EnCase Forensic Version 6.11 User's Guide

EnCase Forensic Version 6.
11
User's Guide
Copyright2008GuidanceSoftware,Inc.Allrightsreserved.
EnCase,EnScript,FastBloc,GuidanceSoftwareandEnCEareregisteredtrademarksor
trademarksownedbyGuidanceSoftwareintheUnitedStatesandotherjurisdictionsandmay
notbeusedwithoutpriorwrittenpermission.Allothermarksandbrandsmaybeclaimedasthe
propertyoftheirrespectiveowners.
Nopartofthisdocumentmaybecopiedorreproducedwithoutthewrittenpermissionof
GuidanceSoftware,Inc.Productsandcorporatenamesappearinginthismanualmayormay
notberegisteredtrademarksorcopyrightsoftheirrespectivecompanies,andareusedonlyfor
identificationorexplanationintotheownersbenefit,withoutintenttoinfringe.Anyuseand
duplicationofthismaterialissubjecttothetermsofthelicenseagreementbetweenyouand
GuidanceSoftware,Inc.Exceptasstatedinthelicenseagreementorasotherwisepermitted
underSections107or108ofthe1976UnitedStatesCopyrightAct,nopartofthispublication
maybereproduced,storedinaretrievalsystemortransmittedinanyformorbyanymeans,
electronic,mechanical,photocopying,recording,scanningorotherwise.Productmanualsand
documentationarespecifictothesoftwareversionsforwhichtheyarewritten.Forpreviousor
outdatedmanuals,productreleaseinformation,contactGuidanceSoftware,Inc.at
http://www.guidancesoftware.com.Specificationsandinformationcontainedinthismanualare
furnishedforinformationaluseonly,andaresubjecttochangeatanytimewithoutnotice.
Contents
CHAPTER 1 Introduction
15
Introduction................................................................................................................................................... 16
CHAPTER 2 New Features
17
LEFEFSEncryptionEnhancement............................................................................................................. 18
WinEn............................................................................................................................................................. 18
SnapshottoDBModuleSet......................................................................................................................... 19
LotusNotesLocalDatabaseEncryption.................................................................................................... 19
EnCaseExaminerSupportforMicrosoftVista ......................................................................................... 19
64BitEnCaseServlet.................................................................................................................................... 19
SendtoHBGaryResponderEnScript ........................................................................................................ 20
CHAPTER 3 Installing EnCase Forensic
21
TheEnCaseInstaller ..................................................................................................................................... 22
MinimumRequirements ........................................................................................................................ 22
InstallingtheExaminer........................................................................................................................... 23
InstalledFiles ........................................................................................................................................... 25
UninstallingtheExaminer ..................................................................................................................... 26
ReinstallingtheExaminer ...................................................................................................................... 28
InstallingSecurityKeys ............................................................................................................................... 29
TroubleshootingSecurityKeys ................................................................................................................... 29
ObtainingUpdates........................................................................................................................................ 30
ConfiguringYourEnCaseApplication...................................................................................................... 30
CaseOptionsTab .................................................................................................................................... 32
GlobalTab ................................................................................................................................................ 33
ColorTab .................................................................................................................................................. 35
FontsTaboftheOptionsDialog ........................................................................................................... 36
EnScriptTab............................................................................................................................................. 38
StoragePathsTab .................................................................................................................................... 39
SharingConfigurationFiles......................................................................................................................... 40
VistaExaminerSupport ............................................................................................................................... 40
DisablingMicrosoftWindowsVistaUserAccountControl ............................................................. 41
Runninga32bitApplicationona64bitPlatform .................................................................................. 43
CHAPTER 4 Using LinEn
45
Introduction................................................................................................................................................... 46
ViewingtheLicenseforLinEn.................................................................................................................... 46
CreatingaLinEnBootDisc.......................................................................................................................... 47
ConfiguringYourLinuxDistribution ........................................................................................................ 48
ObtainingaLinuxDistribution ............................................................................................................. 48
i
EnCaseForensicVersion6.11UsersGuide
Contents
LinEnSetUpUnderSUSE ..................................................................................................................... 49
LinEnSetUpUnderRedHat ................................................................................................................ 49
PerformingAcquisitionswithLinEn ......................................................................................................... 50
SetupforaDrivetoDriveAcquisition ................................................................................................ 50
DoingaDrivetoDriveAcquisitionUsingLinEn .............................................................................. 51
AcquiringDeviceConfigurationOverlays(DCO)andHostProtectedAreas(HPA)................... 54
AcquiringaDiskRunninginDirectATAMode ................................................................................ 54
ModeSelection......................................................................................................................................... 55
DoingaCrossoverCablePrevieworAcquisition .............................................................................. 56
HashingtheSubjectDriveUsingLinEn .................................................................................................... 58
CHAPTER 5 Navigating the EnCase Interface
59
TheMainWindow ........................................................................................................................................ 60
SystemMenu ........................................................................................................................................... 61
FileMenu.................................................................................................................................................. 62
EditMenu................................................................................................................................................. 63
Copy/UnErase.......................................................................................................................................... 64
ViewMenu............................................................................................................................................... 66
TheTreePaneanditsTabandSubTabMenus.................................................................................. 70
TheTablePaneanditsTabBarandViewMenu................................................................................ 71
TablePaneMenu..................................................................................................................................... 72
TheViewPaneanditsTabBarandViewMenu ................................................................................ 73
ViewPaneMenu ..................................................................................................................................... 74
TheFilterPaneanditsTabBarandViewMenu ................................................................................ 75
FilterPaneMenu ..................................................................................................................................... 76
AutoFit..................................................................................................................................................... 76
ToolsMenu............................................................................................................................................... 77
HelpMenu ............................................................................................................................................... 78
Toolbar...................................................................................................................................................... 80
Panes ......................................................................................................................................................... 82
PanesintheAnalysisCycle ................................................................................................................... 83
PanesasSeparateWindows .................................................................................................................. 84
PaneFeatures ........................................................................................................................................... 86
PaneTabBarandPaneTabBarMenu ................................................................................................. 87
TabRightClickMenu ............................................................................................................................ 88
IndividualPanes...................................................................................................................................... 88
TreePane .................................................................................................................................................. 89
TablePane ................................................................................................................................................ 91
SortingaTable ......................................................................................................................................... 92
FiltersPane............................................................................................................................................... 93
FilteringEffectsinTablePane ............................................................................................................... 94
ViewPane................................................................................................................................................. 96
StatusLine ................................................................................................................................................ 96
PanesandtheirSpecificTabs ...................................................................................................................... 98
TreePaneTabs......................................................................................................................................... 99
TablePaneTabs ....................................................................................................................................... 99
TableTabColumns ............................................................................................................................... 102
ii
Contents
FiltersPaneMenu.................................................................................................................................. 105
ViewPaneTabs ..................................................................................................................................... 106
TheTextTab........................................................................................................................................... 109
TheHexTab ........................................................................................................................................... 110
TheDocTab ........................................................................................................................................... 111
TheTranscriptTab ................................................................................................................................ 112
ThePictureTab...................................................................................................................................... 112
TheReportTab ...................................................................................................................................... 113
TheConsoleTab .................................................................................................................................... 114
TheDetailsTab ...................................................................................................................................... 114
TheOutputTab ..................................................................................................................................... 115
NavigatingtheTreePane .......................................................................................................................... 115
OpeningandClosingFolderswithExpand/Contract...................................................................... 116
ExpandAll.............................................................................................................................................. 116
ContractAll............................................................................................................................................ 117
DisplayingTreeEntryInformationforOneBranch......................................................................... 118
DisplayingExpandedTreeEntryInformation.................................................................................. 119
SelectingTreeEntriesforOperations ................................................................................................. 120
UsingtheDixonBox ............................................................................................................................. 121
ModifyingtheTablePane.......................................................................................................................... 122
ShowingColumns................................................................................................................................. 123
HidingColumns.................................................................................................................................... 125
AutoFitAllColumns ........................................................................................................................... 125
FittingColumnstoData ....................................................................................................................... 125
ResettingColumns ................................................................................................................................ 126
SettingaLockonColumns .................................................................................................................. 126
ExcludingSearchHits........................................................................................................................... 127
DeletingItems........................................................................................................................................ 128
Filters....................................................................................................................................................... 129
CreatingaFilter ..................................................................................................................................... 130
EditingaFilter ....................................................................................................................................... 131
RunningaFilter..................................................................................................................................... 132
CombiningFilters.................................................................................................................................. 134
AND/ORFilterLogic ............................................................................................................................ 135
ChangingFilterOrder .......................................................................................................................... 135
TurningFiltersOff ................................................................................................................................ 136
DeletingaFilter ..................................................................................................................................... 137
ImportingFilters.................................................................................................................................... 137
ExportingFilters .................................................................................................................................... 137
Conditions .............................................................................................................................................. 138
CreatingConditions.............................................................................................................................. 139
EditingConditions ................................................................................................................................ 141
RunningConditions.............................................................................................................................. 142
ImportingConditions ........................................................................................................................... 143
ExportingConditions ........................................................................................................................... 144
Queries.................................................................................................................................................... 145
GalleryTab............................................................................................................................................. 146
iii
Contents
ViewingMoreColumns ....................................................................................................................... 146

