making any modifications to any software on
an examination machine.
2. Close any running versions of EnCase.
3. Open Windows Control Panel, then double click Change or Remove Programs.
4. Select the EnCase version to remove, then click Change/Remove.
5. The EnCase uninstall wizard runs and the first screen displays.
6. Enter or navigate to the software's location in the Install Path field. The default is
C:\Program Files\Encase6.
7. Click Next. The uninstall wizard opens.
8. Click Next.
9. Select Uninstall, then click Next. A progress bar displays during the uninstall process.
10. The last page of the uninstall wizard displays.
11. Select Reboot Later or Reboot Now, then click Finish.
Reinstalling the Examiner
Reinstall refreshes certain files and settings and is a variation of the install program.
Reinstall creates a new log file and reinstalls the following items:
Application files
Registry keys
Needed user files
All EnScripts
Note: If you previously modified EnScripts without placing the modified EnScripts in another folder,
they are lost during reinstallation.
Reinstall retains and does not change these items:
Licenses
Certificates
User settings
Obtaining Updates
When you receive your product, register with Guidance Software to receive updates. Registration is
available at https://www.guidancesoftware.com/myaccount/registration.aspx.
If you have trouble registering your product, contact Customer Service (see page 609). If you have
trouble downloading the updates once registered, contact Technical Support (see page 609).
Configuring EnCase
You can configure various aspects of EnCase according to your needs or preferences. These settings
are used each time you start EnCase. You are not required to open a case.
1. Click Tools > Options.
2. Click the desired tab and change the settings as needed, then click OK.
Note: Some changes made to the options settings take effect only after you restart EnCase, while
others take effect immediately.
The Options dialog contains these tabs:
Case Options (available only if a case is open)
Global
Debug
NAS
Colors
Fonts
EnScript
Storage Paths
Enterprise
Case Options Tab
The Case Options tab contains settings that apply to the open case.
Name: The case name is the default filename when you save the case. You can change the filename
when you save the file.
Examiner Name is the name of the forensic examiner.
Default Export Folder is the path and name of the folder where files are exported.
Temporary Folder is the path and name of the folder where temporary files are created.
Index Folder is the path and name of the folder where the index for any indexed file or collection of files is stored.
Global Tab
The Global tab of the Options dialog contains settings that apply to all cases.
Auto Save Minutes (0 = None) indicates the number of minutes between automatic saves of case files.
Automatically saved data is written to *.CBAK files in the EnCase6 backup directory.
Backup Files shows the maximum number of files stored as backup files when you save a case. The
default is 9.
Use Recycle Bin for Cases determines whether the current case file is moved to the Recycle Bin or
overwritten when you save the file manually.
Show True is the text used to indicate a true value in table columns displayed in the Table tab of the Table pane.
Show False is the text used to indicate a false value in table columns displayed in the Table tab of the Table pane.
Flag Lost Files determines whether lost clusters are treated as unallocated space. This decreases the
amount of time required to access the evidence file. When selected, all lost clusters display in the Disk
tab as unallocated clusters.
Enable Picture Viewer uses the picture viewer for graphics of the appropriate formats.
Enable ART Image Display determines whether ART image files are displayed. When corrupt files of
this type are encountered, they can cause the program to crash. This setting enables you to limit the
impact of corrupted ART files.
Invalid Picture Timeout (seconds) indicates the amount of time the program attempts to read a
corrupt graphics file before timing out. When the read times out, the corrupt file is sent to the cache
and no attempt is made to read it again.
Enable Pictures in Doc View displays graphics or image files using Oracle's Outside In technology in
the Doc tab of the View pane.
Date Format includes these options:
MM/DD/YY (for example, 06/21/08)
DD/MM/YY (for example, 21/06/08)
Other enables you to specify your own date format.
Current Day displays the current date in the specified date format.
Time Format includes these options:
12:00:00PM uses a 12 hour clock for the time format.
24:00:00 uses a 24 hour clock for the time format.
Other enables you to specify your own time format.
Current Time displays the current time in the specified time format.
Change Code Page opens the Global Code Page dialog, where you can specify a different code page.
The default is Western European (Windows).
Debug Tab
Use this tab to specify debugging information and options.
The Startup window displays information about the system and the particular instance of EnCase.
This information can be useful when you are troubleshooting issues.
Debug Logging determines what action is taken if EnCase crashes. There are three options:
Off: No debug logging is performed (default).
Stack: This option saves a stack dump if EnCase crashes. This file contains data that the
crashing subsystem used, the system .dlls that were loaded at the time, and the version of
EnCase. The information captured in a Stack dump log generally does not contain case specific
data, but it can.
Heap: This option saves a heap dump if EnCase crashes. It is the recommended option for
most EnCase crash issues. The heap is a superset of the stack, and also contains data from
process memory the program uses while running. This results in a considerably larger dump
file (potentially in the gigabyte range). Note that a heap dump frequently contains case
specific data, including data from the evidence.
Note: For quickest debugging of the crash, select the Heap option.
Detect FastBloc checkbox (checked by default): Clear this checkbox if a device is hanging during
FastBloc detection.
Colors Tab
This tab enables you to associate colors with various case elements.
Double click a listed element to open the Edit dialog, which shows the current background and
foreground colors. Foreground refers to the color of text or numbers.
To change colors, double click Background or Foreground in the Edit dialog. A Color dialog opens,
where you can make a new color selection.
For a greater range of colors, click Define Custom Colors.
Fonts Tab
Use this tab to apply fonts to various case elements.
Default Fonts contains a list of case elements where you can apply fonts. Double click an item in the
list to open the Font dialog.
The options are:
Font
Font style
Size
A preview of the options you select displays in the Sample box.
Use the Script dropdown menu to select a character set. Western is the default.
EnScript Tab
Use this tab to specify options used by EnScript programs.
Click the Show line numbers checkbox to display line numbers in the gutter area when viewing or
editing text in the EnScript code window.
Click the Debug runtime errors checkbox to automatically launch the debugger when an error is
encountered while executing an EnScript.
Include Path displays the name of the folder containing the include files. The default folder is
C:\Program Files\EnCase\EnScript\Include; however, you can store include files in a
different folder within ...\EnScript\.
Add only the folder name, not the complete path.
Separate multiple folder locations with a semicolon.
In the Warning group box, click the checkboxes to select which warnings you want to display while
running a script.
Storage Paths Tab
The Storage Paths tab captures paths for files used by EnCase.
The picture shows storage path default settings. You can change the index, cache, and backup folders
by entering a new path or navigating to and selecting the desired folder.
In the INI Files box, you can change an .ini folder's location and select whether it is writable. For more
information, see Sharing Configuration (INI) Files on page 30.
Sharing Configuration (INI) Files
INI files are plain text files containing configuration information. EnCase uses these files to store
settings such as file signatures and keywords.
Each INI file is populated by customizations the investigator makes while using EnCase. Keyword and
file signature files may be of particular interest. Investigators may find it useful to share these files
with other investigators.
To share startup files:
1. Click Tools > Options and select the Storage Paths tab.
2. Double click the row containing the desired INI file.
3. The Edit <.ini file name> dialog containing the path to the INI file opens.
4. Enter the path of the INI file you want to use.
5. The Writable checkbox is selected by default. Clear it if you do not want the file to be writable.
6. Click OK.
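Because the keyword and file signature INI files are the ones examiners most often share, it helps to see how a signature table drives a signature analysis once it is loaded. The Python below is an added example, not code from EnCase or Guidance Software. It reads a small constructed signature table written in a simplified INI layout (the section names, the header and extensions keys, and the sample values are this example's own assumptions, not the schema of EnCase's FileSignatures.ini), then classifies a few constructed file entries by comparing the type implied by the extension with the type implied by the leading bytes, which is the comparison a signature analysis performs. The status names (match, alias, bad_signature, unknown) are likewise the example's own labels.

```python
"""Added example: signature analysis driven by a shareable INI signature table.

The INI layout here is a simplified construction for the example; it is not the
schema of EnCase's FileSignatures.ini.
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample table. Each section is a file type; 'header' holds the
# leading bytes as hex and 'extensions' the extensions normally used for it.
SIGNATURES_INI = """
[JPEG image]
header = FFD8FF
extensions = jpg, jpeg

[PNG image]
header = 89504E470D0A1A0A
extensions = png

[Windows executable]
header = 4D5A
extensions = exe, dll, sys

[ZIP archive]
header = 504B0304
extensions = zip, docx, xlsx
"""

Signature = Tuple[str, bytes, Set[str]]  # (type name, header bytes, extensions)


def load_signatures(ini_text: str) -> List[Signature]:
    """Parse the INI text into (name, header, extensions) entries, longest
    header first so that the most specific magic value wins."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sigs: List[Signature] = []
    for name in cp.sections():
        header = bytes.fromhex(cp[name]["header"])
        exts = {e.strip().lower() for e in cp[name]["extensions"].split(",") if e.strip()}
        sigs.append((name, header, exts))
    sigs.sort(key=lambda s: len(s[1]), reverse=True)
    return sigs


def type_from_header(data: bytes, sigs: List[Signature]) -> Optional[str]:
    """What the file's leading bytes say it is (None if no signature matches)."""
    for name, header, _ in sigs:
        if data.startswith(header):
            return name
    return None


def type_from_extension(filename: str, sigs: List[Signature]) -> Optional[str]:
    """What the file's extension says it is (None if the extension is unknown)."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    for name, _, exts in sigs:
        if ext in exts:
            return name
    return None


@dataclass
class SignatureResult:
    filename: str
    status: str                 # match / alias / bad_signature / unknown
    by_extension: Optional[str]
    by_header: Optional[str]


def analyse_entry(filename: str, data: bytes, sigs: List[Signature]) -> SignatureResult:
    """Compare the extension-derived type with the header-derived type.

    match:         both agree
    alias:         header is a known type but the extension is not one of its
                   usual ones (for example an executable stored as .txt)
    bad_signature: extension is known but the header matches nothing
    unknown:       neither extension nor header is in the table
    """
    by_ext = type_from_extension(filename, sigs)
    by_hdr = type_from_header(data, sigs)
    if by_hdr is None and by_ext is None:
        status = "unknown"
    elif by_hdr is None:
        status = "bad_signature"
    elif by_hdr == by_ext:
        status = "match"
    else:
        status = "alias"
    return SignatureResult(filename, status, by_ext, by_hdr)


# Constructed sample entries (file name, first bytes) standing in for evidence.
SAMPLE_ENTRIES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00"),
    ("archive.zip", b"\x00\x00\x00\x00\x00\x00"),
    ("readme", b"plain text with no header"),
    ("invoice.exe", b"\x89PNG\r\n\x1a\n"),
]


def run_signature_analysis(entries, sigs: List[Signature]) -> List[SignatureResult]:
    """Analyse every (filename, data) pair against the loaded table."""
    return [analyse_entry(name, data, sigs) for name, data in entries]


if __name__ == "__main__":
    table = load_signatures(SIGNATURES_INI)
    for r in run_signature_analysis(SAMPLE_ENTRIES, table):
        print(f"{r.filename:14} {r.status:14} ext={r.by_extension} header={r.by_header}")
```

The point of sharing the table as a file rather than as code is visible here: a colleague who adds a section for a new type changes the classification of every examiner who loads that INI, which is also why the Writable checkbox matters when the file lives on a shared path.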
Vista Examiner Support
EnCase must run as an administrator to view local devices on the local Vista computer.
To run as administrator:
1. Start EnCase.
2. Vista displays a prompt with the heading An unidentified program wants access to your
computer:
3. Click Allow.
Running a 32-bit Application on a 64-bit Platform
There are limitations in running a 32-bit application (for example, EnCase, SAFE, or Servlet) on a 64-bit
platform. You will only get basic snapshot information such as ports or processes. For full results, you
must run the application on the correct platform.
CHAPTER 4
The EnCase Interface
In This Chapter
Overview
System Menu Bar
Toolbar
Panes Overview
Tree Pane
Table Pane
View Pane
Filter Pane
Status Bar
Overview
All EnCase features are accessed from the main EnCase window. The components of this window are:
System menu bar
Toolbar
Four panes
Tree
Table
View
Filter
Status bar (GPS bar on left/status on right)
System Menu Bar
At the top of the main window, the system menu bar contains the following menu commands:
File
Edit
View
Tools
Help
The functions available for a menu selection may change depending upon your current task.
File Menu
The File menu commands manipulate application files and global application settings:
New creates a new case.
Open opens a previously saved case file.
Save saves the current file.
Save As saves the current case file under a different name.
Save All saves the current file information for both the case file and the EnCase global settings.
Print defines the print settings and enables you to output to a printer or .PDF file.
Note: To display Asian language characters correctly, go to Tools > Fonts > Options and select
Arial Unicode MS.
Printer Setup selects a printer and defines printer settings. The printer must be connected and
functioning when you specify these values.
Add Device defines the preview and acquisition parameters for a device. This appears only when
a case is open.
Add Raw Image enables you to select image files to be added to the open case. This appears only
when a case is open.
Exit closes the program. If display settings or case configurations have changed, you are prompted
to save before exiting.
Edit Menu
The Edit menu commands work on the objects and content in the currently selected tab:
Export copies file data and attributes to a text file with a name and location of your choice. The
exported data can be imported into another application, such as a database or spreadsheet.
Copy/UnErase enables you to copy recovered files and folders to one or more destination files. Files
are copied in a flat folder structure.
Copy Folders copies the contents of selected folders to a destination. The original structure is
retained.
Bookmark Data creates and defines a data bookmark.
Tag Records {research and document}
Activate Single Files enables you to add individual files to a case.
Create Hash Set creates and categorizes a hash set for selected files that have already been hashed.
Create Logical Evidence File enables you to create a new logical evidence file to contain selected
files.
Mount as Network Share mounts an acquired device as a network share. This appears when the
Virtual File System module is installed.
Expand/Contract expands or contracts the selected branch in the tree pane.
Expand All expands all branches of the tree.
Contract All contracts all branches of the tree.
Set Included Folders selects all objects in a tree and its branches. If all objects are selected, this
command clears all nodes.
Include Sub Folders selects all objects in a tree and its branches.
Include Single Folder selects all objects in a tree, without its branches.
View Menu
The View menu commands provide access to every tab and sub-tab in the Tree pane. Unless otherwise
noted, tabs are not shown by default.
App Descriptors displays the App Descriptor tabs:
Home
Hash Properties
Archive Files displays the Archive File tab.
Cases displays the Cases tabs, shown by default.
Home
Entries
Bookmarks
Search Hits
Records
Devices
Secure Storage
Keywords
Encryption Keys displays the Encryption Keys tab, shown by default.
EnScript displays the EnScript tab.
EnScript Types displays the EnScript Types tab.
File Signatures displays the File Signatures tab.
File Types displays the File Types tab.
File Viewers displays the File Viewers tab.
Hash Sets displays the Hash Set tabs:
Home
Hash Items
Keywords displays the Keywords tab in the tree pane.
Machine Profiles displays the Machine Profiles tabs:
Home
Allowed
Packages displays the Packages tab.
Projects displays the Projects tab.
SAFEs displays the SAFEs tabs:
Home
Network
Roles
Users
Events
Text Styles displays the Text Styles tab.
SAFEs/Cases Sub-Tabs displays, in menu form, the sub-tabs currently available in the tree pane.
The commands are the same regardless of how they are accessed.
Table Pane displays, in menu form, the tabs currently shown in the table pane tab bar.
View Pane displays, in menu form, the tabs currently shown in the view pane tab bar.
Filter Pane displays, in menu form, the tabs currently shown in the filter pane tab bar.
Close Tab hides the tab currently in use. You can show it again by using the tab commands on the
view menu.
Show Name toggles the display of the name of the tab currently in use.
Previous Tab selects the tab to the left of the current tab. When the leftmost tab is in use, the
rightmost tab is selected.
Next Tab selects the tab to the right of the current tab. When the rightmost tab is in use, the
leftmost tab is selected.
Autofit adjusts how the toolbar wraps. When Autofit is not selected, the commands extend
beyond the right boundary of the tree pane. When Autofit is selected, the toolbar wraps and
displays all commands.
Reset View restores all defaults.
Tools Menu
The Tools menu commands enable you to perform analytical operations:
Index Case includes or excludes files in the indexing process. See Indexing on page 270.
Webmail Parser selects the Webmail vendors whose account files are to be parsed. See Web Mail
Parser on page 274.
Case Processor starts the Case Processor EnScript.
Sweep Enterprise starts the Sweep Enterprise EnScript.
Send to Responder sends the selected devices or notes to the HBGary Responder software for
threat analysis. See Threat Analyzer on page 403.
Search specifies:
files to be searched
keyword search criteria
email searches
hashing criteria
other search options
Logon/Logoff logs you on or off of the enterprise LAN.
Wipe Drive selects media you want to completely erase.
Verify Evidence Files selects evidence files to be verified using the hash and the Cyclic
Redundancy Check (CRC) values.
Create Boot Disk creates a LinEn boot disk. See Creating a LinEn Boot Disk on page 446.
Mount as Network Share Client specifies the IP address of the server to be mounted.
FastBloc SE write blocks a USB, FireWire, or SCSI device using FastBloc SE. See Using the
FastBloc SE Module on page 580.
Options defines global settings for EnCase:
The Case Options tab enables you to modify the default values for the case. This tab only
displays when you have a case open.
The Global tab enables you to select options that establish the following global
configuration settings for a case:
Auto Save enables you to determine how frequently EnCase automatically backs up
your data. AutoSaved data is saved in the Backup folder where you installed
EnCase.
Use Recycle bin for cases moves the prior .CASE files to the Recycle bin rather than
permanently deleting them.
Show True/ Show False settings define the data that displays in Table view when a
condition is true or false.
Enable Picture Viewer allows pictures to be displayed in various views.
Enable ART and PNG image display enables you to exclude these images.
Invalid Picture Timeout indicates how long it will take before EnCase stops trying
to read a corrupted image file.
Enable Pictures in Doc View enables you to view pictures in the Doc tab of the
View pane.
Date/Time Formats provides formatting options for date and time display.
Flag Lost Files, when checked, tags all lost clusters in Disk view with a yellow
block and question mark. When cleared, lost clusters are treated as unallocated
space.
Debug is used by Technical Services to help solve abnormal EnCase behavior.
NAS is used in Enterprise installations and contains all of the settings needed to enable
multiple copies of EnCase to authenticate using a single hardware key. This is typically
used in lab environments with multiple examiners using multiple copies of EnCase.
Colors changes the colors for various elements of the interface. Double click a color bar to
display options.
Fonts changes the fonts for viewing convenience or to accommodate Unicode or foreign
language character sets. To view Unicode, you need to have the Arial Unicode MS TTF
true type font installed.
EnScript provides options for EnScript usage, including specifying the location of the
EnScript libraries folder.
Storage Paths configures the location of files used to store, back up, and establish global
settings. Network paths may be used for global usage.
Enterprise is used by EnCase Enterprise users.
Refresh updates the views and shows any newly added content.
Help Menu
The Help menu commands access information and perform tasks associated with running EnCase.
Help opens the EnCase User's Guide in help format.
EnScript Help opens the EnScript help for EnScript commands.
What's New displays the most current EnCase Release Notes.
Online Support provides a link to Guidance Software Online Support.
Register EnCase displays the application registration page, where you can:
Find your dongle serial number
Learn how to register online
Learn how to register offline
About EnCase tells you the version of EnCase and modules you have installed.
Toolbar
The toolbar appears below the system menu bar and provides options for frequently used
functionality. You can access many of these commands by right clicking and opening a context menu.
Some or all of these options are available, depending on your current task:
New defines a new case.
Open opens an existing case.
Save saves your current work.
Print provides print options and enables you to print.
Add Device enables a device to be previewed or acquired.
Search searches for evidence associated with the case.
Logon enables you to log on to the SAFE.
Logoff logs you off the SAFE.
Refresh updates the list or table to reflect recent changes.
Close removes the currently selected device. This only appears when a case has been loaded.
Acquire acquires the currently selected device. This only appears when a case has been loaded.
Panes Overview
The process of examining acquired evidence is cyclical in nature:
Select the evidence folders or devices you want to examine.
Examine the contents of the evidence files.
Search, filter, or automate the evidence you are working with.
Analyze a single piece of evidence more deeply.
Continue refining and analyzing the evidence set until examination is complete.
This cyclical process is reflected in the relationship among the four panes of the EnCase interface.
These work interactively and change depending on what is being done in other panes.
The Tree pane shows evidence associated with a case in a hierarchical tree format.
The Table pane displays the selected evidence in a tabular data list. This display varies when
you select different viewing functions.
The Filter pane provides tools to filter the evidence, run EnScripts, and choose other display
options.
The View pane displays whatever is selected in the Table pane. This data can be viewed in
various formats, depending on the data type.
Tabs and Tab Bars
Tabs enable you to perform a set of actions on the content in the pane. Each tab displays a context
menu when you right click it. This menu enables you to perform certain functions on the tab,
including:
Show the icon only, by toggling Show Name.
Move back and forth between tabs, by selecting Previous Tab and Next Tab.
Wrap the tabs, rather than having them hidden, by selecting AutoFit.
Close the tab by selecting Close Tab.
Tabs are organized in tab bars. If a tab contains sub-tabs, they are organized by separate tab bars. The
scroll icon in the tab bar enables you to see tabs that may be hidden by the current width of the pane.
Each tab bar has its own context menu that displays when you right click the tab bar. This menu
enables you to perform certain functions on the tab bar.
Sorting Tables
You can sort up to five columns of any table, in any pane:
1. Double click the column header to set the current sort order. A red triangle appears in the
column header. This indicates the primary sort order.
2. While pressing the shift key, double click the next column you wish to sort. The column with
the secondary sort order displays a double red triangle.
3. To sort another column, press the shift key and double click again. The third column to be
sorted displays a triple red triangle.
4. To reverse the sort order, double click the column a second time.
5. You can sort up to five columns in this way.
You can also use the Sort command on the table's dropdown menu to adjust sorting.
Undocking and Redocking Panes
Each pane can be separated or undocked from the main window and displayed as an individual
window.
Each pane has a drag handle at the top left edge of its toolbar that enables you to drag the pane outside
the main window.
Once all three panes are undocked, the remaining pane does not display any drag handles.
Panes can be dragged back into the main window. Click Reset View in the View menu to replace all
panes into one window in their default location.
Tree Pane
The Tree pane presents a structured view of all gathered evidence in a Windows-like folder hierarchy.
Using the options available within the tab and sub-tab structure, you use the Tree pane to find and
select the evidence you want to examine more closely in the Table pane.
Tree Pane Tabs
The Tree pane tabs and sub-tabs enable you to find the right set of information to examine in detail.
What you see displayed in the Tree pane or the Table pane depends on what tabs are selected.
Right clicking on any tab shows a context menu unique to that tab.
The tab and sub-tab structure enables you to drill down into certain types or areas of data. You may
see up to three levels of tabs and sub-tabs at the top of the Tree pane. Each new line contains sub-tabs
of the tab selected in the line above it.
Tab > Sub-Tab > Sub-Tab: Description
App Descriptors > Home: Displays the hash files of a computer's EXE and SYS files. See App Descriptors on page 288.
App Descriptors > Hash Properties: Displays whether the selected object is part of a hash set and whether the object has been categorized.
Cases > Home: Causes the list of currently opened cases to display in the Table pane.
Cases > Entries > Home: Shows the devices associated with the case currently selected in the Table pane.
Cases > Entries > File Extents: Lists the number of extents a fragmented file occupies on a drive.
Cases > Entries > Permissions: Shows the security settings associated with the currently selected entry.
Cases > Entries > References: If an item is bookmarked, shows the number of times the object is referred to. More information can be found in the View pane, under Cases > Entries > References.
Cases > Entries > Hash Properties: Displays whether the selected object is part of a hash set and whether the object has been categorized.
Cases > Bookmarks > Home: Displays all saved bookmarks.
Cases > Search Hits > Home: Shows results of keyword searches in the Table pane.
Cases > Search Hits > Hash Properties: Displays whether the selected object is part of a hash set and whether the object has been categorized.
Cases > Records > Home: Displays records such as Internet artifacts and email.
Cases > Records > Additional Fields: Shows additional details regarding a file selected in the Table pane.
Cases > Devices > Home: Shows the physical devices associated with the current case.
Cases > Devices > Acquisition Info: Provides acquisition information for the currently selected device.
Cases > Devices > Sources: Displays the list of sources for a device. Sources are the original locations of an entry or set of entries. This is currently only applicable for devices stemming from LEFs.
Cases > Devices > Subjects: Displays the list of subjects for a device. Subjects can be set for a LEF to add information about the data contained in the LEF. This is currently only applicable for devices stemming from LEFs.
Cases > Devices > Read Errors: Shows sectors that encountered read errors when acquiring the device.
Cases > Devices > Missing Sectors: Shows sectors that are missing because one or more segments of the evidence file set are missing.
Cases > Devices > Disk Elements: Provides information about the device configuration in a RAID system. Disk elements may contain LVM components as well.
Cases > Devices > CRC Errors: Shows any CRC errors encountered while verifying a particular block of data in the evidence file.
Cases > Secure Storage: To organize security data gathered using Analyse EFS, this tab displays passwords, keys, and other items parsed from the system files and registry. See Secure Storage Tab.
Cases > Keywords: Shows all previously-defined keywords in the currently opened cases.
Encryption Keys: For EnCase Enterprise usage, this tab provides a way to create and manage encryption keys.
EnScript: Closes the EnScript tab in the Filters pane and shows the EnScript programs in the Table pane. The information shown in the Table pane is more extensive than shown in the Filter pane.
EnScript Types: Displays a list of EnScript classes and provides detailed information about each one.
File Signatures: Shows a table of file signatures organized by data types such as database, application, document, etc.
File Types: Shows a table of file types organized by type of file such as game, document, internet, etc.
File Viewers: Shows all currently installed file viewers.
Hash Set > Home: Displays a list of hash sets currently included in the library.
Hash Set > Hash Items: Shows the list of items contained within the currently selected hash set.
Keywords: Shows all keywords, organized in a folder structure.
Machine Profiles > Home: Shows a list of existing machine profiles.
Machine Profiles > Allowed: Shows additional software that may be allowed into a machine profile.
Packages: Shows all packages of bundled EnScript programs.
Projects: Shows a list of projects used in EnScript programming.
SAFEs > Home: Shows all the SAFEs currently configured.
SAFEs > Network: Shows the configuration of the network on the currently selected SAFE. Only appears when logged onto a SAFE.
SAFEs > Roles: Shows the roles available on the currently selected SAFE.
SAFEs > Users: Shows the configured users on the currently selected SAFE.
SAFEs > Events: Shows log events for the currently selected SAFE. Only appears when logged onto a SAFE.
Text Styles: Globally defines text styles.
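The Verify Evidence Files command in the Tools menu and the Read Errors, Missing Sectors and CRC Errors sub-tabs listed above rest on the same idea: integrity data recorded at acquisition time (a checksum per block of sectors plus a hash over the whole image) is recomputed later, and any discrepancy is localised to a block or to an absent segment file. The Python below is an added example that models that check with a simplified in-memory layout; it is not the EnCase evidence file format, and the block size of 64 sectors, the segment size, and the acquire, verify, corrupt_block and drop_segment names are assumptions of this example. The sample image is constructed, not evidence.

```python
"""Added example: block-level integrity verification of an acquired image.

This models what an evidence-file verification does in principle (recompute a
per-block CRC and a whole-image hash and compare with the values stored at
acquisition). The layout below is a simplified in-memory model, not the EnCase
evidence file format.
"""
import copy
import hashlib
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTOR_BYTES = 512
BLOCK_SECTORS = 64                     # assumption: one CRC per 64 sectors
BLOCK_BYTES = SECTOR_BYTES * BLOCK_SECTORS


@dataclass
class Evidence:
    """Acquisition output: data blocks grouped into segment files plus integrity data."""
    segments: List[Optional[List[bytes]]]   # None models a missing segment file
    segment_blocks: int                      # blocks per segment
    block_count: int
    crcs: List[int]                          # CRC32 recorded per block at acquisition
    md5: str                                 # hash recorded over the whole image


def acquire(image: bytes, segment_blocks: int = 4) -> Evidence:
    """Split the image into fixed-size blocks, record a CRC32 for each, group
    the blocks into segments and record the MD5 of the complete image."""
    blocks = [image[i:i + BLOCK_BYTES] for i in range(0, len(image), BLOCK_BYTES)]
    crcs = [zlib.crc32(b) & 0xFFFFFFFF for b in blocks]
    segments = [blocks[i:i + segment_blocks] for i in range(0, len(blocks), segment_blocks)]
    return Evidence(segments, segment_blocks, len(blocks), crcs,
                    hashlib.md5(image).hexdigest())


def verify(ev: Evidence) -> Dict[str, object]:
    """Recompute per-block CRCs and the whole-image hash.

    Returns which blocks have CRC errors, which sector ranges are missing
    because a segment is absent, and whether the overall hash still matches."""
    crc_errors: List[int] = []
    missing: List[Tuple[int, int]] = []
    md5 = hashlib.md5()
    block_index = 0
    for seg in ev.segments:
        if seg is None:
            # The whole segment is gone: report its sector span and skip ahead.
            n = min(ev.segment_blocks, ev.block_count - block_index)
            first = block_index * BLOCK_SECTORS
            missing.append((first, first + n * BLOCK_SECTORS - 1))
            block_index += n
            continue
        for blk in seg:
            if (zlib.crc32(blk) & 0xFFFFFFFF) != ev.crcs[block_index]:
                crc_errors.append(block_index)
            md5.update(blk)
            block_index += 1
    hash_ok = not missing and md5.hexdigest() == ev.md5
    return {"hash_verified": hash_ok, "crc_errors": crc_errors,
            "missing_sectors": missing}


def corrupt_block(ev: Evidence, block_index: int) -> Evidence:
    """Return a copy in which one byte of the given block has been altered."""
    bad = copy.deepcopy(ev)
    seg = bad.segments[block_index // ev.segment_blocks]
    pos = block_index % ev.segment_blocks
    data = bytearray(seg[pos])
    data[0] ^= 0xFF
    seg[pos] = bytes(data)
    return bad


def drop_segment(ev: Evidence, segment_index: int) -> Evidence:
    """Return a copy in which one segment file is missing."""
    lost = copy.deepcopy(ev)
    lost.segments[segment_index] = None
    return lost


# Constructed sample image: 12 distinct blocks (no real evidence involved).
SAMPLE_IMAGE = b"".join(hashlib.sha256(bytes([i])).digest() * (BLOCK_BYTES // 32)
                        for i in range(12))

if __name__ == "__main__":
    ev = acquire(SAMPLE_IMAGE)
    print("clean:       ", verify(ev))
    print("tampered:    ", verify(corrupt_block(ev, 5)))
    print("segment lost:", verify(drop_segment(ev, 1)))
```

The two failure modes look different to the examiner for a reason: a single bad byte fails the overall hash but the per-block CRC pinpoints the block (and so the sector range) that changed, while a missing segment file is reported as a sector range that cannot be verified at all rather than as corrupt data.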
Tree Pane Content
The folders and sub-folders shown in the Tree pane are organized in a hierarchical structure, much
like Windows Explorer. The file contents of folders are shown in the Table pane when their
containing folder is highlighted in the Tree pane.
The Tree pane can display physical devices (such as a hard drive), logical devices (such as the C:
volume on a hard drive), and folders that these devices contain. If any single files are found on the
device, a Single Files folder also displays, containing such single files.
Any object displayed in the Tree pane can have attributes assigned to it, or actions performed on it, by
manipulating the icons appearing by the object name.
Expand/Collapse displays or hides any contained objects. A minus sign (-) indicates the object is
fully expanded; a plus sign (+) indicates that it contains further objects.
Set Include displays the contents of the selected folder or device, and all children of the folder or
device, in the Table pane. Use CTRL-click to select multiple objects.
Checkbox selects the contents of the selected folder, as well as all of its contents.
Category indicates the type of object.
Name is the name of the object. If the name is highlighted, the content it contains is displayed in
the Table pane.
Clicking on any part of an entry or object highlights it.
There are three ways to choose items in the Tree pane:
Highlighting displays the contents of the highlighted folder in the Table pane, at the first level
only. If the highlighted folder has sub-folders, those are listed in the Table pane list. However,
any contents of the sub-folders are not displayed.
Including adds the contents of every included object to your Table pane list, including any
sub-folders that may exist and their contents. Clicking Set Include beside a folder name turns
the icon green and automatically adds the contents of that folder and all its sub-folders into
the list in the Table pane.
Selecting an object indicates you wish to perform an action on the contents of this object, such
as bookmarking, filtering, or finding its hash value. Clicking the checkbox beside any object's
name causes a blue check to appear. Selecting an object does not change whether an item is
viewed in the Table pane or not.
Selecting an item in the Tree pane selects that item and all its children.
Selecting an item in the Table pane selects only that item.
Table Pane
The Table pane contains information about the files and entries contained in the objects you have
selected in the Tree pane. The Table pane tabs provide a variety of ways of learning more about this
data.
Except for when using the Gallery tab, the information you see in the Table pane describes rather than
portrays the actual contents of the evidence. To view the evidence directly, select the entry in the Table
pane to view it in the View pane.
Table Tab
The Table tab content is shown in rows and columns. You can manipulate these columns and refine
what data is being displayed in a number of ways.
A context menu is accessible by right clicking on any cell. The options available on the context menu
vary depending on the column, row, and value of the cell contents.
The EnCase Interface 47
Table Tab Columns
The function of each Table pane column is listed below:
Name is the name of the entry. Icons to the left of the file name indicate the type of entry, such as
device, folder, or document.
Filter displays the name of the applied filter options if the files meet the criteria set.
In Report indicates whether the item appears in the report. To include the file in a report, right
click the In Report column and select In Report. To include more than one entry in the report,
select each entry's checkbox, then right click the In Report header and select Invert Selected Items.
File Ext displays a file's extension, such as .exe, .jpg, or .doc.
File Type displays the description of the file type. EnCase determines this information from the
File Types table using the file's extension. When you run a signature analysis, this information is
generated instead from the file's header information encoded inside the file.
File Category classifies the category of the File Type (such as document, database, picture). The
File Type table is also used to generate this information.
Signature compares the file header with the file extension and identifies whether they are
mismatched. See Analyzing and Searching Files on page 231 for more information on using file
signatures.
Description lists the entry properties and attributes (that is, whether it is a file or folder, deleted,
or deleted/overwritten).
Is Deleted displays TRUE if the file is marked as deleted by the file system.
Last Accessed displays the last accessed date/time. This typically reflects the last time the
operating system or any compliant application touched the file (such as viewing, dragging, or
right clicking). Entries on FAT volumes do not have a last accessed time.
File Created typically reflects the date/time the file/folder was created at that location. A notable
exception is the extraction of files/folders from a ZIP archive. Those objects carry the created
date/time as they existed when the objects were placed in the archive.
Last Written reflects the date/time the file was last opened, edited, then saved.
Entry Modified indicates when the administrative data for the file was last altered for NTFS and
Linux.
File Deleted shows the deletion time and date of files associated with a Recycle Bin record.
File Acquired displays the date and time the evidence file (where the selected file resides) was
acquired.
Logical Size displays the size of the file in bytes.
Initialized Size is the size of the initialized file, in bytes. This applies only to NTFS file systems.
Physical Size is the cluster size occupied by the file, that is, the physical disk space used by the
file. Given a cluster size of 4096 bytes, the physical size of any file with a logical size less than 4096
bytes has a physical size of 4096 bytes. A file with just one more byte, 4097 bytes, for example,
requires two clusters, or 8,192 bytes of physical disk space. The 4095 byte difference in the second
cluster is called slack space.
Starting Extent shows the starting cluster of every file in the case. The format displayed is
evidence file number, logical drive letter, cluster number. For example, a starting extent of
1D224803 means that the file is on the second evidence file (counting begins at zero), on the logical
D:\ drive, at cluster 224803.
File Extents lists the number of extents a fragmented file occupies on a drive. To view extents,
select the file in Table pane, then select the Cases > Entries > File Extents subtab in the Tree pane.
Permissions displays security settings of a file or folder. TRUE indicates a security setting is
applied. To view security settings, click the cell, then click the Details tab in the View pane.
References is the number of times the file has been referenced in the case. For example, if you
bookmark a file three times, the references column shows that.
Physical Location is the number of bytes into the device where that entry begins.
Physical Sector lists the starting sector where the entry resides.
Evidence File is the name of the evidence file where the entry in the table resides.
File Identifier is a file table index number stored in the master file table. It is a unique number
allocated to files and folders in an NTFS file system.
Code Page is the character encoding table on which the file is based.
Hash Value displays the hash value of every file in the case. You must run the Compute Hash
Value command to generate this information.
Hash Set displays the hash set to which a file belongs. If the file does not match a value in the hash
library, the column is unpopulated.
Hash Category displays the hash category to which a file belongs. If the file does not match a
value in the hash library, the column is unpopulated.
Hash Properties displays whether the object is part of a hash set and whether that file is notable or
known. TRUE indicates that the file is part of a hash set. To view the details, select the column,
and click Details in the View pane.
Full Path displays the file location within the evidence file. The evidence file name is included in
the path, as is the case name.
Short Name is the name Windows assigns using the DOS 8.3 naming convention.
Unique Name is used to display the name for files mounted with the VFS module in Windows
Explorer.
Original Path displays information derived from the INFO2 file for deleted files in the Recycle
Bin. The path is the location where the deleted file was originally stored. The column is blank for
files that do not have a Recycle Bin entry.
Symbolic Link provides information regarding file links in multiple file systems.
Is Duplicate displays TRUE in the following circumstances:
The entry resides on a LEF.
The displayed file is a duplicate of another, that is, it is not the first instance of the file. For
example, if three files have the same hash value, the Is Duplicate column is marked for two
of those files.
Is Internal identifies files the OS uses internally that are hidden from the user (such as the
$MFT on an NTFS volume).
Is Overwritten displays TRUE if the original file is deleted and its space is occupied by another
file.
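The following Python script is an added illustration and is not EnCase code or part of this guide. It reproduces, on constructed sample data, four of the column calculations described above: Physical Size and slack space, parsing a Starting Extent, marking Is Duplicate from hash values, and the Signature check. The small magic-number table is an assumption chosen for the example; EnCase's File Types table is far larger.

```python
import math
import re

# Added illustration, not EnCase code: derives several Table tab column
# values from the definitions above, using constructed sample data.

# Physical Size and slack space
def cluster_footprint(logical_size, cluster_size=4096):
    """Return (physical_size, slack) in bytes for a file of logical_size bytes.

    Follows the guide's rule: a file smaller than one cluster still occupies
    a whole cluster, and one byte past a cluster boundary claims another
    cluster. Slack is the unused remainder of the last cluster.
    """
    if logical_size < 0 or cluster_size <= 0:
        raise ValueError("logical_size must be >= 0 and cluster_size > 0")
    clusters = max(1, math.ceil(logical_size / cluster_size))
    physical_size = clusters * cluster_size
    return physical_size, physical_size - logical_size

# Starting Extent: evidence file number, drive letter, cluster number
_EXTENT_RE = re.compile(r"^(\d+)([A-Za-z])(\d+)$")

def parse_starting_extent(text):
    """Split a starting extent such as '1D224803' into
    (evidence_file_index, drive_letter, cluster).
    The index counts from zero, so 1 is the second evidence file."""
    m = _EXTENT_RE.match(text.strip())
    if m is None:
        raise ValueError("not a starting extent: %r" % text)
    return int(m.group(1)), m.group(2).upper(), int(m.group(3))

# Is Duplicate: every instance after the first of a given hash value
def flag_duplicates(entries):
    """entries: list of (name, hash_value). Returns one Is Duplicate flag per
    entry, True when the same hash appeared earlier in the list. The first
    instance is not marked, and entries without a computed hash never are."""
    seen = set()
    flags = []
    for _name, digest in entries:
        if digest is None:
            flags.append(False)
            continue
        flags.append(digest in seen)
        seen.add(digest)
    return flags

# Signature: does the file header agree with the extension?
# Constructed, deliberately small signature table (assumption for the example).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

def signature_status(extension, header):
    """Return 'match' when the header agrees with the extension, 'mismatch'
    when the two disagree (for example a JPEG renamed to .dll), and
    'unknown' when neither the extension nor the header is in the table."""
    ext = extension.lower().lstrip(".")
    header_types = {e for e, magic in MAGIC.items() if header.startswith(magic)}
    if ext in MAGIC:
        return "match" if ext in header_types else "mismatch"
    return "mismatch" if header_types else "unknown"

if __name__ == "__main__":
    print(cluster_footprint(4097))            # (8192, 4095)
    print(parse_starting_extent("1D224803"))  # (1, 'D', 224803)
```

Note that cluster_footprint applies the guide's stated rule literally, so a zero-length file is reported as occupying one cluster; the actual on-disk footprint of very small files depends on the file system.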
Manipulating Columns
The Table pane scrolls horizontally, but there are various ways you can move and reconfigure the
columns to suit your needs:
You can drag and drop columns to change their positions.
Manually resize a column by dragging the column separator.
To restore columns to their default order, right click in the column, click Column, then Reset.
Showing/Hiding columns
To display or hide columns in the Table pane:
1. Right click the column and click Show Columns.
2. Clear the checkboxes for the columns you want to hide. By default, all the boxes are checked.
Note: To hide a single column, right click in the column, click Column, then Hide.
3. Click OK.
Sorting columns
You can sort columns up to six layers deep.
To sort by a column, double click the column heading.
To implement a secondary sort, hold down the shift key and double click the column heading.
Fitting Columns to Data
You may want to expand the width of one or more columns to see all its data.
1. Right click in the column and click Column.
2. To adjust the width of the current column only, select Fit to Data.
3. To adjust the width of all columns, select Auto Fit All.
Locking Columns in Place
You can lock a specific number of columns on the left side of the Table pane while still being able to
scroll through other columns on the right. The lock applies to a specific number of columns. If the
columns are reordered, columns in the locked positions still do not scroll.
To lock a column:
1. Right click in the column to be locked, click Column, then Set Lock.
2. To release the lock, right click the locked column, click Column, then Unlock.
Report Tab
The Report tab generates a quick report for files currently being shown in the Table Pane. This report
can be exported as a text, .rtf, or .html file for further manipulation. To export, right click in the report
pane and click Export.
To include entries in the report, right click inside the In Report column and select In Report.
To toggle all values (for example, to include all entries in the report that are currently turned off),
select In Report - Invert Selected Items.
When the In Report column is turned off for all entries, the Report tab only displays a hierarchical tree
view of the folders in the Table pane. If items are selected, the table shows up at the end of the report.
Gallery Tab
The Gallery tab enables you to view the images selected in the Tree pane in a thumbnail view.
If signature analysis is not yet run, the Gallery view displays files based on their file extension. For
example, if a JPG file is changed to DLL, it does not appear in the Gallery until you run a signature
analysis. See Signature Analysis on page 232.
Viewing Options in the Gallery Tab
You can adjust your view in the Gallery tab to show larger or smaller images by adjusting whether to
see more, or fewer, columns or rows.
To adjust how many columns you see, right click anywhere in the Gallery and select More
Columns to see smaller images in more columns. To expand the image and see fewer columns
select Fewer Columns.
To adjust how many rows you see, right click anywhere in the Gallery and select More Rows
to see smaller images in more rows. To expand the images and see fewer rows select Fewer
Rows.
Timeline Tab
The Timeline tab enables you to graphically view dates and times of computer use. Using this tab, you
can see all times that a file was:
Created
Written
Accessed
Modified
Deleted
Acquired
Each dot on the timeline represents a file. The position of the dot indicates the time that file was
accessed. So a file may display numerous times within the grid.
Clicking any dot in the timeline view causes the file represented by that dot to display in the
View pane.
Clearing one or more of these checkboxes removes that kind of time from the presentation.
If you select a dot and change the scale of time, that dot stays in focus in the new resolution.
You can zoom in or out to different scales of time by using the +/- keys on your number pad, or right
clicking on a box and selecting Higher Resolution or Lower Resolution. Different scales of time that
are available are:
Year: The year displays at the top of each group of monthly columns; days are shown in rows.
Month: The monthly view shows days of the week, and hour of access.
Week: The weekly view shows Monday through Sunday, with Monday's date shown at the
top of the column.
Day: The daily view displays with hourly increments.
Hour: The hourly view breaks down computer usage to the minute. Each column reflects one
hour, and each row is equal to one minute.
Minute: The minute view breaks down computer usage to the second. Each column reflects
one minute, and each row is equal to one second.
You can find selections for modifying the legend colors under Options.
Disk Tab
The Disk tab shows a graphic representation of the media you are viewing, and enables you to see
files and folders in terms of where the data physically appears on the media. Use the Disk view in
conjunction with the View pane to examine specific clusters and observe fragmentation of files.
The file selected in the table is highlighted in the Disk view as dark blue squares.
Allocated sectors are shown in light blue.
Unallocated sectors are shown in grey.
Code Tab
The Code tab displays the source code of EnScripts and filters when editing or creating in the Table
pane.
View Pane
The View pane enables you to examine the content of the highlighted Table pane entry in a variety of
ways.
Using the tabs, you can examine specific evidence items in detail. You can also copy some viewed
information and export it for use in other applications.
View Pane Tabs
The View pane tabs display different representations of the entries highlighted in the Table pane.
While several entries can be blue checked in the Table pane, only one entry can be highlighted at a
time.
By default, the View pane displays the appropriate tab for the type of file selected in the Table pane.
Tabs are disabled when they do not apply to certain selected content.
Text Tab
The Text tab shows the highlighted file as ASCII text.
To copy text from this tab, select the text, right click and select Copy.
Hex Tab
The Hex tab shows a split view of a file with the address and hexadecimal values on the left and ASCII
on the right.
To copy text from this tab, select the text, right click and select Copy.
Doc Tab
The Doc tab displays text in its native format. The viewer technology supports more than 390 file
formats.
Transcript Tab
The Transcript tab extracts text from a file containing more than text. The transcript view is useful for
creating bookmarks inside files that are not normally stored as plain text, such as Excel spreadsheets.
Picture Tab
The Picture tab of the View pane displays the contents of an image file.
Report Tab
The Report tab displays a detailed list of attributes in report format.
Console Tab
Use the Console tab to view output status messages when running EnScript programs. EnCase also
writes to the console.
Details Tab
The Details tab provides file extent, permissions, references, and hash property information.
To view file extents:
1. Open a case and display its contents.
2. Scroll to the file extents column in the Table pane and click File Extents in any row.
3. Click the Details tab in the Reports pane to view the file extents.
Output Tab
Use the Output tab to obtain output from various EnScript programs.
Controls
The tab bar for the View pane also contains controls specific to the View pane. When selected, these
controls perform the following actions:
Lock prevents the tab from changing if the file type of the file selected in the Table pane changes.
For example, if you lock the View pane with the Hex tab in view, you can avoid having to change
the focus of the View pane every time you view a picture in the Gallery view.
Codepage determines whether the detected, rather than the default, codepage is used in tabs that
display text. This functionality only works if you have previously opted to identify the codepage
in the Search dialog.
Selected/Total displays the number of entries you have selected out of the total number of entries
available in the current case. This indicator does not refer specifically to the View pane, but instead
acts as a global control. You can quickly select or deselect all items in a case by selecting or
deselecting this control. This control is sometimes called the Dixon box.
Finding View Pane Content
To find specific content in the text, hex, and transcript tabs of the View pane, you can either skip to a
location using a specific offset, or search for specific strings of data.
To skip to a location by offset:
1. Right click in the View pane.
2. Select Goto.
3. Enter the file offset in the Other field and click OK.
4. To select between little-endian and big-endian data formatting, click the appropriate option.
To search for specific strings:
1. Display Text view in the View pane.
2. Right click the View pane and click Find.
3. Enter a string in the Expression field. To use a GREP expression, click the GREP check box.
4. Select either Whole Document, From Cursor, or Current Selection.
5. Select Case Sensitive if desired.
6. Choose whether to have results appear in the output window.
7. Click OK. The system finds the expression you entered.
Filter Pane
The Filter pane enables you to filter and refine the list of entries shown in the Table tab. This is done
by creating and running filters, conditions, and queries.
The Filter pane contains the following tabs:
EnScript displays a list of available EnScripts, organized in tree form.
Hits displays the search hits for a file without leaving the Entries tab of the Tree pane.
Filters displays available filters.
Conditions displays available conditions.
Display shows currently running filters, conditions and queries.
Queries displays available queries.
Text Styles enables you to create, edit, and apply text styles to content in the View pane.
EnScript Tab
The EnScript tab provides access to all available EnScript programs.
See EnScript Analysis on page 385 for a detailed description of EnScript and EnScript programs.
Hits Tab
This tab displays when the Search Hits tab in the Tree pane is not selected.
When you are looking at entries in cases, use the Hits tab in the Filter pane to view the search hits for a
file without leaving the Entries tab of the Tree Pane.
Filters Tab
Filters are EnScripts that modify what data is displayed in the Table pane. Filters do not remove any
items from the case; they simply hide them from the Table pane.
Depending on what tab is currently selected in the Tree pane, different types of filters are available.
For example, the filters available for search hits are different from those available for entries.
Filtering Behavior in the Table Pane
Both filters and conditions work the same way in terms of how they affect the items in the Table pane.
To run a filter or condition, double click its name in the Filters pane.
When a filter or condition is run, a Query button with a green plus displays on the main menu bar.
This indicates that only filtered items are currently displayed.
Clicking the Query button causes the non-filtered evidence to reappear in the Table pane. When you
are viewing both filtered and unfiltered evidence, the Query button displays with a red minus sign to
indicate the query is not applied.
The filters and conditions being run display in the Filter column of all items that match the filtering
criteria. For example, if filtering for all files after a certain date, all files that match that criteria show a
Files after n date filter in the Filter column.
When a subsequent filter or condition is applied, it also displays in the Filter column of all items that
match the second filter criteria. For example, if filtering for all files that have been deleted, Deleted
Files shows on all files that have been deleted (but do not match the first criteria).
For all items that meet both criteria (in this example, have a date after "n" and have been deleted), both
filters display in the Filter column.
You can toggle between seeing only items that match all your filtering criteria (AND functional logic),
and items that match any of your filtering criteria (OR functional logic), by clicking the Matches
All/Matches Any button on the toolbar.
The label on the button shows you its current state:
If you are seeing all items that match any filtering criteria, the button shows Matches Any.
If you are seeing only items that match all filtering criteria, the button shows Matches All.
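The following Python script is an added illustration and is not EnCase code or part of this guide. It models the behaviour described above: each running filter writes its label into the Filter column of the rows it matches, and the Matches All / Matches Any button decides whether a row must satisfy every running filter or any one of them. The entries, dates and filter names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration, not EnCase code: models how running filters populate
# the Filter column and how Matches All / Matches Any change which rows the
# Table pane shows. Entries, dates and filter names are constructed.

@dataclass
class Entry:
    name: str
    last_written: date
    is_deleted: bool

ENTRIES = [
    Entry("report.doc", date(2010, 3, 1), False),
    Entry("notes.txt", date(2009, 5, 20), True),
    Entry("photo.jpg", date(2010, 4, 15), True),
    Entry("old.bak", date(2008, 1, 2), False),
]

CUTOFF = date(2010, 1, 1)

# Running filters in the order they were applied: (Filter column label, test).
FILTERS = [
    ("Files after " + CUTOFF.isoformat(), lambda e: e.last_written > CUTOFF),
    ("Deleted Files", lambda e: e.is_deleted),
]

def filter_column(entry, filters=FILTERS):
    """Labels of every running filter the entry satisfies, in filter order;
    this is what the Filter column shows for that row."""
    return [label for label, test in filters if test(entry)]

def table_view(entries=ENTRIES, filters=FILTERS, matches_all=True):
    """Rows the Table pane shows, as (name, Filter column text).

    matches_all=True  keeps rows matching every filter (button reads Matches All).
    matches_all=False keeps rows matching any filter (button reads Matches Any).
    With no filter running, every row is shown in either mode.
    """
    rows = []
    for entry in entries:
        hits = filter_column(entry, filters)
        if not filters:
            shown = True
        elif matches_all:
            shown = len(hits) == len(filters)
        else:
            shown = bool(hits)
        if shown:
            rows.append((entry.name, ", ".join(hits)))
    return rows

if __name__ == "__main__":
    for row in table_view(matches_all=False):
        print(row)
```

With Matches All only photo.jpg remains, carrying both labels in its Filter column; with Matches Any, report.doc and notes.txt reappear, each showing the single filter it satisfies.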
Creating a Filter
In addition to using the filters already provided, you can create your own filters.
Note: You need a working knowledge of EnScript to make a new filter. If you do not have this working knowledge, you
may be able to create a condition to perform the same function. See Creating Conditions on page 66.
1. In the Filter pane, click the Filters tab.
2. Right click the root level Filters icon in the content area and click New. The New Filter dialog
displays.
3. Enter a descriptive name in the Filter Name field and click OK. A source editor displays in the
Table pane.
4. Enter EnScript code as required to accomplish your task. The newly created filter displays at
the bottom of the filters list.
Editing a Filter
You can change an existing filter's behavior by editing it.
1. In the Filter pane, click the Filters tab.
2. Right click the filter you wish to edit and click Edit Source. The existing code displays in
the Table pane.
Note: To edit the name of the filter, click Edit; the Edit dialog for the filter displays.
3. Edit the code as needed.
Deleting a Filter
To permanently delete a filter, right click it in the Filters tab and click Delete.
As a safeguard, a dialog displays. Click Yes to complete the deletion.
Exporting a Filter
You can send a filter as a text file to others.
To export a filter:
1. Right click in the Filter pane, with the Filters tab selected.
2. Select Export.
3. Navigate to or enter the path where the exported filter file should be created, then click OK.
Importing a Filter
You can import filters created by others into your collection.
1. Right click in the Filter pane, with the Filters tab selected.
2. Select Import.
3. Navigate to or enter the path where the filter is located and click OK.
Conditions Tab
Conditions are similar to filters in that they limit Table pane content. Both conditions and filters are
EnScript code that performs a filtering process on your data.
The difference between filters and conditions is that creating a condition does not require that you can
program in EnScript. Through a special interface you can create them without coding directly in
EnScript.
Several predefined conditions come with EnCase. Like filters, they vary depending on the Tree tab you
select.
To see how conditions affect the data in the Table pane, see Filtering Behavior in the Table Pane on
page 62.
Creating Conditions
1. To create a new condition, right click a folder in the Conditions tab in the Filter pane, then
select New. The New Condition wizard displays.
2. In the Conditions tab, enter a name in the Name field.
3. Right click Main on the conditions tree and select New. The New Term dialog displays.
4. Select a property, an operator, and, if appropriate, a value and choice. Depending on the
property and operator chosen, other options appear, including
Prompt for Value
Case Sensitive
GREP
5. If you want to edit the source code directly, click Edit Source Code.
6. To nest terms, create a folder by right clicking on the parent condition folder in the Tree pane
and choosing New Folder. Place the nested terms inside the parent folder.
7. If you want to change the AND/OR logic within the condition, right click the term and select
Change Logic. This changes the AND operator to an OR, and vice versa.
8. If you want to negate the logic of a term, right click the term and select Not.
9. To use a filter inside a condition, click the Filters tab and create a filter. Once created, click the
Conditions tab and the filter displays in the properties list.
10. Repeat the steps above to create as many terms as you want to make the condition as detailed
as possible.
11. Click OK to save the condition.
Note: For any condition using a literal comparison (such as Matches), make sure there are no spaces at the end of any value
string. For example, if the condition is Extension matches: "txt,rtf,doc ,xls," the space at the end of the
doc string makes the condition invalid and the condition does not return DOC files.
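The following Python script is an added illustration and is not EnCase code or part of this guide. It evaluates a condition built from the elements described in the steps above (terms with a property, operator and value; the Case Sensitive, GREP and Not options; folders combined with AND or OR logic) and reproduces the trailing-space failure from the note. A small lint function flags such values before the condition is run. The operators, the tree layout and the sample entry are assumptions chosen for the example.

```python
import re

# Added illustration, not EnCase code: evaluates a condition tree built from
# terms and folders, and catches the trailing-space mistake in literal values.

def term_matches(prop_value, operator, value, case_sensitive=False,
                 grep=False, negate=False):
    """Evaluate one term against a property value (a string).

    operator: 'matches' compares against one or more comma-separated
    literals; 'contains' is a substring test. With grep=True the value is a
    regular expression. negate corresponds to choosing Not on the term.
    """
    if grep:
        flags = 0 if case_sensitive else re.IGNORECASE
        result = re.search(value, prop_value, flags) is not None
    else:
        left = prop_value if case_sensitive else prop_value.lower()
        if operator == "matches":
            # Literal comparison: each alternative must match exactly, so
            # "doc " with a trailing space never equals "doc".
            alternatives = [a if case_sensitive else a.lower()
                            for a in value.split(",") if a != ""]
            result = left in alternatives
        elif operator == "contains":
            needle = value if case_sensitive else value.lower()
            result = needle in left
        else:
            raise ValueError("unsupported operator: %r" % operator)
    return (not result) if negate else result

def evaluate(node, entry):
    """Evaluate a condition tree for one entry (a dict of property values).

    A node is either a term {"property", "operator", "value", options...}
    or a folder {"logic": "AND"|"OR", "not": bool, "terms": [...]} of the
    kind created with New Folder. Change Logic flips a folder's logic.
    """
    if "terms" in node:
        results = [evaluate(t, entry) for t in node["terms"]]
        combined = all(results) if node.get("logic", "AND") == "AND" else any(results)
        return (not combined) if node.get("not") else combined
    return term_matches(entry[node["property"]], node["operator"], node["value"],
                        case_sensitive=node.get("case_sensitive", False),
                        grep=node.get("grep", False),
                        negate=node.get("not", False))

def lint_literal_value(value):
    """Return the alternatives in a comma-separated literal value that carry
    leading or trailing whitespace and would therefore never match."""
    return [a for a in value.split(",") if a and a != a.strip()]

# Constructed sample entry.
SAMPLE_ENTRY = {"Extension": "doc", "Name": "report.doc"}

BROKEN = {"logic": "AND", "terms": [
    {"property": "Extension", "operator": "matches", "value": "txt,rtf,doc ,xls,"}]}
FIXED = {"logic": "AND", "terms": [
    {"property": "Extension", "operator": "matches", "value": "txt,rtf,doc,xls"}]}

if __name__ == "__main__":
    print(evaluate(BROKEN, SAMPLE_ENTRY), lint_literal_value("txt,rtf,doc ,xls,"))
```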
Editing Conditions
1. In the Filter pane, open the Conditions tab and select the condition you want to edit.
Note: You can edit conditions when there are no open cases.
2. Right click the condition and select Edit. The edit wizard opens.
3. Right click the property and select Edit to see the Edit Term wizard.
4. Make the selected changes to the terms or source code, then click OK.
Exporting Conditions
You can send a condition as a text file to others.
To export a condition:
1. Right click in the Filter pane, with the Conditions tab selected.
2. Select Export.
3. Navigate to or enter the path where the exported condition file should be created, then click
OK.
Importing Conditions
You can import conditions created by others into your collection.
1. Right click in the Filter pane, with the Conditions tab selected.
2. Select Import.
3. Navigate to or enter the path where the condition is located and click OK.
Reporting on Conditions
The Report tab provides a plain text representation of the condition. When in an Edit dialog for a
condition, the Report tab displays a text representation of the condition. You can print or export this
report by right clicking within this tab and selecting Print or Export.
Display Tab
The Display tab shows you what filters and conditions you have currently running.
Turning Specific Filters Off
When you have more than one filter or condition in operation, you can use the Display tab to turn off
one or more filters and conditions. This changes what displays in the Table pane.
To turn off specific filters:
1. In the Filter pane, click Display. The list of currently active filters and conditions displays,
showing a blue check in their checkbox.
2. To remove a filter from operation, click the checkbox to deselect that filter or condition. In the
example below, only Selected Files Only and Deleted Files are in operation; File Extension is
not being used to filter the Table pane contents.
Changing Filter Order
Filters modify the data shown in the Table pane in the order in which you select them.
To change this order:
1. In the Filter pane, click Display to show the active filters.
2. Select the filter you want to move using the left mouse button.
3. Drag and drop the selected filter to a new position.
Queries Tab
The Queries tab enables you to create queries, which are combinations of two or more filters or
conditions into one item.
Creating a Query
1. Right click the Queries tab in the Filter pane, then click New in the dropdown menu. The New
Query dialog displays.
2. Enter a name for the query in the Name field.
3. Right click in the Display settings for shown items area, then click New in the dropdown
menu. The New Display dialog displays.
a. Click Filters or Conditions.
b. Select a filter or condition from the list.
c. Enter text in the Text field. This text displays in the filter column of the Table pane when a
file meets the specified criteria.
d. To change the color element, click Text Color or Frame Color. The Edit Text Color dialog
displays.
e. Double click Background or Foreground to see a color selection dialog. Select the color for
the background or foreground and click OK.
f. When you are finished selecting colors, click Close on the Edit Text Color dialog.
4. To add more filters or conditions to the query, repeat step 3 as needed.
Editing a Query
To edit a query:
1. Right click the query, then click Edit in the dropdown menu.
2. Select the row to edit, then right click.
3. In the dropdown menu, select the action you want to perform (Edit, New, Delete, etc.).
4. Make the needed changes, then click OK.
Deleting a Query
To delete a query:
1. Right click the query and click Delete in the dropdown menu.
2. In the Delete dialog, click Yes.
Text Styles Tab
The Text Styles tab enables you to determine how file contents display in the Text and Hex tabs of the
View pane. See Text Styles on page 430.
Text styles are defined globally on the Text Styles tab. When defined, these text styles are not
associated with a case. In this tab, you can:
Create text styles
Edit text styles
Apply text styles to content in the View pane
Status Bar
The status bar displayed at the bottom of the main window is divided into two sections: the GPS area,
and the status area.
The GPS area displays on the left of the status bar, and provides detailed information on the location
of the item currently selected in your Table pane, as well as about the sectors and clusters of the file
itself.
The GPS area of the status bar includes:
Name of the case
Name of the device
Name of the volume
Path to the file
Filename
The status bar also shows sector and cluster information about the file being examined:
Physical sector (PS) displays the sector number of the physical sector relative to the beginning
of the physical disk.
Logical sector (LS) displays the sector number of the logical sector relative to the beginning of
the logical disk.
Cluster number (CL) displays the cluster number.
The information relative to the location of the cursor within the file being examined includes:
Sector offset (SO) displays the offset, in bytes, between the start of the cluster and the current
cursor location.
File offset (FO) displays the number of bytes between the start of the file and the start of the
current cursor location.
Length (LE) displays the length, in bytes, of the content currently selected by the cursor.
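The following Python script is an added illustration and is not EnCase code or part of this guide. It computes the status bar location fields (PS, LS, CL, SO, FO, LE) for a cursor position inside a file, walking the file's extent list so that fragmented files are handled. The sector size, sectors per cluster, partition start sector and extent list are constructed values, and the script assumes cluster 0 begins at the first sector of the volume, as on NTFS; on FAT volumes the data area starts later.

```python
# Added illustration, not EnCase code: maps a byte offset within a file to
# the status-bar coordinates. All geometry values are constructed.

SECTOR = 512  # bytes per sector (assumption for the example)

def locate(file_offset, extents, sectors_per_cluster, volume_start_sector,
           selection_length=1):
    """Return the status-bar fields for a cursor at file_offset.

    extents: list of (start_cluster, cluster_count) in file order, as the
             File Extents column lists them; a fragmented file has several.
    sectors_per_cluster, volume_start_sector: volume geometry, where
             volume_start_sector is the physical sector at which the
             logical volume begins.
    Assumes cluster 0 starts at logical sector 0 of the volume.
    """
    if file_offset < 0:
        raise ValueError("file_offset must be >= 0")
    cluster_bytes = sectors_per_cluster * SECTOR
    remaining = file_offset
    for start_cluster, count in extents:
        extent_bytes = count * cluster_bytes
        if remaining < extent_bytes:
            cluster = start_cluster + remaining // cluster_bytes
            offset_in_cluster = remaining % cluster_bytes
            logical_sector = cluster * sectors_per_cluster + offset_in_cluster // SECTOR
            return {
                "PS": volume_start_sector + logical_sector,  # physical sector
                "LS": logical_sector,                        # logical sector
                "CL": cluster,                               # cluster number
                "SO": offset_in_cluster,  # bytes from cluster start, as the guide defines SO
                "FO": file_offset,                           # file offset
                "LE": selection_length,                      # selection length
            }
        remaining -= extent_bytes
    raise ValueError("offset lies beyond the file's allocated extents")

if __name__ == "__main__":
    # Constructed fragmented file: two clusters at 100, then three at 500,
    # on a volume with 8 sectors per cluster starting at physical sector 63.
    print(locate(5000, [(100, 2), (500, 3)], 8, 63))
```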
When one or more processes are being run, their progress is shown on the right side of the status bar.
Double clicking on a process name brings up a dialog that enables you to cancel without completing
the process.
CHAPTER 5
Case Management
In This Chapter
Overview of Case Structure
Case Related Features
New Case Wizard
Using a Case
Opening a Case
Saving a Case
Closing a Case
Overview of Case Structure
An evidence case has a tripartite structure consisting of an evidence file, a case file, and EnCase
configuration files.
The case file contains information specific to one case. It contains:
Pointers to one or more evidence files or previewed devices
Bookmarks
Search results
Sorts
Hash analysis results
Signature analysis reports
Note: You must create a case file before you can preview any media or analyze evidence files.
One of the most powerful features of the program is its ability to organize different media so they can
be searched as a unit rather than individually.
Administrator Credentials
Some features of EnCase (for example, physical disk access) are available only if you are logged on as
an administrator. For this reason, Guidance Software recommends that EnCase users are local users
with Windows administrator credentials.
Examples of the types of activities requiring administrative access are:
Setup: The setup program needs administrator privileges to configure devices and services during
install and uninstall. On Vista, the setup program needs these privileges to write files to the \Program
Files directory.
Reading Local Devices: To add a local drive to EnCase (the Add Device command) and read it at the
sector level, Windows requires that EnCase run as an administrator.
Configuring PDE: PDE is dependent on a virtual device driver that needs to be installed at the time of
running. This installation process requires administrator privileges.
Neutrino: Neutrino configures devices to use its device drivers. The configuration of devices on the
operating system requires administrator access.
EnCase Options Files (Vista and later only): The EnCase options files are currently saved in the
Program Files folder. On Vista and later operating systems, administrator access is required to
modify files in these folders.
Wipe and Restore: The wipe and restore functionality requires sector-level access to disk drives, for
which Windows requires administrator privileges.
Write Blocking: To set a device as write blocked you must configure the EnFilter driver to write block
devices. Windows requires administrator privileges to communicate with the device driver.
Case Management
Before starting an investigation, give consideration to how the case is accessed once it is created. For
example, more than one investigator may need to view the information. To accomplish this, evidence
files can reside on a central server.
Creating temporary export and evidence folders allows file segregation and control. A temporary
folder holds any transient files created during an investigation. The export folder provides a
destination for data copied from the evidence file.
Create an evidence folder to store evidence. Temp and Export folders are built when a case is created.
Concurrent Case Management
The program can open more than one case at a time. Each case appears in the Table pane, and is
analyzed independent of the other.
To switch case analysis from one case to another:
1. Click View > Cases > Sub-Tabs > Home.
2. Select a case for analysis from the Table tab.
The Devices column of the table indicates how many devices are associated with the case in the Name
column.
Note: To look at the devices associated with a particular case, highlight the case in the Table pane, then click the Entries
sub-tab below Cases.
Indexing a Case
Managing the index files associated with evidence files in a case is an important part of case
management.
For detailed information, see Indexing (on page 270).
Case File Format
Version 6 has a new case file format. As a result, case files created in version 6 do not open in previous
versions. Version 6, however, does support cases created with version 5.
If a version 5 case file is opened in version 6, it can be saved as either a version 5 or a version 6 case
file. You have this option in the File > Save As menu.
For example, a case is created in version 5, then opened and worked on in version 6. To select the
version in which to save the file:
1. Select File > Save As.
2. Expand the Save as type field and make a selection.
Case File saves the file as version 6.
Version 5 Case File saves the file as version 5.
Backup Case File saves the file as a version 6 backup file.
Case Backup
By default, a backup copy of the case file is saved every 10 minutes.
By default, backup files (.cbak) are saved to C:\Program Files\EnCase\Backup. With the
exception of the extension, this file has the same name as the parent file.
To change the default save time:
1. Select Tools > Options > Global.
2. Change the number in the Auto Save text field.
Note: Selecting 0 disables the autosave function. Guidance Software recommends you not do this.
Options Dialog
The Options menu allows you to customize the software.
To access the menu, select Cases > Options from the toolbar.
A tabbed dialog opens. The tabs are:
Case Options (when a case is open)
Global
NAS
Colors
Fonts
EnScript
Storage Paths
Enterprise
Note: All fields on the Case Options tab are mandatory.
The Case Options fields in the illustration show the default values.
Name holds the case name.
Examiner Name is the investigator's name.
Default Export Folder is the location to which exported data are sent.
Temporary Folder is the location to which temporary data are sent.
Index Folder is the location of case indices.
Case Related Features
Cases use these processes:
Logon wizard
New Case wizard
Options dialog
Case Time Setting dialog
Logon Wizard
The Logon wizard captures the user name, password, and SAFE to use for the current session. The
user and password are established by the administrator, or those granted administrator level
permissions.
The Logon wizard displays the following pages:
Users page
SAFE page
Logon Wizard Users Dialog
The Users dialog of the Logon wizard captures the current user's password and user name.
Password captures the user password.
User contains the User tree listing users' private keys and any subfolders in the current root path.
A valid user has a matching public key in the SAFE they log on to.
Root User Object provides additional functionality through a dropdown menu including:
Updating the list of users displayed
Changing the root path
Commands that expand or collapse the User tree.
User Objects provides additional functionality through a dropdown menu, including updating
the list of users displayed and changing the root path.
Users Dropdown Menu
The Users dropdown menu provides additional functionality. The menu displays from the Users tree
in the User's Page.
The Update command updates the Users tree display. When a user's private key is added to the
default C:/Program Files/EnCase6/Keys folder or any other folder specified by the current
root path, the tree does not immediately display the new user. The new user appears when the
wizard is opened again, or when the User tree is updated.
Use the Change Root Path command to specify a folder that contains the private keys of users
other than the default folder. Specify the root path in the Browse for Folder dialog. The Users tree
contains only those users in the folder specified as the new root path.
Browse for Folder Dialog
Use this dialog to change the root path in the Users tree and the SAFE tree to specify the path to
folders containing keys for users or SAFEs. The default path is C:/Program Files/EnCase6/Keys.
The Users tree is based on the private keys contained in the folder defined by the root path. The SAFE
tree is based on .SAFE files contained in the folder defined by the root path. Both types of files are in
the C:/Program Files/EnCase6/Keys folder.
Moving these key files while the trees are displayed requires a refresh to update the trees.
Path displays a tree to navigate to the folder containing the keys.
SAFE Dialog of the Logon Wizard
The SAFE dialog of the Logon wizard determines if a SAFE is associated with and used by the current
user.
SAFE contains the SAFEs tree that organizes all the SAFEs that are installed. Select a SAFE to
complete the logon.
SAFEs Root Object provides additional functionality through a dropdown menu, such as:
Editing the settings of the SAFE.
Changing the root directory.
Logging on to a remote SAFE.
Additional commands that expand or collapse the SAFEs tree
SAFE Objects provides additional functionality through a dropdown menu, such as:
Editing the settings of the SAFE.
Changing the root directory.
Logging on to a remote SAFE.
SAFE Dropdown Menu
The SAFE dropdown menu provides additional functionality.
Edit opens the Edit SAFE Dialog where SAFE settings are defined and remote logons are enabled.
Update updates the Users tree display. When a user's private key is added to the default
C:/Program Files/EnCase6/Keys folder or any other folder specified by the current root
path, the tree does not immediately display the new user. The new user appears when the wizard
is opened again, or when the User tree is updated.
Use the Change Root Path command to specify a folder that contains the private keys of users
other than the default folder. Specify the root path in the Browse for Folder dialog. The Users tree
contains only those users in the folder specified as the new root path.
Browse for Folder Dialog
Use this dialog to change the root path used in the Users tree and the SAFE tree to specify the path to
folders containing keys for users or SAFEs. The default path is C:/Program Files/EnCase6/Keys.
The Users tree is based on the private keys contained in the folder defined by the root path. The SAFE
tree is based on .SAFE files contained in the folder defined by the root path. Both types of files are
found in the C:/Program Files/EnCase6/Keys folder.
Moving these key files while the trees are displayed requires a refresh to update the trees.
Change Root Path displays a tree to navigate to the folder containing the keys.
Editing the SAFE Dialog
The Edit SAFE dialog contains settings that define connections to the SAFE and enable remote login.
When EnCase prompts you to choose a SAFE, right click the desired SAFE and select Edit from the
dropdown menu.
Machine Name contains the IP address to the machine or subnet that constitutes the SAFE or
SAFEs accessed using the named SAFE.
Remote SAFE determines if communications with the node are routed through the SAFE, so the
SAFE stands between the client and the node. Enabling this setting allows you to provide a value
for Inbound Port and to use its value communicating with the remote SAFE.
Inbound Port determines which port is used when communicating with the remote SAFE at the IP
address specified in Machine Name.
Attempt Direct Connection contains settings that determine what kind of connection is made to
the specified SAFE.
Enable None when the target system cannot establish a connection with an EE client. All traffic is
then routed through the SAFE server, which increases communication times but gives the
investigator the ability to obtain data that is otherwise not available.
Enable Client to Node (Local) when the client (Examiner) and the node (servlet) reside on the
same network, and the SAFE resides on a different network. This allows data to transfer directly
from the node to the client, after the client successfully authenticates through the SAFE. Also, the
client will use the IP address that the node believes it has, rather than the IP address the SAFE has
for the node. In this configuration, design the network so that all the company's employees are
located on the corporate desktop network, and employ routing/NATing.
Client to Node (SAFE) enables NAT, where a private IP address is mapped to a public IP address.
Typically, the SAFE and node reside on the same subnet, and the client on another. This way, data
transfers directly from the node to the client, after the client successfully authenticates through the
SAFE. The client also uses the IP address that the SAFE believes the node has, rather than the IP
address the node reports it has, to allow a direct connection between the client and node machine.
This option is enabled by default.
Node to Client operates similarly to the Client to Node (SAFE) mode, except that the node
attempts the direct connection to the client. Use it when you want direct data transfer between the
node and the client, and there is NATing or a firewall prohibiting the node from sending data
directly to the local IP/default port of the client. Once you check this option, the Client return
address configuration box becomes available to enter the NATed IP address and custom port (for
example, 192.168.4.1:1545).
Priority enables you to throttle a servlet's resource usage for the thread that controls the connection
(but not the servlet process itself) when conducting a preview, acquisition, or sweep. The options
are Low, Normal, or High. This feature is useful for investigating machines when the examination
is very sensitive, or with production servers constantly running CPU-intensive processes.
New Case Wizard
The New Case wizard captures role and case settings. A case is associated with a specific role. Roles
are established by the administrator.
The New Case wizard consists of two dialogs:
Role dialog
Case Options dialog
Roles Dialog of the New Case Wizard
The Roles dialog of the New Case wizard associates the case being created with a role. Roles are
established by the administrator.
Note: Once you select a role for a case, you cannot change it.
Roles contains the Roles tree, which organizes the available roles. Select the role associated with the
case you are creating.
Case Options Page of the New Case Wizard
The Case Options page of the New Case Wizard is where you enter the name of the case, the
examiner's name and paths to folders associated with the case.
Name contains the name of the case associated with the case options set on this tab. The case name
is used as the default filename when the case is saved. You can change this filename when you
save the case.
Examiner Name is the name of the investigator.
Default Export Folder contains the path to and name of the folder where files are exported.
Temporary Folder contains the path to and name of the folder where temporary files are created.
Index Folder contains the index file for any indexed file or collection of files.
Add Device
Once a case is open, add evidence in accordance with the information in the Working with Evidence
section.
Using a Case
A case is central to an investigation. Before you can add a device, preview content, or acquire content,
you must open a case. This may be a new case or an existing case.
Once you create a file, you can add a device, proceed with the device preview and acquisition, and
subsequent analysis.
Use the Case Options page to define a case. The settings on this page are the same as those on the Case
Options tab of the Options dialog.
Once a case is open, you can establish its time zone settings.
Modifying Case Related Settings
Use the Case Options dialog, the same one the New Case wizard shows, to modify case related settings after the case is created.
1. Open the case.
2. Click Tools > Options.
The Case Options tab displays.
3. Change the settings through the various tabs in the Options dialog.
4. Click OK.
For more information, see the Installing EnCase Forensic chapter.
Time Zone Settings
The Energy Policy Act of 2005 (Public Law 109-058) amends the Uniform Time Act of 1966 by
changing the start and end dates of daylight saving time beginning in 2007. Clocks are set ahead one
hour on the second Sunday of March, and set back one hour the first Sunday in November.
The resulting extra four weeks is called the extended daylight saving time period. EnCase software uses
time zone definitions stored in the examiner's Windows registry to adjust for daylight saving time and
time zone adjustments. Microsoft released a patch altering how these adjustments are stored.
The Windows registry contains a subdirectory of dynamic daylight savings time entries for different
years. This allows the operating system to apply current daylight savings time settings to new files,
and the corresponding year's daylight savings time for older files.
On patched machines, the root entry for daylight saving time settings is updated to the 2007 time zone
settings, and that is currently the entry EnCase software uses. Therefore, if the examiner machine is
patched, EnCase software uses the new 2007 rules for entries whose dates lie in the new four week
extended daylight saving time period. Consequently all file dates, even those for previous years, apply
the new daylight savings time settings.
Time zone settings can be set in two different ways. If you want to use one time zone for an entire
case, set the time zone for the entire case. If you have several pieces of media that use different time
zones, set the time zone individually for each device in your case.
Case File Time Zones
Set the time zone for the entire case with the Case Time Settings dialog.
The features of the Case Time Settings dialog are:
Account for Seasonal Daylight Savings Time applies DST rules as defined by the registry
settings. If you want to use the new 2007 DST rules, ensure your machine is patched.
Convert All Dates to Correspond to One Time Zone enables the Daylight Setting and the Time
Zone list. This allows you to convert all times to match one time zone.
Daylight Setting is disabled unless Convert All Dates to Correspond to One Time Zone is
checked. Use the option buttons to select Standard or Daylight Savings time adjustments.
Time Zone List is also disabled unless Convert All Dates to Correspond to One Time Zone is
checked. This captures the time zone you want to use with your case.
Evidence File Time Zones
Use the Time Properties dialog to set the time zone for each evidence file.
The features of the Time Properties dialog are:
Time Zone List captures the time zone the subject device was set to.
Details provides the rules used for the time zone selected in the Time Zone list. The rules listed here
are populated using Dynamic Daylight Savings Time, which requires that your computer is properly
patched in order to use the new DST rules described above.
Use Single DST Offset is available for time zones with different settings, depending on the year.
For example, in 2007 the United States changed the date for switching to and from Daylight
Savings Time; therefore, there are different rules for 2006 and before, and 2007 and after.
By default EnCase applies the proper rules for these changes.
You can, however, apply only one rule set across the board. For example, you could have evidence
from 2008 but with the 2006 rules applied because the original user did not install Windows
updates. Note that this does not apply one DST to the entire device.
Year Selection List is disabled until Use Single DST Offset is checked. You can select which DST
rules to base the DST adjustment on:
Use 2006 for machines using pre-2007 DST rules
Use 2007 only on computers using the new 2007 DST rules
Setting Time Zones Settings for Case Files
1. Open a case.
2. Click View > Cases > Sub-Tabs > Home.
The open cases appear in the Table pane.
3. Right click the case where you want to set the time zone, then select Modify Time Settings.
The Case Time Settings dialog displays.
4. If you want to account for seasonal daylight savings time rules, select Account for Seasonal
Daylight Saving Time.
5. If you want to convert all dates to a particular time zone:
a. Select Convert All Dates to Correspond to One Time Zone.
b. Select a Daylight Setting.
c. Select a Time Zone.
6. When you are finished, click OK.
Setting Time Zone Options for Evidence Files
1. Open a case to display its contents
2. Select a Device from the Tree pane, right click it and choose Modify time zone settings.
The Time Properties dialog appears.
3. Select a Time Zone from the Time Zone list.
The details of the time zone appear in the Details text box.
4. If you want to use a single DST offset, select Use Single DST Offset and select the year of the
DST rules you want to apply.
5. When you are finished, click OK.
General Time Zone Notes
FAT, HFS, and CDFS times are not associated with any time zone when stored on a target
machine. The investigator assigns a time zone to the evidence at the device level. This
assignment does not change displayed dates unless a case time is set and it is different from
the device time.
NTFS and HFS+ times are associated to Greenwich Mean Time (GMT) when stored on a target
machine.
Setting device time zones associates a time zone with the stored FAT times, and for NTFS displays
the correct offset from GMT.
Note: By default, all time zones are set to the examiner machine time zone.
Modifying the case time zone to convert all times to one time zone changes the FAT, HFS, and
CDFS times if the device time zone is different from that of the case time zone. All NTFS and
HFS+ times are adjusted to the case GMT-offset if convert all times is applied.
At the case level, the daylight settings respond this way:
If standard is selected, no change is made to any times.
If daylight is selected, one hour is added to all display times regardless of the time of year.
The investigator's system clock date in standard or daylight time should have no effect on
displayed times.
FAT, HFS and CDFS Time Zone Specifics
FAT, HFS, CDFS: All times are stored initially as the system time of the acquired machine. For
instance, if a file is saved at 3 p.m., the time stored is 3 p.m. There is no time zone associated to 3 p.m.
when the time is stored.
Setting the time zone at the device or volume level identifies the time zone in which the recorded times
occurred. When the evidence is added to the program it is assumed to be in the investigator's local
time.
Modifying the device level does not change times because the device time zone associates a time zone
only to the times stored.
Time Zone Example
The target computer has an HFS in New York (-5 GMT).
The file is created at 3 p.m. The stored time in the computer is 3 p.m.
The drive is imaged and the investigator writes that the computer displayed the correct local
time.
An investigator in California opens the evidence file. EnCase initially assigns a time zone to
the device level of -8 GMT since that is the time zone setting of the West coast investigator's
machine. The time still displays 3 p.m. because EnCase software knows the stored time is 3
p.m. and the local time zone of the examiner is -8 GMT.
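As an added illustration of the rules in this section (example code, not part of the original guide and not EnCase's own implementation), the Python model below applies them to constructed timestamps: FAT/HFS/CDFS values are treated as wall-clock local time that the device time zone merely labels, NTFS/HFS+ values as GMT plus the device or case offset, and the case Daylight setting adds one hour unconditionally. The names display_time, CaseTimeSettings and worked_example, the whole-hour offsets and the sample dates are assumptions made for the example; the scenario replays the New York (-5 GMT) and California (-8 GMT) case above and adds an NTFS counterpart to show why the device time zone matters for GMT-based file systems even though it does not move the displayed HFS time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# File systems whose stored times are the acquired machine's wall-clock time
# (no time zone recorded); the device time zone only labels them.
LOCAL_TIME_FS = {"FAT", "HFS", "CDFS"}
# File systems whose stored times are GMT; display = stored + offset.
GMT_FS = {"NTFS", "HFS+"}


@dataclass
class CaseTimeSettings:
    """Assumed model of the Case Time Settings dialog (example, not EnCase's code)."""
    convert_to_one_zone: bool = False   # "Convert All Dates to Correspond to One Time Zone"
    case_offset_hours: int = 0          # Time Zone list choice, as hours from GMT
    daylight: bool = False              # Daylight Setting: Daylight (True) or Standard (False)


def display_time(fs: str, stored: datetime, device_offset_hours: int,
                 case: CaseTimeSettings) -> datetime:
    """Wall-clock time shown for one timestamp under the stated rules.

    stored is the raw value on the media: local wall-clock for LOCAL_TIME_FS,
    GMT for GMT_FS (both naive datetimes). device_offset_hours is the time zone
    assigned at the device level (by default the examiner's machine zone).
    """
    if fs in LOCAL_TIME_FS:
        shown = stored
        # Only a case-level conversion to a *different* zone changes these times.
        if case.convert_to_one_zone and case.case_offset_hours != device_offset_hours:
            shown = stored + timedelta(hours=case.case_offset_hours - device_offset_hours)
    elif fs in GMT_FS:
        offset = case.case_offset_hours if case.convert_to_one_zone else device_offset_hours
        shown = stored + timedelta(hours=offset)
    else:
        raise ValueError(f"unknown file system class: {fs}")
    # Daylight Setting is only enabled when converting; Daylight adds one hour
    # to every displayed time regardless of the time of year.
    if case.convert_to_one_zone and case.daylight:
        shown += timedelta(hours=1)
    return shown


def worked_example() -> dict:
    """Replays the New York / California scenario plus an NTFS counterpart."""
    # Constructed sample: file created 3 p.m. in New York (-5 GMT) on 1 June 2008.
    hfs_stored = datetime(2008, 6, 1, 15, 0)     # HFS stores 3 p.m. as-is
    ntfs_stored = datetime(2008, 6, 1, 20, 0)    # NTFS stores the GMT equivalent
    pacific = CaseTimeSettings(convert_to_one_zone=True, case_offset_hours=-8)
    pacific_dst = CaseTimeSettings(convert_to_one_zone=True, case_offset_hours=-8, daylight=True)
    return {
        # Default device zone is the examiner's (-8): HFS still shows 3 p.m.
        "hfs_default_device_zone": display_time("HFS", hfs_stored, -8, CaseTimeSettings()),
        # Examiner corrects the device zone to -5: still 3 p.m., only the label changed.
        "hfs_device_zone_set": display_time("HFS", hfs_stored, -5, CaseTimeSettings()),
        # Case converted to Pacific: 3 p.m. Eastern becomes noon.
        "hfs_case_converted": display_time("HFS", hfs_stored, -5, pacific),
        # NTFS with the correct device zone shows the original 3 p.m. ...
        "ntfs_device_zone_set": display_time("NTFS", ntfs_stored, -5, CaseTimeSettings()),
        # ... but with the default (-8) device zone it is shown three hours early.
        "ntfs_default_device_zone": display_time("NTFS", ntfs_stored, -8, CaseTimeSettings()),
        # Converted to Pacific with Daylight selected: noon plus the unconditional hour.
        "ntfs_case_converted_daylight": display_time("NTFS", ntfs_stored, -5, pacific_dst),
    }


if __name__ == "__main__":
    for label, shown in worked_example().items():
        print(f"{label:30s} {shown:%Y-%m-%d %H:%M}")
```

The practical point the model makes visible: leaving a device at the examiner's default zone is harmless for FAT/HFS/CDFS displays but shifts every NTFS and HFS+ timestamp by the difference between the two zones, so the device zone should be set before timeline work on those file systems.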
Opening a Case
Open a case to continue analysis or to review a case.
1. Select File > Open.
2. Browse to or select the case from the recent files list at the bottom of the menu, then click
Open.
Note: You can also open a case by double clicking the case file in Windows Explorer.
Saving a Case
You can save a case:
To its current filename and location: see Saving a Case on page 92.
With a new filename or a new location: see Saving a Case with a New Name or New Location
on page 92.
To its current filename and location along with the application's current references, conditions,
and filters: see Saving a Case and the Global Application Files on page 93.
Saving a Case
To save a case:
1. Click File > Save or click Save on the toolbar.
The Save dialog appears.
2. If you want to use the case name as the file name and use the default path in My Documents,
click Save.
3. You can also navigate to or enter a different file name and path, then click Save.
Saving a Case with a New Name or New Location
You can save any case with a new name or save it in a new location.
1. Click File > Save As.
The Save dialog appears.
2. If you want to use the case name or current file name and use the default path in My
Documents, click Save.
3. You can also navigate to or enter a different file name and path, then click Save.
Saving a Case and the Global Application Files
You can save the global application files containing preferences, conditions, and filters in the locations
specified in the Storage Paths tab of the Options dialog.
1. Click File > Save All.
The Save dialog appears.
2. If you want to use the current file name and the default path in My Documents, click Save.
3. You can also navigate to or enter the desired file name and path, then click Save.
Closing a Case
Protect the integrity of cases by closing them when they are not being worked on.
1. Save the open case.
2. In Tree view, place the cursor on an open case.
3. Click Close.
Click Yes to close the case.
Note: Close is also available from the dropdown menu.
CHAPTER 6
Working with Evidence
In This Chapter
Overview
Supported File Systems and Operating Systems
Using Snapshots
Getting Ready to Acquire the Content of a Device
Acquiring
Delayed Loading of Internet Artifacts
Hashing
Logical Evidence Files
Recovering Folders
Recovering Partitions
Restoring Evidence
Snapshot to DB Module Set
WinEn
Wipe Drive
Overview
EnCase organizes digital evidence into an associated case. Digital evidence is previewed, then possibly
acquired. Once evidence is acquired or added to a case, it can be analyzed. This section focuses on
previewing, acquiring, and adding digital evidence to the case.
Administrator Credentials
Some features of EnCase (for example, physical disk access) are available only if you are logged on as
an administrator. For this reason, Guidance Software recommends that EnCase users are local users
with Windows administrator credentials.
Examples of the types of activities requiring administrative access are:
Setup: The setup program needs administrator privileges to configure devices and services during
install and uninstall. On Vista, the setup program needs these privileges to write files to the \Program
Files directory.
Reading Local Devices: To add a local drive to EnCase (the Add Device command) and read it at the
sector level, Windows requires that EnCase run as an administrator.
Configuring PDE: PDE is dependent on a virtual device driver that needs to be installed at the time of
running. This installation process requires administrator privileges.
Neutrino: Neutrino configures devices to use its device drivers. The configuration of devices on the
operating system requires administrator access.
EnCase Options Files (Vista and later only): The EnCase options files are currently saved in the
Program Files folder. On Vista and later operating systems, administrator access is required to
modify files in these folders.
Wipe and Restore: The wipe and restore functionality requires sector-level access to disk drives, for
which Windows requires administrator privileges.
Write Blocking: To set a device as write blocked you must configure the EnFilter driver to write block
devices. Windows requires administrator privileges to communicate with the device driver.
Types of Entries
Entries include evidence and other file types containing digital evidence that are added to a case.
There are four classes of evidence containing files that EnCase applications support:
EnCase Evidence Files (E01)
Logical Evidence Files (LEF/L01)
Raw images
Single files, including directories
These files are acquired or added to a case. Before digital evidence can be added to a case, it is
previewed.
EnCase Evidence Files
EnCase evidence files (E01) contain the contents of an acquired device and provide the basis for later
analysis.
EnCase evidence files integrate investigative metadata, the device-level hash value, and the content of
an acquired device. This integration simplifies evidence handling and investigative efforts by keeping
the device-level hash value and content together, and by simplifying the effort required to verify that
the evidence has not changed since it was collected from a subject device.
Dragging and dropping an E01 file anywhere on the EnCase interface adds it to the currently opened
case.
Logical Evidence Files
Logical Evidence Files (LEF/L01) are created from files seen in a preview or existing evidence file. They
are typically created after an analysis finds some noteworthy evidence.
When LEFs are verified, the stored hash value of the file is compared to the entry's current hash value.
If the hash of the current content does not match the stored hash value, the hash is followed by
an asterisk (*).
If no content for the entry was stored when creating the LEF, but a hash was stored, the hash is
not compared to the empty file hash.
If no hash value was stored for the entry when creating the LEF, no comparison is done, and a
new hash value is not populated.
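To make the verification rules above concrete, here is an added Python example (not EnCase's own code, and it does not parse the E01 or L01 formats) that models both the device-level check an EnCase evidence file carries, as described under EnCase Evidence Files, and the three LEF rules just listed. It assumes MD5 as the stored hash algorithm, a LefEntry record with the fields shown, the status names used below, and constructed sample content.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Status values returned by the checks below (names are this example's own).
VERIFIED = "verified"          # current hash equals the stored hash
MISMATCH = "mismatch"          # stored hash is shown with a trailing asterisk
NOT_COMPARED = "not_compared"  # hash stored but no content: nothing to hash
NO_HASH = "no_hash"            # no hash stored: no comparison, no new hash


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string; assumed here as the stored hash algorithm."""
    return hashlib.md5(data).hexdigest()


def verify_device_image(image: bytes, acquisition_hash: str) -> bool:
    """Device-level check: rehash the acquired content and compare it with the
    hash recorded at acquisition time (the value an E01 keeps beside its content)."""
    return md5_hex(image) == acquisition_hash


@dataclass
class LefEntry:
    """One entry of a logical evidence file, as this example models it."""
    name: str
    stored_hash: Optional[str]   # hash recorded when the LEF was created, or None
    content: Optional[bytes]     # content stored in the LEF, or None if not stored


def verify_lef_entry(entry: LefEntry) -> Tuple[Optional[str], str]:
    """Apply the three LEF rules; returns (hash to display, status)."""
    if entry.stored_hash is None:
        # Rule 3: no stored hash, so no comparison and no new hash populated.
        return None, NO_HASH
    if entry.content is None:
        # Rule 2: hash stored without content; it is NOT compared to an empty-file hash.
        return entry.stored_hash, NOT_COMPARED
    current = md5_hex(entry.content)
    if current != entry.stored_hash:
        # Rule 1: content differs from what was hashed at creation; flag with an asterisk.
        return entry.stored_hash + "*", MISMATCH
    return entry.stored_hash, VERIFIED


def sample_verification() -> dict:
    """Runs the checks over constructed sample data."""
    original = b"constructed file content for the example"
    good_hash = md5_hex(original)
    entries = [
        LefEntry("intact.txt", good_hash, original),
        LefEntry("altered.txt", good_hash, original + b"\x00"),  # changed after creation
        LefEntry("hash_only.txt", good_hash, None),              # content not stored
        LefEntry("no_hash.txt", None, original),                 # hash never recorded
    ]
    results = {e.name: verify_lef_entry(e) for e in entries}
    # Constructed "device": the same bytes repeated, hashed at "acquisition" time.
    image = original * 4
    results["device_image"] = verify_device_image(image, md5_hex(image))
    return results


if __name__ == "__main__":
    for name, result in sample_verification().items():
        print(name, result)
```

Rule 2 is the one worth remembering when reading verification output: an entry that carries a hash but no content reports its stored hash unchanged, which says nothing about whether the original file still matches it.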
Raw Image Files
Raw image files contain a collection of files but lack the integrated metadata, compression, and hash
values that the EnCase evidence file provides.
Before you can acquire raw image files they must be added to a case. The Linux dd command is
typically used to produce raw image files. During acquisition, the raw image file can be hashed and
compressed. Once acquired, raw image files are incorporated into an EnCase evidence file.
Single Files
Individual files can be added to the case once you select Activate Single Files.
You can add any file type supported by an EnCase application to a case. Do this using the interface, or
drag and drop. When files are added, they appear in the View pane.
You can add a folder containing files to a case. You must use drag and drop to do this. When you add
folders, the folders appear in the entries tree and the entries table. The individual files within the
folder appear only on the entries table.
Supported File Systems and Operating Systems
For a matrix showing supported file systems, see the Snapshot File Systems Knowledge Base topic of the
Guidance Support Portal (https://support.guidancesoftware.com/).
For a matrix showing supported operating systems, see the Snapshot Information for Supported OSs
Knowledge Base topic of the Guidance Support Portal (https://support.guidancesoftware.com/).
Support for the DOS EN.EXE utility was dropped. You should do drive-to-drive and crossover cable
acquisitions using the LinEn utility.
HFS+ Permissions Support
EnCase supports HFS+ (Mac OS Extended Volume Hard Drive Format) permissions.
Unix/Linux Environment
EnCase uses these abbreviations for file and directory permissions:
Lst Fldr=List Folder
Rd Data=Read File Data
Crt Fl=Create Folder
W Data=Write File Data
Trav Fldr=Traverse Folder
X FL=Execute File
Characters to the left of a slash within brackets indicate folder permissions
Characters to the right of a slash within brackets indicate file permissions
For example, [Lst Fldr/Rd Data][Crt Fl/W Data][Trav Fldr/X Fl]= Full Permissions.
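As an added example (not EnCase code), this Python parser reads the bracketed HFS+ permission notation described above and reports folder rights (left of each slash) and file rights (right of each slash) separately, then renders them as a Unix-style rwx triple. It assumes the abbreviations listed above, matched case-insensitively because the text spells Execute File both as X FL and X Fl, and it assumes that an absent right leaves its side of the slash empty; that convention and the sample strings are constructed for the example, not something the guide states.

```python
import re
from typing import Dict, List

# Abbreviations from the guide: folder rights (left of the slash) and file rights (right).
FOLDER_RIGHTS = {"lst fldr": "List Folder", "crt fl": "Create Folder", "trav fldr": "Traverse Folder"}
FILE_RIGHTS = {"rd data": "Read File Data", "w data": "Write File Data", "x fl": "Execute File"}

# The three bracket groups appear in read, write, execute order.
RWX_ORDER = "rwx"

# One group: "[<folder right>/<file right>]"; either side may be empty (assumed convention).
_GROUP = re.compile(r"\[([^\]/]*)/([^\]]*)\]")


def parse_permissions(text: str) -> Dict[str, List[str]]:
    """Split "[folder/file][folder/file][folder/file]" into named rights.

    Unknown abbreviations raise ValueError so a typo is not silently dropped.
    """
    groups = _GROUP.findall(text)
    if len(groups) != 3:
        raise ValueError(f"expected three permission groups in {text!r}")
    folder, file_ = [], []
    for left, right in groups:
        left, right = left.strip().lower(), right.strip().lower()
        if left:
            if left not in FOLDER_RIGHTS:
                raise ValueError(f"unknown folder right {left!r}")
            folder.append(FOLDER_RIGHTS[left])
        if right:
            if right not in FILE_RIGHTS:
                raise ValueError(f"unknown file right {right!r}")
            file_.append(FILE_RIGHTS[right])
    return {"folder": folder, "file": file_}


def rwx_string(text: str) -> str:
    """Render the three groups as rwx triples for the folder side and the file side."""
    groups = _GROUP.findall(text)
    if len(groups) != 3:
        raise ValueError(f"expected three permission groups in {text!r}")
    folder = "".join(RWX_ORDER[i] if left.strip() else "-" for i, (left, _) in enumerate(groups))
    file_ = "".join(RWX_ORDER[i] if right.strip() else "-" for i, (_, right) in enumerate(groups))
    return f"folder={folder} file={file_}"


def is_full_permissions(text: str) -> bool:
    """True only when all three folder rights and all three file rights are present."""
    rights = parse_permissions(text)
    return len(rights["folder"]) == 3 and len(rights["file"]) == 3


if __name__ == "__main__":
    # Constructed samples: the full-permission string from the guide and a read/execute-only one.
    for sample in ("[Lst Fldr/Rd Data][Crt Fl/W Data][Trav Fldr/X Fl]",
                   "[Lst Fldr/Rd Data][/][Trav Fldr/X FL]"):
        print(sample, "->", rwx_string(sample), "full" if is_full_permissions(sample) else "partial")
```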
Windows Environment
The Windows environment abbreviations for HFS+ permissions are:
FC=Full Control
M=Modify
R&X=Read Execute
R=Read
W=Write
Sync=Contact an EnCase developer
Extended File Allocation Table (exFAT) Support
EnCase can acquire devices using the exFAT file system.
exFAT contains these files by default:
Primary FAT: identical to other FAT file systems.
$Boot0: VBR and associated sectors (for the boot loader).
$Boot1: backup of $Boot0 (right after $Boot0).
$UpCase: a map to apply uppercase to Unicode file names (identical to NTFS).
$Bitmap: cluster allocation map (indicates which cluster is in use).
exFAT also supports initialized file size.
EnCase detects exFAT volumes automatically. You can also add an exFAT volume manually: select the
exFAT option from the Add Partition dialog.
Enhanced FAT Parsing
Not all implementations of the FAT file system can be automatically detected. For example, some FAT
16 volumes in certain removable media may be detected as FAT 12.
To address this issue, EnCase provides an option to specify the FAT type (FAT 12, FAT 16, or FAT 32)
to parse. This option is included in the Add Raw Image and Add Partition dialogs.
Add Raw Image Dialog
1. Click File > Add Raw Image. The Add Raw Image dialog opens.
2. Click the Volume option button, then select the Partition Type for the FAT volume you are
parsing.
3. Click OK.
Add Partition Dialog
1. Select the Disk tab in Table view, then right click for a dropdown menu.
2. In the dropdown menu, click Add Partition. The Add Partition dialog opens.
3. Select the Partition Type for the FAT volume you are parsing.
4. Click OK.
Fast File Transfer
EnCase provides improved performance when the servlet transfers files to EnCase. Before, EnCase
sent requests to obtain one chunk of data (32 kb) at a time, and transferring a large file involved
sending many read commands from the examiner. Although extremely robust, combined with
network latency, this protocol could cause significant delays on certain networks.
In the new approach, the examiner sends just one read command, and error handling is done by the
TCP/IP layer.
This functionality is built into the EnCase UI, and you can also access this function from EnScript,
where a new option, CopyFile, has been added to the file class. It contains two parameters:
Output file
Size (optional)
If size is not specified, the data from the current position to the end of the file is transferred.
Note: This is EnScript-specific and is not the default file transfer method for EnCase.
Using Snapshots
Snapshots collect a variety of information to create snapshot bookmarks. Snapshots are the output of
EnScript programs. In EnCase Forensic, only the Scan Local Machine EnScript program creates
snapshots. In EnCase Enterprise, the following EnScript programs create snapshots:
Sweep Enterprise
Quick Snapshot
The Sweep Enterprise EnScript captures live information from a selected network tree without a case
or Enterprise logon needed before running.
The Quick Snapshot EnScript captures live information from a selected machine associated with a
device in an open case.
For more information on these EnScript programs, see Enterprise EnScript Programs (on page 386).
Getting Ready to Acquire the Content of a Device
Before you can acquire the contents of a device, you must add the device and preview the device's
content.
To add, preview, or acquire the content of a device, first open the case associated with the device.
To acquire the content of a device:
1. Using the Add Device wizard, add the device.
2. Using the EnCase main window, preview the contents of the device.
You are ready to acquire the contents of the device as an EnCase evidence file in the currently opened
case.
Previewing
Previewing is done before an acquisition, so an investigator can determine if the device should be
acquired. A preview is not optional, although the investigator determines the extent of the preview.
During a preview, the content of the device can be analyzed just as if the content had been acquired.
Note: A write blocking device, such as the FastBloc
programs.
In EnCase Forensic, the Scan Local Machine program creates snapshot bookmarks.
The output of the program is always bookmarked. After Scan Local Machine is run, a bookmark
toolbar displays that contains the Home tab and the Snapshot tab. The Snapshot tab has a toolbar
associated with it. This toolbar displays a tab command for each type of snapshot bookmark created
by one of the EnScript programs.
Each type of snapshot bookmark has a Tree pane and Table pane associated with it. Each table
displays data specific to the class of the system component whose data is displayed in the Table pane.
Snapshot bookmarks include
Machines snapshot on the Home tab
Open ports
Processes
Open files
Network Interfaces
Network Users
DLLs
ARP
Routes
Log Record Bookmarks
These bookmarks are created whenever console and status dialog messages are sent to a log record.
Acquiring a device is one process that optionally sends its outputs to a log record, which results in a
log record bookmark.
Bookmarking Items 327
Datamarks
EnScript programs or EnScript modules that execute the Add Datamark method create a datamark.
When a datamark is created in a bookmark folder, that datamark can be used as a bookmark. Each
datamark has a tab associated with it. The tab displays when you select the datamark in the
Bookmarks table on the Bookmarks tab of the Tree pane.
Bookmark Features
Features that you use while working with bookmarks include:
Bookmark Data dialog for highlighted data bookmarks
Add Note Bookmark dialog
Edit Folder Information/Structure Bookmarks dialog
Bookmark Data dialog for files
Bookmark Data Dialog for Highlighted Data Bookmarks
The Bookmark Data dialog is used when manually creating a bookmark. The dialog provides the
means to add comments to the bookmark, determine the data type of the bookmark, and to select a
destination folder where the bookmark is to be stored.
Comment contains text that describes the bookmarked content.
Data Type pane determines the data type of the bookmarked content.
Types tree contains objects representing the various formatting that can be used when displaying
bookmarked content.
Note: Details of the content of the tree are described in Bookmark Content Data Types.
Destination Folder determines the path to the folder where the bookmark is saved.
Contents displays the content of the bookmark in the format selected.
Bookmark Content Data Types
The Types tree in the Bookmark Data dialog provides a list of supported data types. The data types are
organized by parent objects representing each class of supported data types. Each specific data type is
represented by a child object. The formats interpret the underlying content. The formats change the
way that the data is bookmarked.
Text
Text is a parent object that contains child objects representing the formatting that can be used when
displaying bookmarked content as text.
Do not Show hides the content of the bookmark. This works for all underlying data types.
High ASCII displays the text in 256-bit ASCII.
Low ASCII displays the text in 128-bit ASCII.
Hex displays the text as hexadecimal digits, rather than characters.
Unicode displays the text in Unicode encoding.
ROT 13 Encoding decodes ROT 13 encoded text to ASCII text.
HTML renders HTML-coded content as it appears in a browser.
HTML (Unicode) renders HTML-coded content as it appears in a browser, using Unicode encoding.
Picture
Picture is a parent object that contains child objects representing various file formats that can be used
when displaying bookmarked content as a picture or graphic.
Picture displays the bookmarked content of the following file formats:
JPG
GIF
EMF
TIFF
BMP
AOL
ART
PSD
The format is chosen based on the file extension or the file signature of the file that contained the
bookmarked content.
Base64 Encoded Picture displays the bookmarked content in Base64 (Unicode) format.
UUE Encoded Picture displays the bookmarked content in UUE format.
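The following Python script is an added example and is not part of the EnCase manual, nor EnScript code from Guidance Software. It reproduces, outside EnCase, the Text and Picture interpretations described above on a constructed byte buffer: the Low ASCII, High ASCII, Hex, Unicode and ROT 13 views, and the Base64 and UUE picture decoders followed by a file-signature check for the listed formats. The interpretation of Low ASCII as printable 7-bit characters only, High ASCII as Latin-1, and Unicode as UTF-16LE are assumptions; the exact rendering rules EnCase uses are not stated on the page. The AOL ART signature is not on the page and is left out.

```python
import base64
import binascii
import codecs

# File signatures for the picture formats the dialog lists. AOL ART is omitted
# because the page gives no signature for it. EMF carries " EMF" at offset 40.
SIGNATURES = {
    "JPG": [(0, b"\xff\xd8\xff")],
    "GIF": [(0, b"GIF87a"), (0, b"GIF89a")],
    "BMP": [(0, b"BM")],
    "TIFF": [(0, b"II*\x00"), (0, b"MM\x00*")],
    "PSD": [(0, b"8BPS")],
    "EMF": [(40, b" EMF")],
}


def identify_picture(data: bytes):
    """Return the name of the picture format whose signature matches, or None."""
    for fmt, sigs in SIGNATURES.items():
        for offset, magic in sigs:
            if data[offset:offset + len(magic)] == magic:
                return fmt
    return None


def view_low_ascii(data: bytes) -> str:
    # Assumption: Low ASCII shows only printable 7-bit characters (0x20-0x7E);
    # every other byte is rendered as a dot.
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def view_high_ascii(data: bytes) -> str:
    # Assumption: High ASCII additionally shows 0xA0-0xFF through the Latin-1 code page.
    return "".join(chr(b) if (0x20 <= b < 0x7F) or b >= 0xA0 else "." for b in data)


def view_hex(data: bytes) -> str:
    return data.hex(" ")


def view_unicode(data: bytes) -> str:
    # Assumption: "Unicode" means UTF-16LE, the encoding Windows uses on disk.
    return data.decode("utf-16-le", errors="replace")


def view_rot13(data: bytes) -> str:
    return codecs.decode(data.decode("ascii", errors="replace"), "rot13")


def decode_base64_picture(text: bytes):
    """Decode Base64 text and identify the picture it contains."""
    raw = base64.b64decode(text)
    return identify_picture(raw), raw


def decode_uue_picture(text: bytes):
    """Decode a uuencoded block (begin ... end) and identify the picture it contains."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if line.startswith(b"begin "):
            in_body = True
        elif line == b"end":
            break
        elif in_body and line and line != b"`":  # "`" is the empty terminator line
            out += binascii.a2b_uu(line)
    return identify_picture(bytes(out)), bytes(out)


# Constructed samples (not from the page): a minimal GIF header and its encodings.
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00;"
B64_SAMPLE = base64.b64encode(GIF_SAMPLE)
UUE_SAMPLE = b"begin 644 sample.gif\n" + binascii.b2a_uu(GIF_SAMPLE) + b"`\nend\n"
ROT13_SAMPLE = b"Uryyb Rknzvare"

if __name__ == "__main__":
    print(view_rot13(ROT13_SAMPLE))
    print(view_hex(GIF_SAMPLE))
    print(decode_base64_picture(B64_SAMPLE)[0], decode_uue_picture(UUE_SAMPLE)[0])
```

The signature check is the useful part: a bookmark that decodes cleanly from Base64 or UUE but matches no signature is worth a second look before it is reported as a picture.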
Integers
Integers is a parent object that contains child objects representing integer encodings that can be used
when displaying bookmarked content.
8-bit displays the bookmarked content as 8-bit integers.
16-bit displays the bookmarked content as 16-bit Little-Endian integers.
16-bit Big Endian displays the bookmarked content as 16-bit Big-Endian integers.
32-bit displays the bookmarked content as 32-bit Little-Endian integers.
32-bit Big Endian displays the bookmarked content as 32-bit Big-Endian integers.
64-bit displays the bookmarked content as 64-bit Little-Endian integers.
64-bit Big Endian displays the bookmarked content as 64-bit Big-Endian integers.
Dates
Dates is a parent object that contains child objects representing the various date formats that can be
used when displaying bookmarked content.
DOS Date displays a packed 16-bit value that specifies the month, day, year, and time of day an MS-DOS
file was last written to.
DOS Date (GMT) displays a packed 16-bit value that specifies the time portion of the DOS Date as
GMT time.
UNIX Date displays a Unix timestamp in seconds based on the standard Unix epoch of 01/01/1970 at
00:00:00 GMT.
UNIX Text Date displays a Unix timestamp in seconds as text based on the standard Unix epoch of
01/01/1970 at 00:00:00 GMT.
HFS Plus Date displays a numeric value on a Power Macintosh that specifies the month, day, year,
and time when the file was last written to.
Windows Date/Time displays a numeric value on a Windows system that specifies the month, day,
year, and time when the file was last written to.
Lotus Date displays a date from a Lotus Notes database file.
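The following Python script is an added example, not EnCase or EnScript code, showing how the Integers and Dates interpretations above are computed from raw bytes. The integer views unpack little- and big-endian values of each width; the date views decode a FAT date/time pair, a Unix timestamp (binary and text), an HFS Plus date (seconds since 1904-01-01 GMT) and a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC). The choices of unsigned integers, of the FAT time word preceding the date word (the order used in directory entries) and of a signed 32-bit Unix timestamp are assumptions; the Lotus Date format is not described on the page and is omitted. The sample values are constructed and all encode the same instant.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption: integers are shown unsigned; the page does not state EnCase's signedness.
INT_FORMATS = {
    "8-bit": "<B",
    "16-bit": "<H",
    "16-bit Big Endian": ">H",
    "32-bit": "<I",
    "32-bit Big Endian": ">I",
    "64-bit": "<Q",
    "64-bit Big Endian": ">Q",
}

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)      # HFS Plus dates count from 1904
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts from 1601


def view_integers(data: bytes, kind: str) -> list:
    """Interpret data as a run of integers of the named type; a trailing partial value is dropped."""
    fmt = INT_FORMATS[kind]
    width = struct.calcsize(fmt)
    usable = len(data) - len(data) % width
    return [v[0] for v in struct.iter_unpack(fmt, data[:usable])]


def dos_date(data: bytes, gmt: bool = False):
    """Unpack a FAT time word followed by a date word; returns None for an invalid packed value."""
    t, d = struct.unpack("<HH", data[:4])
    try:
        stamp = datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                         t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:  # month or day of zero, hour > 23, etc.: not a real DOS date
        return None
    # DOS Date (GMT) treats the same value as GMT instead of local time.
    return stamp.replace(tzinfo=timezone.utc) if gmt else stamp


def unix_date(data: bytes) -> datetime:
    """32-bit little-endian signed seconds since the Unix epoch (assumption: signed time_t)."""
    (secs,) = struct.unpack("<i", data[:4])
    return UNIX_EPOCH + timedelta(seconds=secs)


def unix_text_date(text: bytes) -> datetime:
    """The same value carried as decimal ASCII digits."""
    return UNIX_EPOCH + timedelta(seconds=int(text.strip()))


def hfs_plus_date(data: bytes) -> datetime:
    """32-bit big-endian unsigned seconds since 1904-01-01 00:00:00 GMT."""
    (secs,) = struct.unpack(">I", data[:4])
    return HFS_EPOCH + timedelta(seconds=secs)


def windows_date(data: bytes) -> datetime:
    """64-bit little-endian FILETIME: 100-nanosecond intervals since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", data[:8])
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


# Constructed samples (not from the page), all encoding 2010-06-15 13:45:30.
DOS_SAMPLE = b"\xaf\x6d\xcf\x3c"                          # time 0x6DAF, date 0x3CCF
UNIX_SAMPLE = struct.pack("<i", 1276609530)
UNIX_TEXT_SAMPLE = b"1276609530"
HFS_SAMPLE = struct.pack(">I", 1276609530 + 2082844800)   # seconds from 1904 to 1970
WINDOWS_SAMPLE = struct.pack("<Q", (1276609530 + 11644473600) * 10_000_000)

if __name__ == "__main__":
    print(view_integers(b"\x01\x02\x03\x04", "16-bit"), view_integers(b"\x01\x02\x03\x04", "16-bit Big Endian"))
    for name, fn, sample in [("DOS", dos_date, DOS_SAMPLE), ("UNIX", unix_date, UNIX_SAMPLE),
                             ("HFS+", hfs_plus_date, HFS_SAMPLE), ("Windows", windows_date, WINDOWS_SAMPLE)]:
        print(name, fn(sample))
```

Note that the DOS date carries no time zone of its own; the two DOS views differ only in whether the examiner asserts that the value was written as GMT, which is a decision to record in the case notes, not something the bytes tell you.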
Windows
Windows is a parent object that contains objects representing the various file interpretations that can
be used when displaying bookmarked content.
Partition Entry displays the content of the bookmark as characters that conform to the header format
of a Windows partition entry.
DOS Directory Entry displays the content of the bookmark as characters that conform to the format of
a DOS directory entry.
Win95 Info File Record displays the content of the bookmark as characters that conform to the INFO
data structure definition.
Win2000 Info File Record displays the content of the bookmark as characters that conform to the
INFO2 data structure definition.
GUID displays the content of the bookmark as strings that conform to the Windows Globally Unique
Identifier (GUID) format.
SID displays the content of the bookmark in the Security Identifier (SID) format.
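The following Python script is an added example, not EnCase or EnScript code, showing what three of the Windows interpretations above do with raw bytes: a 16-byte MBR partition entry, a 16-byte GUID (the first three fields are stored little-endian on Windows) and a variable-length binary SID (revision, sub-authority count, 48-bit big-endian identifier authority, then little-endian sub-authorities). The DOS directory entry and INFO/INFO2 record layouts are not covered. The partition entry and GUID bytes are constructed; the SID bytes encode the well-known Administrators group SID S-1-5-32-544.

```python
import struct
import uuid

# Well-known MBR partition type bytes (a small subset).
PARTITION_TYPES = {
    0x00: "Empty", 0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def _chs(raw: bytes) -> tuple:
    """Decode a 3-byte CHS field into (cylinder, head, sector): 10-bit cylinder, 6-bit sector."""
    head, sec, cyl_low = raw
    return (((sec & 0xC0) << 2) | cyl_low, head, sec & 0x3F)


def parse_partition_entry(data: bytes) -> dict:
    """Interpret 16 bytes as an MBR partition table entry."""
    if len(data) < 16:
        raise ValueError("partition entry needs 16 bytes")
    status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", data[:16])
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "chs_start": _chs(chs_start),
        "chs_end": _chs(chs_end),
        "lba_start": lba_start,
        "sector_count": sectors,
    }


def parse_guid(data: bytes) -> str:
    """Interpret 16 bytes as a Windows GUID; uuid handles the little-endian first three fields."""
    if len(data) < 16:
        raise ValueError("GUID needs 16 bytes")
    return "{%s}" % str(uuid.UUID(bytes_le=data[:16])).upper()


def parse_sid(data: bytes) -> str:
    """Interpret a binary SID and render it in S-R-I-S... form; raises ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("SID header needs 8 bytes")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid SID header")
    if len(data) < 8 + 4 * count:
        raise ValueError("SID truncated")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:8 + 4 * count])
    # Authorities that do not fit in 32 bits are written in hex, per Microsoft's convention.
    auth_text = str(authority) if authority < 2**32 else "0x%012X" % authority
    return "S-%d-%s" % (revision, "-".join([auth_text] + [str(s) for s in subs]))


def is_valid_sid(data: bytes) -> bool:
    """True when the bytes parse as a complete, well-formed SID."""
    try:
        parse_sid(data)
        return True
    except ValueError:
        return False


# Constructed samples (not from the page).
MBR_ENTRY_SAMPLE = bytes.fromhex("80 202100 07 feffff 00080000 00f81f00")
GUID_SAMPLE = bytes.fromhex("33221100 5544 7766 8899aabbccddeeff")
SID_SAMPLE = bytes.fromhex("01 02 000000000005 20000000 20020000")  # S-1-5-32-544

if __name__ == "__main__":
    print(parse_partition_entry(MBR_ENTRY_SAMPLE))
    print(parse_guid(GUID_SAMPLE))
    print(parse_sid(SID_SAMPLE))
```

The length and header checks matter in practice: a bookmark placed a few bytes off the true start of a structure will often still decode to something that looks plausible, so a view that refuses malformed input is more trustworthy than one that silently pads.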
Styles
Use these text styles when working with non-English languages. For more information, see the chapter
Working with non-English Languages (on page 427).
Add Note Bookmark Dialog
Use the Add Note Bookmark dialog to enter the note or text contained in a note bookmark. A note
bookmark can contain up to 1000 characters. You can format the bookmark content as a whole. A note
bookmark can annotate another existing bookmark, or add descriptions of events you want to include
in a report.
Notes contains up to 1000 characters.
Show in report when checked, the content of the note bookmark appears in the Report tab of the Table
pane.
Formatting contains the formatting controls for all characters that comprise the content of the note.
Bold makes all content of the note appear in bold.
Italic makes all content of the note appear in italics.
Increase font size sets the font size of all the content of the note.
Increase text indent sets the text indent of all of the text blocks in the note.
Bookmark Folder Information/Structure Dialog
Use the Bookmark Folder Structure dialog to determine whether and how much device information to
include in the folder structure bookmark you are creating.
Include Device Information includes folder structure information.
Columns specifies the number of columns of folder structure information.
Destination Folder displays the Bookmarks tree, so you can navigate to the destination folder.
Bookmark Data Dialog for Files
Use the Bookmark Data dialog for files when creating notable files and file group bookmarks. The
dialog lets you:
Add a short comment to the bookmark
Create a folder
Add a folder comment
Bookmark Selected Items appears when multiple files are selected on the Table pane. When checked,
the selected files are bookmarked as one or more file group bookmarks, and the Folder Comment field is
disabled. When Bookmark Selected Items is cleared, only the single file highlighted in the Table pane is
bookmarked, as a notable file; any other selected files are not bookmarked.
Create new bookmark folder determines whether a new folder is created, and whether Folder Name
and Folder Comment are displayed.
Folder Name contains the filename for the new bookmark folder.
Folder Comment contains the comment describing the bookmarked files that the new folder contains.
Comment contains a short comment when using this dialog to create a notable file bookmark.
Destination Folder displays the Bookmarks tree so the destination folder can be selected.
Creating a Bookmark
You can create these types of bookmarks:
Highlighted Data
Notes
Folder Structure
Notable File
File Group
Log Record
EnScript