ViewingFewerColumns...................................................................................................................... 146
ViewingMoreRows ............................................................................................................................. 147
ViewingFewerRows............................................................................................................................ 147
TimelineTab .......................................................................................................................................... 147
ModifyingtheViewPane .......................................................................................................................... 148
Copy........................................................................................................................................................ 148
Goto......................................................................................................................................................... 148
Find ......................................................................................................................................................... 149
CHAPTER 6 Case Management
151
OverviewofCaseStructure....................................................................................................................... 152
CaseManagement ................................................................................................................................. 152
ConcurrentCaseManagement............................................................................................................ 153
IndexingaCase ..................................................................................................................................... 153
CaseFileFormat .................................................................................................................................... 154
CaseBackup........................................................................................................................................... 155
TheOptionsDialog ............................................................................................................................... 155
CaseRelatedFeatures ................................................................................................................................ 157
LogonWizard ........................................................................................................................................ 158
LogonWizardUsersPage.................................................................................................................... 159
UsersRightClickMenu ....................................................................................................................... 159
BrowseforFolderDialog ..................................................................................................................... 160
SAFEPageoftheLogonWizard......................................................................................................... 161
SAFERightClickMenu ....................................................................................................................... 161
BrowseforFolderDialog ..................................................................................................................... 162
EditSAFEDialog................................................................................................................................... 163
NewCaseWizard ....................................................................................................................................... 166
RolePageoftheNewCaseWizard .................................................................................................... 167
CaseOptionsPageoftheNewCaseWizard..................................................................................... 168
AddDevice............................................................................................................................................. 168
UsingaCase ................................................................................................................................................ 169
ModifyingCaseRelatedSettings ........................................................................................................ 169
TimeZoneSettings................................................................................................................................ 170
CaseFileTimeZones ............................................................................................................................ 171
EvidenceFileTimeZones .................................................................................................................... 172
SettingTimeZonesSettingsforCaseFiles ........................................................................................ 172
SettingTimeZoneOptionsforEvidenceFiles.................................................................................. 173
GeneralTimeZoneNotes .................................................................................................................... 174
FAT,HFSandCDFSTimeZoneSpecifics ......................................................................................... 174
TimeZoneExample .............................................................................................................................. 175
OpenaCase ................................................................................................................................................. 175
SavingaCase............................................................................................................................................... 176
SavingaCase ......................................................................................................................................... 176
SavingaCaseWithaNewNameorNewLocation......................................................................... 176
SavingaCaseandtheGlobalApplicationFiles ............................................................................... 177
CloseCase .................................................................................................................................................... 177
iv
Contents
CHAPTER 7 Working with Evidence
179
Overview...................................................................................................................................................... 180
TypesofEntries ..................................................................................................................................... 180
EnCaseEvidenceFiles .......................................................................................................................... 180
LogicalEvidenceFiles .......................................................................................................................... 181
RawImageFiles..................................................................................................................................... 181
SingleFiles.............................................................................................................................................. 181
SupportedFileSystemsandOperatingSystems.................................................................................... 182
UsingSnapshots.......................................................................................................................................... 182
GettingReadytoAcquiretheContentofaDevice ................................................................................ 183
Previewing ............................................................................................................................................. 183
LiveDeviceandFastBlocIndicators................................................................................................... 184
PreviewingtheContentofaDevice ................................................................................................... 184
AddDeviceWizard .............................................................................................................................. 185
SourcesPageoftheAddDeviceWizard ........................................................................................... 186
SessionsSourcesPageoftheAddDeviceWizard............................................................................ 188
ChooseDevicesPageoftheAddDeviceWizard ............................................................................. 190
PreviewDevicesPageoftheAddDeviceWizard............................................................................ 192
AddingaDevice.................................................................................................................................... 193
CompletingtheSourcesPage .............................................................................................................. 194
CompletingtheSessionsSourcesPage .............................................................................................. 195
CompletingtheChooseDevicesPage................................................................................................ 195
CompletingthePreviewDevicesPage .............................................................................................. 196
Acquiring ..................................................................................................................................................... 196
TypesofAcquisitions ........................................................................................................................... 197
DoingaTypicalAcquisition ................................................................................................................ 197
AcquisitionWizard ............................................................................................................................... 198
AfterAcquisitionPage ......................................................................................................................... 199
SearchPage ............................................................................................................................................ 201
OptionsPage.......................................................................................................................................... 204
AcquisitionResultsDialog................................................................................................................... 206
OpeningtheAcquisitionWizard ........................................................................................................ 207
SpecifyingandRunninganAcquisition ............................................................................................ 208
CompletingtheAfterAcquisitionPageoftheAcquisitionWizard............................................... 209
CompletingtheSearchPageoftheAcquisitionWizard.................................................................. 210
CompletingtheOptionsPageoftheAcquisitionWizard ............................................................... 212
CancelinganAcquisition ..................................................................................................................... 213
AcquiringaLocalDrive ....................................................................................................................... 214
AcquiringDeviceConfigurationOverlays(DCO)andHostProtectedAreas(HPA)................. 214
UsingaWriteBlocker ........................................................................................................................... 215
WindowsbasedAcquisitionswithFastBlocWriteBlockers .......................................................... 215
AcquiringinWindowsWithoutaFastBlocWriteBlocker.............................................................. 217
WindowsbasedAcquisitionswithanonFastBlocWriteBlocker ................................................. 217
PerformingaDrivetoDriveAcquisitionUsingLinEn ................................................................... 218
AcquiringaDiskRunninginDirectATAMode .............................................................................. 219
AcquiringaPalmPilot ......................................................................................................................... 220
v
Contents
LeavingConsoleMode......................................................................................................................... 222
AcquisitionTimes ................................................................................................................................. 223
AcquiringNonlocalDrives................................................................................................................. 223
WhentouseaCrossoverCable........................................................................................................... 223
PerformingaCrossoverCablePrevieworAcquisition ................................................................... 223
AcquiringDiskConfigurations ........................................................................................................... 225
SoftwareRAID....................................................................................................................................... 225
WindowsNTSoftwareDiskConfigurations .................................................................................. 226
DynamicDisk ........................................................................................................................................ 227
HardwareDiskConfiguration ............................................................................................................ 228
DiskConfigurationSetAcquiredasOneDrive................................................................................ 228
DiskConfigurationsAcquiredasSeparateDrives ........................................................................... 229
ValidatingParityonaRAID5 ............................................................................................................ 230
RAID10 .................................................................................................................................................. 230
AcquiringVirtualPCImages .............................................................................................................. 230
CDDVDInspectorFileSupport ......................................................................................................... 230
AcquiringSlySoftCloneCDImages ................................................................................................... 230
AcquiringaDriveSpaceVolume......................................................................................................... 231
AcquiringFirefoxCacheinRecords................................................................................................... 232
ReacquiringEvidence ........................................................................................................................... 233
ReacquiringanEvidenceFile .............................................................................................................. 233
AddingRawEvidenceFiles................................................................................................................. 234
RemoteAcquisition .................................................................................................................................... 235
RemoteAcquisitionMonitor ............................................................................................................... 237
SettingUptheStorageMachine.......................................................................................................... 238
Hashing ........................................................................................................................................................ 240
HashingtheSubjectDriveUsingLinEn............................................................................................. 240
HashingtheSubjectDriveOncePreviewedorAcquired ............................................................... 241
LogicalEvidenceFiles ................................................................................................................................ 242
CreateLogicalEvidenceFileWizard.................................................................................................. 243
SourcesPage .......................................................................................................................................... 244
TheOutputsPageoftheCreateLogicalEvidenceFile .................................................................... 245
CreatingaLogicalEvidenceFile......................................................................................................... 246
RecoveringFolders ..................................................................................................................................... 247
RecoverFoldersonFATVolumes ...................................................................................................... 248
RecoveringNTFSFolders..................................................................................................................... 248
RecoveringUFSandEXT2/3Partitions.............................................................................................. 250
RecoveringFoldersfromaFormattedDrive..................................................................................... 250
RecoveringPartitions ................................................................................................................................. 250
AddingPartitions.................................................................................................................................. 251
DeletingPartitions ................................................................................................................................ 253
RestoringEvidence ..................................................................................................................................... 254
Physicalvs.LogicalRestoration.......................................................................................................... 254
PreparingtheTargetMedia................................................................................................................. 254
PhysicalRestore..................................................................................................................................... 255
LogicalRestore ...................................................................................................................................... 258
BootingtheRestoredHardDrive ....................................................................................................... 258
vi
Contents
IftheRestoredDiskDoesNotBoot .................................................................................................... 259
SnapshottoDBModuleSet....................................................................................................................... 260
InitializingtheDatabase....................................................................................................................... 260
ChoosingDatabaseSources ................................................................................................................. 261
MaintainingtheDatabase .................................................................................................................... 262
UpdatingtheDatabase ......................................................................................................................... 263
SpecifyingDatabaseContent............................................................................................................... 265
GeneratingReportsontheDatabase .................................................................................................. 266
UsingtheSnapshotDBReportsDialog ............................................................................................. 268
WinEn........................................................................................................................................................... 270
RunningWinEn ..................................................................................................................................... 271
CommandLineOptions....................................................................................................................... 272
ConfigurationFile ................................................................................................................................. 273
ConfigurationFileNotes...................................................................................................................... 274
PromptforValue................................................................................................................................... 274
ErrorHandling ...................................................................................................................................... 274
AdditionalWinEnInformation ........................................................................................................... 274
CHAPTER 8 Viewing File Content
277
ViewingFiles ............................................................................................................................................... 278

CopyingandUnerasingFilesandFolders ........................................................................................ 279
CopyandUneraseFeatures................................................................................................................. 279
Copy/UnEraseWizard.......................................................................................................................... 280
FileSelectionPageoftheCopy/UnEraseWizard ............................................................................. 281
OptionsPageoftheCopy/UnEraseWizard ...................................................................................... 283
DestinationPageoftheCopy/UnEraseWizard................................................................................ 285
CopyFoldersDialog ............................................................................................................................. 286
CopyingandUnerasingFiles .............................................................................................................. 288
CompletingtheFileSelectionPage .................................................................................................... 289
CompletingtheOptionsPage.............................................................................................................. 290
CompletingtheDestinationPage ....................................................................................................... 290
CopyingandUnerasingBookmarks .................................................................................................. 290
CopyingFolders .................................................................................................................................... 291
FileViewers ................................................................................................................................................. 292
FileViewerFeatures ............................................................................................................................. 292
NewFileViewerDialog ....................................................................................................................... 293
ViewerFileTypeDialog....................................................................................................................... 293
AddingaFileViewertoYourEnCaseApplication.......................................................................... 294
AssociatingtheFileViewersFileTypeswiththeViewer............................................................... 295
ViewPane .................................................................................................................................................... 296
ViewingCompoundFiles .......................................................................................................................... 297
ViewingFileStructure.......................................................................................................................... 297
ViewingRegistryFiles.......................................................................................................................... 299
ViewingOLEFiles................................................................................................................................. 301
ViewingCompressedFiles .................................................................................................................. 302
ViewingLotusNotesFiles ................................................................................................................... 303
ViewingMSExchangeFiles................................................................................................................. 303
vii
Contents
ExchangeServerSynchronization....................................................................................................... 303
CleaninganEDBDatabase .................................................................................................................. 304
TestinganEDBFile............................................................................................................................... 305
RecoveringaDatabase.......................................................................................................................... 306
RepairingaDatabase ............................................................................................................................ 306
ViewingOutlookExpressEmail ......................................................................................................... 307
ViewingMSOutlookEmail ................................................................................................................. 310
ViewingMacintosh.paxFiles.............................................................................................................. 311
ViewingWindowsThumbs.db ........................................................................................................... 313
AmericaOnline.artFiles...................................................................................................................... 314
ViewingOffice2007Documents ......................................................................................................... 315
ViewingBase64andUUEEncodedFiles ................................................................................................ 316
NTFSCompressedFiles ............................................................................................................................. 318
GalleryTab .................................................................................................................................................. 318
BookmarkinganImage ........................................................................................................................ 319
ReducingtheNumberofImagesPerRow ........................................................................................ 320
IncreasingtheNumberofImagesPerRow....................................................................................... 320
ClearingtheInvalidImageCache....................................................................................................... 321
LotusNotesLocalEncryptionSupport ................................................................................................... 321
DeterminingLocalMailboxEncryption............................................................................................. 322
ParsingaLocallyEncryptedMailbox................................................................................................. 322
EncryptedBlock .................................................................................................................................... 323
DecryptedBlock .................................................................................................................................... 324
LocallyEncryptedNSFParsingResults............................................................................................. 325
CHAPTER 9 Analyzing and Searching Files
327
SignatureAnalysis ...................................................................................................................................... 328

FileSignatures ....................................................................................................................................... 328
FileSignatureswithSuffixes................................................................................................................ 329
ViewingtheFileSignatureDirectory ................................................................................................. 329
AddingaNewFileSignature .............................................................................................................. 331
EditingaSignature................................................................................................................................ 332
PerformingaSignatureAnalysis ........................................................................................................ 333
ViewingSignatureAnalysisResults(Part1)..................................................................................... 334
ViewingSignatureAnalysisResults(Part2)..................................................................................... 335
SignatureAnalysisLegend .................................................................................................................. 336
EnScriptProgrammingLanguage ............................................................................................................ 337
IncludedEnscriptComponents........................................................................................................... 337
EnScriptTypes....................................................................................................................................... 338
HashAnalysis.............................................................................................................................................. 338
FileHashing................................................................................................................................................. 339
HashaNewCase .................................................................................................................................. 339
HashSets...................................................................................................................................................... 340
CreateaHashSet .................................................................................................................................. 340
RebuildaHashLibrary ........................................................................................................................ 342
ViewingHashSearchResults .............................................................................................................. 342
KeywordSearches ...................................................................................................................................... 343
viii
Contents
CreatingGlobalKeywords .................................................................................................................. 344
AddingKeywords................................................................................................................................. 344
CreatingInternationalKeywords ....................................................................................................... 347
KeywordTester ..................................................................................................................................... 348
LocalKeywords..................................................................................................................................... 350
ImportKeywords .................................................................................................................................. 350
ExportKeywords .................................................................................................................................. 350
SearchingEntriesforEmailandInternetArtifacts........................................................................... 352
InternetHistorySearching................................................................................................................... 355
ComprehensiveInternetHistorySearch............................................................................................ 355
InternetSearching ................................................................................................................................. 356
PerformingaSearch.............................................................................................................................. 357
SearchOptions....................................................................................................................................... 357
ViewingRecordSearchHits ................................................................................................................ 359
ViewingSearchHits.............................................................................................................................. 360
ExcludeFiles .......................................................................................................................................... 360
ShowExcludedFiles ............................................................................................................................. 361
DeletingItems........................................................................................................................................ 362
ShowDeletedFiles................................................................................................................................ 363
EncodePreview........................................................................................................................................... 363
TurningOnEncodePreview ............................................................................................................... 363
Indexing ....................................................................................................................................................... 365
QueryinganIndexUsingaCondition ............................................................................................... 366
GeneratinganIndex ................................................................................................................................... 367
SearchingforEmail..................................................................................................................................... 369
WebMailParser .................................................................................................................................... 370
ExtractingEmail .................................................................................................................................... 371
SearchingEmail ..................................................................................................................................... 372
SearchingSelectedItems ...................................................................................................................... 373
ViewingAttachments ........................................................................................................................... 374
Exportto*.msg ...................................................................................................................................... 375
Exportingto*.msg................................................................................................................................. 376
AppDescriptors .......................................................................................................................................... 378
ManuallyCreateAppDescriptor........................................................................................................ 378
CreateanAppDescriptorwithanEnScriptProgram...................................................................... 380
EncryptionSupport .................................................................................................................................... 381
NSFEncryptionSupport ...................................................................................................................... 382
RecoveringNSFPasswords ................................................................................................................. 383
DiskEncryptionSupport...................................................................................................................... 384
SafeBootSetup ....................................................................................................................................... 385
ExportingaMachineProfilefromtheSafeBootServer ................................................................... 386
Authentication ....................................................................................................................................... 387
SafeBootEncryptionSupport(DiskEncryption) .............................................................................. 387
SupportedSafeBootEncryptionAlgorithms..................................................................................... 390
CREDANTEncryptionSupport(FileBasedEncryption) ............................................................... 390
SupportedEncryptionAlgorithms ..................................................................................................... 393
CREDANTEncryptionSupport(OfflineScenario) .......................................................................... 393
ix
Contents
EnablingtheForensicAdministratorRoleontheCREDANTServer ........................................... 395

S/MIMEEncryptionSupport ............................................................................................................... 395
EFSFilesandLogicalEvidence(LO1)Files ............................................................................................ 399
CHAPTER 10 Bookmarking Items
401
BookmarksOverview................................................................................................................................. 402
HighlightedDataBookmarks.............................................................................................................. 403
NotesBookmarks .................................................................................................................................. 403
FolderInformation/StructureBookmarks.......................................................................................... 404
NotableFileBookmarks ....................................................................................................................... 404
FileGroupBookmarks.......................................................................................................................... 404
SnapshotBookmarks ............................................................................................................................ 405
LogRecordBookmarks ........................................................................................................................ 405
Datamarks .............................................................................................................................................. 406
BookmarkFeatures ..................................................................................................................................... 406
BookmarkDataDialogforHighlightedDataBookmarks............................................................... 407
BookmarkContentDataTypes ........................................................................................................... 407
Text.......................................................................................................................................................... 408
Picture ..................................................................................................................................................... 408
Integers ................................................................................................................................................... 409
Dates........................................................................................................................................................ 409
Windows ................................................................................................................................................ 410
Styles ....................................................................................................................................................... 410
AddNoteBookmarkDialog ................................................................................................................ 411
BookmarkFolderInformation/StructureDialog .............................................................................. 412
BookmarkDataDialogforFiles .......................................................................................................... 413
CreatingaBookmark.................................................................................................................................. 414
CreatingaHighlightedDataBookmark ............................................................................................ 415
CreatingaNotesBookmark................................................................................................................. 416
CreatingaFolderInformation/StructureBookmark ........................................................................ 417
CreatingaNotableFileBookmark...................................................................................................... 418
CreatingaFileGroupBookmark ........................................................................................................ 419
CreatingaLogRecordBookmark....................................................................................................... 420
CreatingaSnapshotBookmark........................................................................................................... 421
CreatingaDatamarkasaBookmark.................................................................................................. 422
UsingBookmarks........................................................................................................................................ 422
EditingaBookmark .............................................................................................................................. 423
BookmarkEditingDialogs................................................................................................................... 424
EditHighlightedDataBookmarksDialog......................................................................................... 425
EditNoteBookmarksDialog............................................................................................................... 426
EditFolderInformation/StructureBookmarksDialog .................................................................... 426
EditNotableFileBookmarksDialog .................................................................................................. 427
EditSnapshotBookmarksDialog ....................................................................................................... 427
EditLogRecordBookmarksDialog ................................................................................................... 428
EditDatamarksDialog ......................................................................................................................... 428
EditBookmarkFolderDialogs ............................................................................................................ 429
EditFolderDialog ................................................................................................................................. 430
x
Contents
UsingaFoldertoOrganizeaBookmarksReport ............................................................................. 431
OrganizingBookmarks......................................................................................................................... 432
CopyingaTableEntryintoaFolder................................................................................................... 433
MovingaTableEntryintoaFolderUsingtheRightClickDragMethod .................................... 434
MovingaTableEntryorFolderintoaFolderUsingtheDragMethod ........................................ 435
BookmarkReportsandReporting ...................................................................................................... 435
ViewingaBookmarkontheTableReportTab ................................................................................. 436
CustomizingaReport........................................................................................................................... 437
ExcludingBookmarks........................................................................................................................... 438
ExcludeFileBookmarks ....................................................................................................................... 438
ExcludeFolder ....................................................................................................................................... 439
ShowExcluded ...................................................................................................................................... 441
CHAPTER 11 Reporting
443
Reporting ..................................................................................................................................................... 444

CreatingaReportUsingtheReportTab ................................................................................................. 444
EnablingorDisablingEntriesintheReport...................................................................................... 445
ReportSingleFiles................................................................................................................................. 445
ReportMultipleFiles ............................................................................................................................ 446
ChangingReportSize ........................................................................................................................... 447
ViewingaBookmarkReport ............................................................................................................... 447
EmailReport .......................................................................................................................................... 448
InternetReport....................................................................................................................................... 449
CreatingaWebmailReport ................................................................................................................. 449
AlternativeReportMethod.................................................................................................................. 450
SearchHitsReport ................................................................................................................................ 451
QuickEntryReport ............................................................................................................................... 453
CreatinganAdditionalFieldsReport ................................................................................................ 454
ExportingaReport ................................................................................................................................ 455
CreatingaReportUsingCaseProcessor ................................................................................................. 456
CHAPTER 12 Working with Non-English Languages
457
WorkingwithNonEnglishLanguages ................................................................................................... 458

NonEnglishLanguageFeatures .............................................................................................................. 459
TheOptionsDialogFontTab .................................................................................................................... 460
UnicodeFonts ........................................................................................................................................ 461
TextStyles .............................................................................................................................................. 461
NewTextStylesDialog ........................................................................................................................ 462
NewTextStylesDialogAttributesTab.............................................................................................. 462
NewTextStylesDialogCodePageTab............................................................................................. 464
ConfiguringNonEnglishLanguageSupport ........................................................................................ 465
ConfiguringInterfaceElementstoDisplayNonEnglishCharacters ............................................ 466
ConfiguringtheKeyboardforaSpecificNonEnglishLanguage.................................................. 467
EnteringNonEnglishContentwithoutUsingNonEnglishKeyboardMapping....................... 468
CreatingandDefiningaNewTextStyle ........................................................................................... 469
CreatingNonEnglishKeywords........................................................................................................ 471
xi
Contents
TestingaNonEnglishKeyword......................................................................................................... 473
QueryingtheIndexforNonEnglishContent................................................................................... 474
BookmarkingNonEnglishLanguageText ....................................................................................... 475
ViewingUnicodeFiles.......................................................................................................................... 476
ViewingNonUnicodeFiles................................................................................................................. 477
AssociatingCodePages........................................................................................................................ 477
CHAPTER 13 EnScript Analysis
479
EnScriptAnalysis........................................................................................................................................ 480
EnterpriseEnScriptPrograms................................................................................................................... 481
DocumentIncident................................................................................................................................ 482
MachineSurveyServletDeploy.......................................................................................................... 484
QuickSnapshot...................................................................................................................................... 488
RemoteAcquisitionMonitor ............................................................................................................... 488
SnapshotDifferentialReport ............................................................................................................... 489
SweepEnterprise................................................................................................................................... 490
ForensicEnScriptCode ........................................................................................................................ 491
CaseProcessor ....................................................................................................................................... 492
CaseProcessorModules....................................................................................................................... 494
FileMounter........................................................................................................................................... 495
CompoundFiles .................................................................................................................................... 497
MountingCompoundFiles.................................................................................................................. 497
IndexCase .............................................................................................................................................. 497
ScanLocalMachine............................................................................................................................... 498
WebmailParser...................................................................................................................................... 498
EnScriptExampleCode ............................................................................................................................. 499
COMFolderEnScriptCode ................................................................................................................. 499
EnScriptDebugger ................................................................................................................................ 500
HelpforEnScriptModules .................................................................................................................. 502
EnScriptFileMounter........................................................................................................................... 503
IncludeEnScript .................................................................................................................................... 504
EnScriptHelp......................................................................................................................................... 505
EnScriptTypes....................................................................................................................................... 505
Packages ....................................................................................................................................................... 505
PackageFeatures ................................................................................................................................... 505
NewPackageDialog............................................................................................................................. 506
PackagePanel ........................................................................................................................................ 506
PropertiesPanel..................................................................................................................................... 507
CreateLicenseDialog ........................................................................................................................... 508
UsingaPackage..................................................................................................................................... 509
CreatingaPackage................................................................................................................................ 509
EditingaPackage .................................................................................................................................. 510
BuildingaPackage................................................................................................................................ 510
CreatingaLicense ................................................................................................................................. 510
RunningaPackage................................................................................................................................ 511
SendToHBGaryResponderEnScript ..................................................................................................... 511
xii
Contents
CHAPTER 14 Using EnCase Tools
515
Toolbar ......................................................................................................................................................... 516

ToolsMenu .................................................................................................................................................. 517
EnScriptProgramsShortcutSubmenu............................................................................................... 518
WipeDrive ............................................................................................................................................. 518
VerifyingEvidenceFiles....................................................................................................................... 521
CreatingaLinEnBootDisc .................................................................................................................. 522
Options ................................................................................................................................................... 523
CHAPTER 15 Glossary of Terms
525
CHAPTER 16 Guidance Software
535
LegalNotification ....................................................................................................................................... 536

Support......................................................................................................................................................... 537
ReferenceManualsandReleaseNotes............................................................................................... 537
TechnicalSupport ................................................................................................................................. 538
CustomerService................................................................................................................................... 543
Training .................................................................................................................................................. 543
ProfessionalServices............................................................................................................................. 544
Index
545
xiii
CHAPTER 1
Introduction
In This Chapter
Introduction
15
16
Introduction
ThankyouforpurchasingyourGuidanceSoftwareapplication.Younowowntheworlds
leadingtechnologyforcomputerandenterpriseinvestigation.Thisapplicationisjustoneofthe
manycourtvalidatedGuidanceSoftwaresolutionsusedbygovernmentagencies,corporate
organizations,andlawenforcementinvestigatorsaroundtheworld.
GuidanceSoftwaresolutionsprovideanenterpriseinvestigativeinfrastructurethatenables
corporations,governmentandlawenforcementagenciestoconducteffectivedigital
investigations,respondpromptlytolargescaledatacollectionneeds,andtakedecisiveactionin
responsetoexternalattacks.
GuidanceSoftwareproductshavechangedthelandscapebyprovidingcomplete,immediate
responseandcomprehensive,forensiclevelanalysisofinformationfoundanywhereona
computer.Theseproductsarescalableplatformsthatintegrateseamlesslywithexistingsystems
tocreateaninvestigativeinfrastructure.
CHAPTER 2
New Features
In This Chapter
LEF EFS Encryption Enhancement 17
WinEn 18
Snapshot to DB Module Set 19
Lotus Notes Local Database Encryption
19
EnCase Examiner Support for Microsoft Vista

64-Bit EnCase Servlet
19
Send to HBGary Responder EnScript
20
19
18
LEF EFS Encryption Enhancement

ThereweredifferentscenariosfrompreviousEnCaseversionsforaddingEFSfilestoalogical
evidence(L01)case:
1. Thefileisencryptedandthe$EFSstreamismissingfromthesamefolderwithintheL01:the
filecannotbedecrypted.
2. Thefileisencryptedandthe$EFSstreamisinthesamefolder:thefilecanbedecrypted
(exceptfortheremainderofthefile,ifany).
3. Thefileisdecryptedandthe$EFSstreamisinthesamefolder:thefilewillbedecrypted
twice.Thefileisdecryptedandthe$EFSstreamismissing:thefileremainsdecrypted.
twice.
Alloftheabovescenariosarenowhandledgracefullybecausethe$EFSstreamisadded
internally.
WinEn
WinEnisastandalonecommandlineutilitythatcapturesthephysicalmemoryonalive
computerrunningaWindowsoperatingsystem(Windows2000orhigher).Thephysical
memoryimagecapturedbyWinEnisplacedinastandardevidencefile,alongwiththeuser
suppliedoptionsandinformation.
WinEnrunsfromacommandpromptonthecomputerwhereyouwanttocapturethememory.
WinEnhasaverysmallfootprintinmemory,anditistypicallyrunfromaremovabledevice
suchasathumbdrive.Althoughthismethodmakesminorchangestothecomputerrunning
WinEn,thisisthemosteffectivewaytocapturephysicalmemorybeforeshuttingdowna
computer.
NewFeatures
19
Snapshot to DB Module Set

ThisscripttakessnapshotsofnodesacrossanetworkandstoresthesnapshotsinaSQL
database.Italsoreadsfromthedatabasetocreatereportsonthesnapshotstaken.Itallowsfor
minimalmaintenanceonthedatabasesothatyoucancontroltheamountofdatastored.
ThreeEnScriptsworkwiththedatabasetoperformtheirtasks:
InitializeDatabase.EnScript
SnapshottoDB.EnScript
SnapshotDBReports.EnScript
Lotus Notes Local Database Encryption

EnCasecannowdecryptalocalLotusNotesusermailbox(NSFfilesuffix).Thelocalmailboxisa
replicaofthecorrespondingencryptedmailboxontheDominoserver.

EnCaseExaminernowsupportstheWindowsVistaoperatingsystem.
EnCasemustrunasanadministratortoaccessthelocalVistacomputer.
64-Bit EnCase Servlet

EnCasenowincludesaservletforthe64bitversionsofWindowsXP,2003,andVistaoperating
systems.
If not installed as a service, you must Run as Administrator.
20
Send to HBGary Responder EnScript

ThisEnScriptpassesamemoryobjectgatheredbyEnCasetoHBGarysRespondersoftware.
EnScriptdropsthephysicalevidencedeviceinformation,byteforbyte,intoaflatfileandsends
ittoResponder.
CHAPTER 3
Installing EnCase
Forensic
In This Chapter
The EnCase Installer 21
Installing Security Keys
29
Troubleshooting Security Keys

Obtaining Updates
29
30
Configuring Your EnCase Application

Sharing Configuration Files
40
Vista Examiner Support
40
30
Running a 32-bit Application on a 64-bit Platform
43
22
The EnCase Installer

TheEnCaseinstallercopiestheprogramanditsdriverstotheenduserscomputerorclientand
initializesdriversandserviceswiththeoperatingsystem.
TheinvestigatorcanselectwheretoinstalltheEnCaseExaminer.ThedefaultistheProgram
Filesfolder.Ifaselecteddirectoryexists,theinstalleroverwritesanyexistingprogramfiles,logs,
anddrivers.
Minimum Requirements
Forbestperformance,examinationcomputersshouldbeconfiguredwithatleastthefollowing
hardwareandsoftware:
AnEnCasesecuritykey(alsoknownasadongle)
Certificatesforallpurchasedmodules(knownascerts)
AcurrentversionofEnCaseExaminer
PentiumIV1.4GHzorfasterprocessor
OneGBofRAM
Windows2000,XPProfessional,or2003Server
55MBoffreeharddrivespace
Theprogramalsosupportsthe64bitversionofWindows.
Note: Intel Itanium processors are not supported.
Note: FastBloc SE supports only the USB interface with the 64-bit version.
InstallingEnCaseForensic
23
Installing the Examiner

IfyouareusingLocalProcessing,installtheprogrambyinsertingtheCDintoaplayerand
waitingforautostart.Dothisforeachclient.IfareusingTerminalServices,installtheprogram
usingtheAdd/Removeprogramswizardontheapplicationserver.
Onceinstallationbegins,awizarddisplays:
Note: C:\Program Files\EnCase6 is the install path default.
1. EnteraninstallationpathoracceptthedefaultandclickNext.
2. ReadandagreewiththeEnCaseLicenseAgreementandclickNext.
3. ClickNext
24
4. SelectRebootLaterorRebootNowandclickFinish.
25
Installed Files
Duringinstallation,theprogramcopiesitselfandacollectionofassociatedfilestothetarget
directory.
Theinstallerplacesastartupicononthedesktop.Inaddition,anumberoffoldersandfilesare
installedinthetargetfolderduringinstallation.
Certs Folder
EnCase.pcert
Config Folder
AppDescriptors.ini
FileSignatures.ini
FileTypes.ini
Filters.ini
Keywords.ini
Profiles.ini
TextStyles.ini
Storage Folder
CaseReport.ini
CompromiseAssessmentModule.ini
DifferentialReport.ini
SweepEnterpriseWEbReport.ini
Forensic EnScript Component Folder
CaseProcessor.EnScript
FileMounter.EnScript
IndexCase.EnScript
ScanLocalMachine.EnScript
WebmailParser.EnScript
26
Uninstalling the Examiner

Theuninstallerworksonlyonidenticalsoftwareversions.
Havebackupsofevidenceandcasefilespriortomakinganymodificationstoany
softwareonanexaminationmachine.Anupdateoftheprogramisalsorequired.
CloseanyrunningversionsoftheEnCaseprogram,insertthesoftwaresinstallation
mediaandwaitfortheinstallertocomeonline.
1. OpenWindowsControlPanelanddoubleclickChangeorRemovePrograms.
2. SelecttheEnCaseversionbeingremovedandclickChange/Remove.
TheEnCaseuninstallwizardrunsandthefirstscreendisplays
3. EnterornavigatetothesoftwareslocationintheInstallPathfield.Thedefaultis
C:\Program Files\Encase6.
4. ClickNext.TheEnCaseuninstallwizardruns.
5. ClickNext.
Page2oftheuninstallwizarddisplays.
6. SelectUninstallandclickNext.Progressshowsonthedialog.
7. Whenthecompletionnotificationdisplays,clickFinish.
27
28
Softwareisremovedandpage3oftheuninstallwizarddisplays.
8. SelectRebootLaterorRebootNowandclickFinish.
Reinstalling the Examiner

Note: Reinstall does not overwrite existing user files.
Reinstallrefreshescertainfilesandsettingsandisavariationoftheinstallprogram.
Reinstallcreatesanewlogfileandreinstallsthefollowingitems:
Applicationfiles
Registrykeys
Userfilesthatdonotexist
29
Installing Security Keys

NASprovideslicensingtotheclientseliminatingtheneedforsecuritykeysonclientmachines,
however,youmuststillinstallthesecuritykeydriversforyourSAFEmachine.
Beforeyoubegin,ensureyourEnCaseapplicationisclosed.
To install your security keys:
1. InserttheinstallationCDROM.
2. Ifautorunisenabled,thesplashscreenappears.
3. Clickthesecuritykeydriverslink.
4. ClickNextwhenHASPinstallationwizarddisplays.
5. ClickNextwhenthesummarydisplays.
6. ClickFinishwhentheinstallationiscomplete.
7. InsertthesecuritykeyandWindowswillfindthesecuritykey.
8. OpentheEnCaseapplication.
Note: If the security key is inserted before clicking Finish, the drivers will not be installed properly.
Remedy this condition by reinstalling the driver with the security key removed.
Troubleshooting Security Keys

Installationisusuallytroublefree,butifthereareproblemswithinstallation,gotothe
troubleshootingpage
http://www.guidancesoftware.com/support/articles/articles.asp
(http://www.guidancesoftware.com/support/articles/articles.asp)onourWebsite.
Navigatetothemessageboardtoresearchyourproblem.
30
Obtaining Updates
Version6isthelatestandmostcurrentversionofthesoftwaresuite.Updatescontainingnew
andupgradedfeatures,however,arepublishedonaregularbasis.
Toprotectyourchainofcustodyandtoensureyouhavethelatestupdatesinstalled,itis
importanttoensuretheinstalledprogramisuptodate.
SeetheDownloadstopicintheEnCaseEnterpriseAdministrationGuideformoreinformationon
obtainingsoftwareupdates.
Configuring Your EnCase Application

YoucanconfigurevariousaspectsoftheEnCaseapplicationaccordingtoyourneedsor
preferences.ThesesettingsareusedeachtimeyoustartEnCase.Youarenotrequiredtoopena
case.Whenacaseisopen,aCasesOptionstabdisplaysintheOptionsdialog.
31
To configure EnCase:
1. ClickTools>Options.TheOptionsdialogappears.
2. Clickthedesiredtabandchangethesettingsasneeded,thenclickOK.
Note: Some changes made to the options settings take effect when you restart EnCase. Some
take effect immediately.
TheOptionsdialogcontainsthefollowingtabs:
CaseOptions
Global
Colors
Fonts
EnScriptPrograms
StoragePaths
TheCaseOptionstabdisplaysonlywhenacaseisopen.
32
Case Options Tab

TheCaseOptionstabcontainssettingsthatapplytotheopencase.
Namecontainsthenameofthecaseassociatedwiththecaseoptionssetonthistab.Thecase
nameisusedasthedefaultfilenamewhenthecaseissaved.Thefilenamecanbechangedwhen
thefileissaved.
ExaminerNamecontainsthenameoftheuseractingastheinvestigator.
DefaultExportFoldercontainsthepathandnameofthefolderwherefilesareexported.
TemporaryFoldercontainsthepathandnameofthefolderwheretemporaryfilesarecreated.
IndexFoldercontainstheindexfileforanyindexedfileorcollectionoffiles.
Global Tab
TheGlobaltaboftheOptionsdialogcontainssettingsthatapplytoallcases.
33
34
AutoSaveMinutes(0=None)containsthenumberofminutesthatconstitutetheinterval
betweenautomaticsavesofcasefiles.Theautomaticallysaveddataiswrittento*.CBAKfiles.
UseRecycleBinforCasesdetermineswhetherbackupfilesaremovedtotherecyclebinandnot
overwrittenwhenafileisautomaticallysaved.
EnablePictureViewerdetermineswhetherthepictureviewerisusedforgraphicsofthe
appropriateformats.
EnableARTandPNGImageDisplaydetermineswhetherARTandPNGimagefilesare
displayed.Whenthesefilesarecorrupted,theycancausetheprogramtocrash,sothissetting
enablesyoutolimittheimpactofcorruptedARTandPNGfiles.
FlagLostFilesdetermineswhetherlostclustersaretreatedasunallocatedspace.Doingso
decreasestheamountoftimerequiredtoaccesstheevidencefile.Whenselected,alllostclusters
appearinthedisktabasunallocatedclusters.
EnablePicturesinDocViewdetermineswhetherpicturesthatarenativelydisplayedby
EnCasedisplayusingOracleOutsideIntechnologyintheDoctaboftheViewpane.
InvalidPictureTimeout(seconds)containstheamountoftimetheprogramattemptstoreada
corruptimagefilebeforetimingout.Whenthereadtimesout,thecorruptfileissenttothecache
andnoattemptismadetoreaditagain.
DateFormatincludestheseoptions:
MM/DD/YY(forexample,06/21/08)
DD/MM/YY(forexample,21/06/08)
Otherenablesyoutospecifyyourowndateformat.
CurrentDaycontainsthecurrentdateinthespecifieddateformat.
TimeFormatincludestheseoptions:
12:00:00PMdetermineswhetheratwelvehourclockisthebasisofthetimeformat.
24:00:00determineswhetheratwentyfourhourclockisthebasisofthetimeformat.
Otherenablesyoutospecifyyourowntimeformat.
CurrentTimecontainsthecurrenttimeinthetimeformatselected.
ShowTruecontainsthesymbolindicatingavalueoftrueintablecolumnsdisplayedinthe
TabletaboftheTablepane.
ShowFalsecontainsthesymbolusedindicatingavalueoffalseintablecolumnsdisplayedinthe
TabletaboftheTablepane.
35
BackupFilescontainthemaximumnumberoffilesstoredasbackupfileswhenacaseissaved.
DebugLoggingcontainsthevarioussettingsthatdeterminewheredebuggingislogged.
Color Tab
Thistabenablesyoutoassociatecolorswithvariouscaseelements.
Figure2
DefaultColorscontainsalistofcaseelementsthatcanbeassociatedwithacolor.Double
clickingonalistedelementopenstheColorPalettedialogsoyoucanchooseandassociatea
colorwiththelistedcaseelement.
36
Fonts Tab of the Options Dialog

Thistabenablesyoutoassociatefontswithvariouscaseelements.
37
DefaultFontscontainsalistofcaseelementsthatyoucanassociatewithafont.Doubleclicking
onalistedelementopenstheFontdialogsoyoucanchooseandassociateafontwiththelisted
caseelement.Thefontcanbedefinedintermsof:
Font
Fontstyle
Size
Script
Thescriptattributeenablesyoutoselectthecharactersetused.
38
EnScript Tab
ThistabenablesyoutospecifythelocationoftheincludefileslibraryusedbyEnScript
programs.
IncludePathdisplaysthepathandnameofthefolderthatcontainstheincludefileslibrary.
39
Storage Paths Tab

ThestoragepathstabcapturespathsusedforseveralfilesusedbytheEnCaseapplication.
Thepictureshowsstoragepathdefaultsettings.Youcanchangetheindex,cache,andbackup
foldersbyenteringanewpathorbynavigatingtoandselectingthedesiredfolder.
Inthe.inifilesbox,youcanchangean.inifolderslocationandselectwhetheritiswritable.
40
Sharing Configuration Files

Customizationcanbesharedamonginvestigatorsassignedtoaninvestigation.EachoftheseINI
filesispopulatedbycustomizationstheinvestigatormakeswhilesearchingforevidence.The
keywordandfilesignaturefilesmaybeofparticularinterest.Thesecaseelementsare
distributedbysharing.INIfiles.
Theapplicationmustbeinstalledontherecipientmachines.
To share startup files:
1. ClickTools>Options>StoragePath.
TheStoragePathtaboftheOptionsdialogdisplays.
2. DoubleclickontherowcontainingthedesiredINIfile.
TheEdit<.inifilename>dialogopenscontainingthepathtotheinifile.
3. Tonavigatetothe.INIfile,copythepathtothe.INIfileandpasteitintoWindows
Explorer.
4. Copythefileanddistributeitasdesired.
Vista Examiner Support

EnCasemustrunasanadministratorinordertoaccessthelocalVistacomputer.
1. StartEnCase.
2. VistadisplaysapromptwiththeheadingAnunidentifiedprogramwantsaccesstoyour
computer:
41
3. ClickAllow.
Vistadoesnotallowdraganddropbetweenapplicationswithdifferentsecuritylevels.You
mustdisabletheUserAccountControl(UAC)todragfilestoEnCasefromtheWindowsshell.
Fordetails,seeDisablingMicrosoftWindowsVistaUserAccountControl(onpage41).
Disabling Microsoft Windows Vista User Account Control

YoucanusetheUserAccountControl(UAC)securityfeatureinMicrosoftWindowsVistato
performcommontasksasanonadministrator(calledstandarduser)andasanadministrator
withouthavingtoswitchusers,logoff,oruseRunAs.
InpriorversionsofWindows,themajorityofuseraccountswereconfiguredasmembersofthe
localadministratorsgroupbecauseadministratorprivilegesarerequiredtoinstall,update,and
runmanysoftwareapplicationswithoutconflictsandtoperformtypicalsystemleveltasks.
WithUACenabled,youcanrunmostapplications,components,andprocesseswithalimited
privilege,buthaveelevationpotentialforspecificadministrativetasksandapplicationfunctions.
To disable UAC, you must be logged on with a credential that is a member of the local administrator group.
1. FromtheStartmenu,selectControlPanel.
42
2. IntheControlPanelHomewindow,enterUACinthesearchfield.TheUserAccounts
optionautomaticallydisplaysunderthesearchfield.
3. IntheControlPanelHomewindow,selectTurnUserAccountControl(UAC)onoroff.
4. TheUserAccountControlmessagedisplays,promptingyoutocontinueorcancel.
5. ClickContinue.
6. IntheTurnUserAccountControlOnorOffwindow,cleartheoptionforUseUser
AccountControl(UAC)tohelpprotectyourcomputer,thenclickOK.
43
7. Amessagedisplayspromptingyoutorestartyourcomputertoapplythesechanges.
ClickRestartNoworRestartLatertoclosetheUserAccountsTaskwindow.
Running a 32-bit Application on a 64-bit Platform

Therearelimitationsinrunninga32bitapplication(forexample,EnCase,SAFE,orServlet)ona
64bitplatform.Youwillonlygetbasicsnapshotinformationsuchasportsorprocesses.Forfull
results,youmustruntheapplicationonthecorrectplatform.
CHAPTER 4
Using LinEn
In This Chapter
Introduction
45
Viewing the License for LinEn

Creating a LinEn Boot Disc
46
47
Configuring Your Linux Distribution 48

Performing Acquisitions with LinEn 50
Hashing the Subject Drive Using LinEn
58
46
Introduction
TheLinEnutilityrunsontheLinuxoperatingsystemandfacilitatesthefollowingfunctions:
Performingdrivetodriveacquisitions
Performingcrossoveracquisitions
LinEnrunsindependentlyoftheLinuxoperatingsystemthusimprovingacquisitionspeeds,and
runsin32bitmode(ratherthan16bitmode).BecauseLinuxprovidesgreaterdevicesupport,
LinEncanacquiredatafromalargersetofdevices.
Aswithotheroperatingsystems,topreventinadvertentdiskwrites,modificationstothe
operatingsystemneedtobemade.Linuxtypicallyhasafeaturecalledautofsinstalledby
default.Thisfeatureautomaticallymounts,andthuswritesto,anymediumattachedtothe
computer.Instructionsinthischapterdescribehowtodisablethisfeaturetoprotecttheintegrity
ofyourevidence.
Viewing the License for LinEn

LinEnmustberunning,andyoumustbeontheLinEnmainscreen.
To view the license for LinEn:
1. PressL.
Thelicensedisplays.
2. PressEnter.
TheLinEnmainscreendisplays.
UsingLinEn
47

IfyouwanttorunLinEnonthesubjectmachine,youneedtocreateaLinEnbootdisc.When
youcreateaLinEnbootdisc,itisimportanttochooseaLiveLinuxdistribution,asthesetypes
ofdistributionsaredesignedtorunstraightfromtheCDorDVDanddonotinstallthemselves
onthesubjectmachine.
YoumusthaveanISOimageoftheliveLinuxdistributionyouwanttouse,suchasKnoppix.
Knoppixisoneofthepopularlivedistributions.
Note: As it is not practical to modify the settings of a live Linux distribution, ensure that the live distribution
does not automatically mount detected devices.
TocreateaLinEnBootdisc
1. UsingyourEnCaseapplicationontheinvestigatorsmachine,clickTools>CreateBoot
Disc.
TheChooseDestinationpageoftheCreateBootDiskwizarddisplays.
2. ClickISOImage,andclickNext.
TheFormattingOptionspageoftheCreateBootDiskwizarddisplays.
3. ProvideapathandfilenametotheISOimageyoudownloadedearlier,optionallyclick
AlterBootTable,andclickNext.
TheCopyFilespageoftheCreateBookDiskwizarddisplays.
4. RightclickintherightpaneoftheCopyFilespage,andclickNew.
Thefilebrowseropens.
5. EnterorselectthepathtotheLinEnexecutable,normallyc:\program
files\encase6\linen,clickOK,thenclickFinish.
TheCreatingISOprogressbardisplaysontheCopyFilespage.OncethemodifiedISO
fileiscreated,thewizardcloses.
6. BurntheISOfileontoablankCD/DVDusingtheburningsoftwareofyourchoice.For
helpwiththis,refertotheinstructionsthatcamewithyoursoftware.
YounowhaveabootdisctorunLinuxandLinEnwhileyouacquirethesubjectLinuxdevice.
48
Configuring Your Linux Distribution

BeforeLinEncanrunonLinux,youmustconfigureLinuxdistribution.Duetothenatureof
Linuxanditsdistributions,onlythefollowingstandarddistributionsarediscussed:
SUSE9.1
RedHat
Knoppix
Note: Because of the dynamic nature of Linux distributions, It is recommended that you validate your Linux
environment before using it in the field.
TheprocessdescribesanidealsetupprocessthateffectivelyrunstheLinEnapplicationina
forensicallysoundmanner.
ManydistributionsprovideautofsasthemeansautomountinganythingattachedtotheLinux
system.Itisessentialthatautofsisdisabledtopreventautomounting.
Obtaining a Linux Distribution

ALinuxdistributioncanbeobtainedfromanyLinuxvendor.
IfyouintendtouseaLinEnbootdisc,youwillneedalivedistribution,suchasKnoppix,in
ordertocreateabootdisc.IfyouintendtorunLinEnonainstalledversionofLinuxonyour
forensicmachine,werecommendusingSUSEorRedHat.
FortheLinuxdistributionsdiscussedinrelationtoLinEn,obtainadistributionfromoneofthe
following:
ForthelatestSUSEdistribution,gotothehttp://www.novell.com/linux/
(http://www.novell.com/linux/)website.
ForthelatestRedHatdistribution,gotothehttp://www.redhat.com/
(http://www.redhat.com/)website.
ForthelatestKnoppixdistribution,gotothehttp://knoppix.com/(http://knoppix.com/)
website.
UsingLinEn
49
LinEn Set Up Under SUSE

YoumustalreadyhaveSUSEinstalledonyourLinuxmachine.
1. CopytheLinEnexecutablefromC:\Program Files\EnCase6onyourWindows
machinetothedesireddirectory,/usr/local/encaseonyourLinuxmachine.
2. OpenacommandshellonyourLinuxmachine.
3. Enterchmod 777/usr/local/encase/linen.Thischangesthepermissionsonthe
LinEnexecutable,sothatitcanbeexecutedbyeveryone.
4. Closethecommandshell.
5. ClickMainMenu>System>Configuration>YaST.YetAnotherSetupTool(YaST)is
usedtoconfigurevarioussettingsforyourLinuxoperatingsystem.
6. OpentheRunlevelEditor.
7. Ensurethatautofsisdisabled
LinEn Set Up Under Red Hat

YoumusthaveRedHatinstalledonyourLinuxmachine.
1. CopytheLinEnexecutablefromC:\Program Files\EnCase6onyourWindows
machinetothedesireddirectory,/usr/local/encaseonyourLinuxmachine.
2. OpenacommandshellonyourLinuxmachine.
3. Enterchmod 777/usr/local/encase/linen.Thischangesthepermissionsonthe
LinEnexecutable,sothatitcanbeexecutedbyanyone.
4. Closethecommandshell.
5. ClickMainMenu>SystemSettings>ServerSettings.
6. Ensurethattheautofsisdisabled.
50
Performing Acquisitions with LinEn

TheEnCaseLinEnutilityprovidesthefollowingmethodsofacquiringevidencefromasubject
drive:
Drivetodriveacquisitions
Crossovercableacquisitions
Drivetodriveacquisitionsprovidethemeanstosafelypreviewandacquiredeviceswithout
usingahardwarewriteblocker.Drivetodriveacquisitionsuseeitherthesubjectmachineorthe
forensicmachinetoperformtheacquisitions.TheDrivetodriveacquisitionspeedcanbe
significantlyfasterthanEN.EXEandMSDOSfrompreviousversions,simplybecauseLinuxis
a32bitoperatingsystem.
Crossovercableacquisitionsrequirebothasubjectandforensicmachine.Thistypeofacquisition
alsonegatestheneedforahardwarewriteblocker;however,itlendsitselftosituationswhere
accesstothesubjectmachinesdrivearedifficultornotpractical.Thisistherecommended
methodforacquiringlaptopsandexoticRAIDarrays.ThismethodisslowerthanaDriveto
driveacquisitionbecausedataistransferredoveranetworkcable,andthusisespecially
sensitivetothespeedofthenetworkcardshousedinbothmachines.
Setup for a Drive-to-Drive Acquisition

Whenasubjectdrivefromthesubjectmachinecannotbeacquiredviaacrossovercable
acquisition,thesubjectdrivecanbeacquiredviaadrivetodriveacquisition.Drivetodrive
acquisitionscanbedoneinthefollowingways:
RunningaLinEnbootdiscontheforensicmachine
RunningtheLinEnutilityfromLinuxalreadyinstalledontheforensicmachine
RunningaLinEnbootdisconthesubjectmachine
Anyofthesecablescanbeusedasaharddiskcable:
IDECable
USBCable
Firewire
SATA
SCSI
UsingLinEn
51
Figure3 SetupsforDrivetodriveacquisitionswith1)theforensicmachine,runningLinEnfromthe
LinEnBootDisk,connectedtothesubjectharddrive;2)theforensicmachine,bootedtoLinuxand
runningLinEn,connectedtothesubjectharddrive;3)subjectmachine,runningLinEnfromtheLinEn
BootDisk,connectedtothetargetharddrive.
Doing a Drive-to-Drive Acquisition Using LinEn

OnceLinEnissetup,runLinEn,chooseAcquire,thenselectthedrivetobeacquiredandthe
storagepath.Optionally,provideadditionalmetadata.
ConfigureLinEnasdescribedinLinEnSetup,andverifythatautofsisdisabled(unchecked).
Theinvestigatorhasidentifiedthesubjectdrivetobeacquiredandthestoragedrivethatwill
holdtheacquiredevidencefile.
52
1. IftheFAT32storagepartitiontobeacquiredhasnotbeenmounted,mounttheFAT32
storagepartition.
2. NavigatetothefolderwhereLinEnresidesandtype./linenintheconsoletorunLinEn.
TheLinEnMainScreendisplays.
3. SelectAcquire.
TheAcquirescreendisplays.
4. Choosethephysicaldriveorlogicalpartitionyouwishtoacquire.
UsingLinEn
53
TheAcquireDevice<drive>dialogdisplays.
5. ForthedataelementsrequestedbytheAcquiredialog,eitheracceptthedefault,orenter
avalueorchooseoneofthealternatives,asdescribedinSpecifyingandRunningan
Acquisition.
6. PressEnter.
TheAcquireDevicedialogrequestsadditionaldatavaluesuntilalldataelementshave
beenenteredorselected.Then,theCreatingFiledialogdisplays.
7. Whentheacquisitioniscomplete,clickOK.
TheLinEnmainwindowdisplays.Thesubjecthasbeenacquiredandisstoredonthe
storagedrive.
8. Connectthestoragedrivetoinvestigatorsmachine.
9. AddtheEnCaseevidencefileusingtheSessionsSourcespageoftheAddDeviceWizard,
asdescribedinCompletingtheSessionsSourcesPage
54
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCaseapplicationscandetectandimageDCOand/orHPAareasonanyATA6orhigherlevel
diskdrive.TheseareasaredetectedusingLinEn(Linux)ortheFastBlocSEmodule.EnCase
applicationsrunninginWindowswithahardwarewriteblockerwillnotdetectDCOsorHPAs.
TheapplicationnowshowsifaDCOareaexistsinadditiontotheHPAareaonatargetdrive.
FastBlocSEisaseparatelypurchasedcomponent.
HPAisaspecialarealocatedattheendofadisk.Itisusuallyconfiguredsothecasualobserver
cannotseeit,andcanonlybeaccessedbyreconfiguringthedisk.HPAandDCOareextremely
similar;thedifferenceistheSET_MAX_ADDRESSbitsettingthatallowsrecoveryofaremoved
HPAatreboot.Whensupported,EnCaseapplicationsseebothareasiftheycoexistonahard
drive.Formoreinformation,seetheEnCaseModulesManual.
Acquiring a Disk Running in Direct ATA Mode

IftheLinuxdistributionsupportsATAmode,youwillseeaModeoption.Themodemustbeset
beforethediskisacquired.AnATAdiskcanbeacquiredviathedrivetodrivemethod.The
ATAmodeisusefulforcaseswhentheevidencedrivehasahostprotectedarea(HPA)ordrive
controloverlay(DCO).OnlyDirectATAModecanreviewandacquiretheseareas.
LinEnisconfiguredasdescribedinLinEnSetup,andautofsisdisabled(unchecked).Linuxis
runninginDirectATAMode.
To acquire a disk running in Direct ATA Mode:
1. IftheFAT32storagepartitiontobeacquiredhasnotbeenmounted,mounttheFAT32
storagepartition.
2. NavigatetothefolderwhereLinEnresidesandtype./linenintheconsole.
3. SelectMode,thenselectDirectATAMode.
ThediskrunninginATAmodecannowbeacquired.
4. ContinuethedrivetodriveacquisitionwithStep3ofDoingaDrivetoDriveAcquisition
UsingLinEn.
UsingLinEn
55
Mode Selection
LinEnstartsupinBIOSmode.Adiskacquiredinthismodereportsonlydisksizeseenbythe
BIOS.Asaresult,nodatacontainedinaDCOareseenorreported.TheModeselectioninLinEn
providesasolution.
NoticeDisk1inthefigure.Itshowsadisksizeof26.8GB.Ifthisisacquirednow,onlythat
quantityofdataisidentified.
TheLinuxdistributioninusemustsupportDirectATAmodeforthisfunctiontowork.
To test for the presence of a DCO,
1. StartLinEninthenormalmanneronacomputerthatsupportsDirectATA.Themain
screenshowsaModebutton.
2. EnterMtoselectMode.Asecondscreendisplaysofferingthreeacquisitionselections:
BIOS
ATA
Cancel
3. EnterAtoselectATAMode.
56
IfaDCOispresentonthedisk,theoriginalLinEnscreenreportsthecorrectdisksizeand
thecorrectnumberofsectors.Disk1inthefollowingillustrationshowsthetruedisksize,
75.5GB.
Acquirethediskaccordingtoprotocol.
Doing a Crossover Cable Preview or Acquisition

YouhaveaLinEnbootdisk.
Theinvestigatorhasidentifiedthesubjectdrivetobeacquired.
To do a crossover cable acquisition
1. BootthesubjectmachinefromtheLinEnbootdisk.
2. Connecttheforensicmachinetothesubjectmachineusingacrossovercable.
3. InLinux,ensurethatthesubjectmachinehasanIPaddressassignedandaNICcard
loadedappropriatelybytypingifconfig eth0,thenifnoIPaddressisassigned,
assignonebytypingifconfig eth0 10.0.0.1 netmask 255.0.0.0,andcheck
theIPaddressassignmentagainbytypingifconfig eth0.
4. NavigatetothefolderwhereLinEnresidesandtype./linenintheconsoletorunLinEn.
UsingLinEn
57
5. SelectServer,andpressEnter.
ThemessageWaitingtoconnectshoulddisplay.
6. SpecifyanIPaddressof10.0.0.1ontheforensicmachineforthesubjectmachine.
7. LaunchtheEnCaseapplicationontheforensicmachine.
8. Createanewcase,oropenanexistingcase.
9. RightclickontheDevicesobject,andclickAddDevice.
10. SelectNetworkCrossover,andclickNext.
11. SelectthephysicaldiskorlogicalpartitiontoacquireorpreviewandclickNext.
12. ClickFinish.
Thecontentsoftheselecteddevicereachedthroughthenetworkcrossoverconnectionare
previewed.Toacquirethecontent,performanacquisitionasdescribedinSpecifyingand
RunninganAcquisition
58

Thisallowstheinvestigatortoknowthehashvalueofthedrive.
LinEnisconfiguredasdescribedinthesetuptopics,andautofsisdisabled.
Theinvestigatorhasidentifiedthesubjectdrivetobehashed.
To perform a hash using LinEn
2. SelectHash.
TheHashdialogdisplays.
3. Selectadrive,andclickOK.
TheStartSectordialogdisplays.
4. AcceptthedefaultorenterthedesiredStartSector,andclickOK.
TheStopSectordialogdisplays.
5. AcceptthedefaultorenterthedesiredStopSector,andclickOK.
The(HashResults)dialogdisplays.
6. Ifyouwantthehashresulttobewrittentoafile,clickYes.
Ifyouaresavingthehashvaluetoafile,theSaveHashValuetoaFiledialogdisplays;
otherwise,theLinEnMainScreendisplays.
7. Enterthepathandfilenameofthefilethatwillcontainthehashvalue,andclickOK.
Thehashvalueissaved,andtheLinEnMainScreendisplays.
Ahashvalueiscalculatedfortheselectedsectorsoftheselectedfile.Youcansavethishash
valuetoafile.
CHAPTER 5
Navigating the EnCase

Interface
In This Chapter
The Main Window
60
Panes and their Specific Tabs
Navigating the Tree Pane
115
Modifying the Table Pane
122
Modifying the View Pane
148
98
60
The Main Window

BeginusingtheEnCaseapplicationinthemainwindow.
Themainwindoworganizestheapplicationsfeatures.Featuresaccessiblefromthemain
windowarerunfromthesystemmenu,thetoolbar,andvariousrightclickmenus.Asthe
applicationruns,astatusmessagedisplaysinthestatuslineatthebottomofthewindow.
Themainwindowconsistsofa
Systemmenu
Toolbar
Windowcontainingpanes
Statusline
Panesdivideandorganizethewindowandcontaintrees,tables,anddatainvarious
representations.
Figure4 TheMainWindowasitappearsinEnCaseEnterprisewithanopencase,1)indicatesthesystem
menu,2)thetoolbar,3)awindowpane,and4)thestatusline.
NavigatingtheEnCaseInterface
61
Themenus,commands,andiconsdisplayedinthetoolbarchangedependingonthecontext
configurationoftheapplication.TheLogonandLogofficons,forexample,appearinenterprise
capableapplicationsonly.TheEditmenudoesnotappearwhentheapplicationisopenedin
acquisitiononlymode,whichoccurswhentheapplicationisopenedonamachinethatdoesnot
haveadongleorappropriatelicenses.Additionalfunctionalitymodulesaddcommandsand
icons.
System Menu
ThesystemmenuorganizescommandsprovidedbytheEnCaseapplication.
Thesystemmenuappearsinthemainwindow.Thesystemmenu,alongwiththerightclick,
contextspecificmenus,providescommandstoexecuteapplicationfunctionality.
Thesystemmenucontainsthefollowingcommands:
File
Edit
View
Tools
Help
Whenclicked,thecommandsinthesystemmenudisplaythecorrespondingmenu.TheEdit
menudoesnotdisplayinacquisitionmode,althoughtheEditcommandalwaysdisplaysinthe
systemmenu.
Someofthecommandsinthemenusdisplayedbythesystemmenucommandsarecontext
dependent.Contextdependentcommandsappearinthemenus,butaredisabledunlessthe
currentapplicationcontextmakesthemavailable.
62
File Menu
TheFilemenuprovidescommandsthatmanipulateapplicationfilesandglobalapplication
settings.
Youcan
createnewcasefiles
openexistingcasefiles
savecasefilesandglobalsettings
printthecontentsoffiles
adddevicestocases
addrawimagestocases
exittheapplication
YoumayseedifferentoptionsontheFilemenu,dependingonyourcontext.
TheFilemenuprovidesthefollowingcommands:
NewdisplaystheCaseOptionsdialogwhereyoudefinethecaseyouwanttoadd.
OpendisplaystheOpendialogwhereyouselectapreviouslysavedcase.
Savesavesthepreviouslysavedcasefile,ordisplaystheSavedialogwhereyouenterthe
filename,path,andfiletypeforthecasefileyouwanttosave.
SaveAsdisplaystheSaveAsdialogwhereyouenterthefilename,path,andfiletypeforthe
casefileunderadifferentname.
SaveAlldisplaystheSaveAlldialogwhereyouenterthefilename,path,andfiletypefor
boththecasefileandEnCaseglobalsettings.
63
PrintdisplaysaPrintdialog,whereyoudefinetheprintsettingsforthecontent(Table,
Report,Code),dependingonwhatisdisplayedintheTablepane.
PrinterSetupdisplaysthePrintSetupdialogwhereyouselectaprinterandchooseprinter
settings.
AddDevicedisplaystheAddDevicewizardwhereyoudefinethepreviewandacquire
parametersforadevice.Thiscommandappearsinthemenuonlywhenacaseisopen.
AddRawImagedisplaystheAddRawImagedialogwhereyouselectimagefilestobe
addedtotheopencase.Thiscommandappearsinthemenuonlywhenacaseisopen.
Exitclosestheprogram.Ifcontenthaschanged,youarepromptedtosaveit.
Edit Menu
TheEditmenucommandsworkwiththeobjectsandcontentinthecurrentlyselectedtab.
Editmenucommandsarecontextspecific,changingasyoumovefromonetabtoanother,or
selectobjectsorcontentinatab.SpecificEditmenusarediscussedinsectionsdescribingthe
featuresthathaveanEditmenuassociatedwiththem.
64
TheEditmenushownhereprovidesthefollowingcommands:
ExportdisplaystheExportdialog,whereyouselectfieldsinafiletocopydatatoatextfile,
andspecifythepathforthefilecontainingthedata.
Copy/UnErasestartstheCopy/UnErasewizardforcopyingevidencefilesandfolderentries
tooneormoredestinationfiles.Thiscommanddoesnotchangetheevidencefile.
CopyFoldersdisplaystheCopyFoldersdialog,whereyoucanprocessthecontentofa
selectedfolderorfoldersinavarietyofways.
BookmarkDatadisplaystheBookmarkDatadialog,whereyoucancreateanddefineanew
databookmark.
CreateaHashSetdisplaystheCreateHashSetdialogforselectedfilesalreadyhashed.You
cannameandcategorizethehashsettobecreated.
CreateLogicalEvidenceFiledisplays,foraselectedfileorcollectionofselectedfiles,the
CreateLogicalEvidencewizard,soyoucancreateanewlogicalevidencefiletocontain
thosefiles.
MountasNetworkSharedisplaystheMountasNetworkSharedialog,soyoucanmountan
acquireddeviceasanetworkshare.ThiscommandappearsonlyiftheVirtualFileSystem
moduleisinstalled.
Expand/Contract,foraselectedobjectanywherealongthebranchofthetree,expandsthe
branchofthetree,orforafullyexpandedbranchofthetree,contractsthebranch.
ExpandAllexpandsallbranchesofthetree.
ContractAllcontractsallbranchesofthetree.
SetIncludedFoldersisatoggleswitch.ItinitiallysetsSelectAllfortheselectedobjectina
treeanditsbranches.Choosingitagainclearstheselectednodes.
IncludeSubFolderstogglesSelectAllfortheselectedobjectinatreeanditsbranches.
IncludeSingleFoldertogglesSelectAllfortheselectedobjectinatree,ignoringits
branches.
Copy/UnErase
TheCopy/UnErasecommandrecoversandunerasesfileswithbyteperbyteprecision.
To initiate Copy/UnErase:
1. ClickEdit>Copy/UnErase.
2. Selectthefileorfilestocopy.
3. Selectwhethertohaveeachrecoveredfileappearinanewfileortomergethemtoa
singlefile.
65
4. EnterareplacementcharacterforerasedFATtableentries.Thedefaultisanunderscore.
5. ClickNext.
6. TodeterminewhatistobeCopy/UnErased,dooneofthefollowing:
a. IfonlythelogicalfilesaretobeCopy/UnErased,clickLogicalFilesOnly.
b. IftheentirephysicalfileistobeCopy/UnErased,clickEntirePhysicalFile.
c. IfRAMandDiskslackaretobeCopy/UnErased,clickRAMandDiskSlack.
d. IfonlyRAMslackistobeCopy/UnErased,clickRAMSlackOnly.
7. TodeterminewhichmaskwillbeappliedtothefilenamesofCopy/UnErasedcontent,do
oneofthefollowing:
a. Fornomasking,clickNone.
b. IfnonASCIIcharactersaretobemasked,clickDonotwritenonASCII
character.
c. IfadotistobesubstitutedfornonASCIIcharacters,clickReplacenonASCII
characterswithDOT.
8. Iferrorsaretobeincluded,clickSelectShowErrors,andthenclickNext.
9. Ifadestinationfolderotherthan/Exportistobeused,selectadestinationfolder.
10. ClickFinish.
66
View Menu
TheViewmenuprovidescommandsthatdeterminethecontentsoftheEnCasewindowpanes.
Viewmenucommands:
Displayspecifictabsinthetreepane
Displaytabsthatotherwisearenotdisplayed,orthatotherwisedonotappearinthetree
pane
Togglecontrolsthatappearintabbarsandthewrappingofthetoolbar
Navigatebetweentabs,hidetabs,andcontrolthedisplayoftabswithorwithouttheir
names
Moveanytabcontainingwindowsbacktotheirusualpositioninthemainwindow
67
68
AppDescriptorsdisplaystheAppDescriptortabsinthetreepane,whichincludestheApp
DescriptorHomeandAppDescriptorsHashPropertiestabs.Bydefault,thesetabsarenot
displayed.
ArchiveFilesdisplaystheArchiveFiletabinthetreepane.Thistabdoesnotdisplayby
default.
CasesdisplaystheCasestabsinthetreepane,whichincludestheCasesHome,Cases
Entries,CasesBookmarks,CasesSearchHits,CasesRecords,CasesDevices,CasesSecure
Storage,andCasesKeywordstabs.Thesetabsdisplaybydefault.Usethiscommandifyou
previouslyclosedtheCasestab.
EncryptionKeysdisplaystheEncryptionKeystabinthetreepane.Thistabdisplaysby
default.UsethiscommandifyoupreviouslyclosedtheEncryptionKeytab.
EnScriptdisplaystheEnScripttabinthetreepane.Thistabdoesnotdisplaybydefault.
Whenthistabdisplays,theEnScripttabintheFilterspaneisclosed.
WhentheEnScripttabappearsintheFilterpane,theEnScriptprogramsareorganizedintoa
treeextendingtotheprogramsthemselves.
WhentheEnScripttabappearsintheTreepane,onlyfolderspopulatethetree,andthe
programsthemselvesappearinatableintheTablepane.
Thetablerepresentationcontainsinformationbeyondwhatisvisibleinthetree
representationintheFilterpane.
EnScriptTypesdisplaystheEnScriptTypestabinthetreepane.Itdoesnotdisplayby
default.
FileSignaturesdisplaystheFileSignaturestabinthetreepane.Itdoesnotdisplayby
default.
FileTypesdisplaystheFileTypestabintheTreepane.Itdoesnotdisplaybydefault.
FileViewersdisplaystheFileViewerstabinthetreepane.Itdoesnotdisplaybydefault.
HashSetsdisplaystheHashSettabsinthetreepane,whichincludestheHashSetsHome
andHashSetsHashItemstabs.Theydonotdisplaybydefault.
KeywordsdisplaystheKeywordstabinthetreepane.Itdoesnotdisplaybydefault.
MachineProfilesdisplaystheMachineProfilestabsinthetreepane,whichincludesthe
MachineProfilesHomeandMachineProfilesAllowedtabs.Theydonotdisplaybydefault.
PackagesdisplaysthePackagestabinthetreepane.Itdoesnotdisplaybydefault.
ProjectsdisplaystheProjectstabinthetreepane.Itdoesnotdisplaybydefault.
69
SAFEsdisplaystheSAFEstabsintheTreepane,whichincludes:
theSAFEsHome
SAFEsNetwork
SAFEsRoles
SAFEsUsers
SAFEsEvents
Theydonotdisplaybydefault.
SAFEsorCasesSubTabsdisplaysasubmenuassociatedwiththetabcurrentlydisplayed
(SAFEsorCases).Inthefigureabove,theSAFEsSubTabscommanddisplaysbecausethe
SAFEstabisdisplayedintheTreeview(notshown)IfCasesweredisplayed,thenthe
commandwouldbeCasesSubTabs.
TablePanedisplaystheTablePanemenu.
ViewPanedisplaystheViewPanemenu.
FilterPanedisplaystheFilterpanemenu.
CloseTabhidesthetabcurrentlyinuse.Oncehidden,atabcanonlyreappearifitisopened
usingthetabcommandsontheViewmenu.
ShowNametogglesthedisplayofthenameofthetabcurrentlyinuse.
PreviousTabselectsthetabtotheleftofthetabcurrentlyinuse.Whenthetabcurrentlyin
useistheleftmosttab,therightmosttabisselected.
NextTabselectsthetabtotherightofthetabcurrentlyinuse.Whenthetabcurrentlyinuse
istherightmosttab,theleftmosttabisselected.
Autofittogglesthewrappingofthetoolbar.Thetoolbarextendstotherightbeyondthetab
whenAutofitisnotselected.WhenAutofitisselected,thetoolbarwraps,sothattheentire
toolbardisplays.
ResetViewputsanytabsappearinginwindowsbackintothemainwindowintheirusual
locations.
70
The Tree Pane and its Tab and Sub-Tab Menus

SubTabmenusdisplaycommandsfortabscontainedbyparenttabs.
Whenatabcontainsothertabs,ithasaViewcommandthatdisplaysasubtabmenu.Thesub
tabmenucontainscommandsthatdisplayeachofthecontainedtabs.
Whenatabcontainsonlyoneothertab,selectingthecontainingtabisequivalenttoselectingthe
containedtab.Forexample,selectingCasesSubTabs>Bookmarksisequivalenttoselecting
CasesSubTabs>BookmarksSubTabs>Home.
ThecommandsintheSubTabmenusopentheircorrespondingtabordisplayacorresponding
SubTabmenu.
The Table Pane and its Tab Bar and View Menu
TheTablePanemenucorrespondstothetabsappearinginthetablepane.
Thetabsinthetablepanedependonthetabcurrentlyselectedinthetreepane.
71
72
Table Pane Menu

TheTablePanecommandontheViewmenudisplaystheTablePanemenu.
Thetablepanecontainsacollectionofcontextsensitivetabs.Thecontextisdrivenbythetab
displayedinthetreepane.Thetablepanemenuiscontextsensitiveaswell.
EachofthetabsintheTablepanehasacorrespondingtabintheTablepanetabbar,anda
correspondingcommandontheTablePanemenu.
TabledisplaystheTabletabinthetablepane.Itdisplaysbydefault.
ReportdisplaystheReporttabinthetablepane.Itdisplaysbydefault.
GallerydisplaystheGallerytabinthetablepane.Itdisplaysbydefault.
TimelinedisplaystheTimelinetabinthetablepane.Itdisplaysbydefault.
DiskdisplaystheDisktabinthetablepane.Itdisplaysbydefault.
CodedisplaystheCodetabinthetablepane.Itdisplaysbydefault.
73
The View Pane and its Tab Bar and View Menu
TheViewPanemenusdisplayacommandforeachofthetabsonthetablepanetabbar.
TheViewpanecontainsseveraltabs,dependingonthetabcurrentlyselectedinthetablepane.
ThetabbaralsoincludescontrolsthatappearintheViewpanemenu.
74
View Pane Menu

TheViewPanecommandontheViewmenudisplaystheViewPanemenu.
TheViewPanemenucontainscommandscorrespondingtothetabsdisplayedintheViewpane.
ClickingoneofthesecommandsdisplaysthecorrespondingtabintheViewpane.
TextdisplaystheASCIItexttabintheViewpane.
HexdisplaystheHexadecimalvaluetabintheViewpane.
DocdisplaysaWindowsdocumentrepresentation(ifpossible)intheViewpane.
TranscriptdisplaystheTranscripttabintheViewpane.
PicturedisplaysthePicturetabintheViewpane.
ReportdisplaystheReporttabintheViewpane.
ConsoledisplaystheConsoletabintheViewpane.
DetailsdisplaystheDetailstabintheViewpane.
OutputdisplaystheOutputtabintheViewpane.
LockpreventstheViewtabfromchangingthetab,basedontheentryselectedintheTable
pane.
Codepagetogglestheabilityfortheviewpanetodisplaythefileinformationusingthe
detectedCodePage.Ifnotselected,thedefaultCodePageisused.
SelectionIndicatorindicatesthenumberofselecteditemsaswellasthenumberoftotal
possibleitems.
75
The Filter Pane and its Tab Bar and View Menu
TheFilterPanemenusdisplayacommandforeachofthetabsthatappearontheFilterpanetab
bar.
TheFilterPanemenuandthetabbarfortheFilterpanedisplaycommandscorrespondingtothe
tabsappearingintheViewpane.
76
Filter Pane Menu

TheFilterPanecommandontheViewmenudisplaystheFilterPanemenu.
TheFilterPanemenucontainscommandscorrespondingtothetabsdisplayedintheFilterpane.
ClickingoneofthesecommandsdisplaysthecorrespondingtabintheFilterpane.
EnScriptdisplaystheEnScripttabintheFilterpane.
FiltersdisplaystheFilterstabintheFilterpane.
ConditionsdisplaystheConditionstabintheFilterpane.
Displayshowsactivefilters.
QueriesdisplaystheQueriestabintheFilterpane.
TextStylesdisplaystheTextStylestabintheFilterpane.
Auto Fit
Whenyouresizeawindowpanesometabsmaynotbeviewable.
Insteadofscrollingtothem,youmaywanttouseAutoFit.
TherearetwowaystoimplementAutoFit:
ClickView>AutoFit.
RightclickinthepaneandselectAutoFit.
77
Tools Menu
TheToolsmenuprovidescommandstoperformanalyticaloperations.
IndexCaseopenstheIndexCasedialog,whereyouinclude(orexclude)filesintheindexing
process.Youcanselectanoisefile,whichisalistofstopwords(wordsthatwillnotbe
indexed).
WebmailParseropenstheWebmailParserdialog,whereyouselectthewebmailvendors
whoseaccountfilesaretobeparsed.
CaseProcessorstartstheEnScriptCaseProcessorscript.Youcanalsostartitbyopeningthe
ForensicandEnterprisetreesintheFilterpaneanddoubleclicking.Theshortcuthotkeyto
startitisAlt+P.
SweepEnterprisestartstheEnScriptSweepEnterpriseEnScriptscript.Youcanalsostartit
byopeningtheForensicandEnterprisetreesintheFilterpaneanddoubleclicking.The
shortcuthotkeyisAlt+S.
SearchopenstheSearchdialog,whereyoudetermine
whichfilesaresearched
definekeywordsearches
performemailsearches
hashcomputing,and
othersearchoptions
78
LogonopenstheLogonwizard,whereyoucanlogontotheenterpriseLAN.
LogofflogsyouofftheenterpriseLAN.
WipeDriveopenstheWipeDrivewizard,whereyouselectmediayouwanttocompletely
erase.AfterusingWipeDrive,youmustformatthemedia.
VerifyEvidenceFilesopenstheVerifyEvidenceFilesbrowser,whereyouselectfilestobe
verified.VerifyingcheckstheCyclicalRedundancyCheck(CRC)valuestoensureevidence
wasnotaltered.
CreateBootDiskopenstheCreateBootDiskwizardtocreateaLinEnbootdisk.
MountasNetworkShareClientopenstheMountasNetworkSharedialog,whereyou
specifytheIPaddressoftheservertobemounted.
OptionsopenstheOptionsdialog,whereyoudefineglobalsettingsforEnCase,suchas
defaultfilelocationsforanewcase
fontstouse
highlightingcolorsseeninthetablepane
dateandtimeformats
RefreshupdatestheEnCaseviewsbasedonthecontentofthefolderdisplayedinthelistsor
trees.UsethiscommandwhenyouuseWindowstoaddfilestothefoldersofanopencase.
EnCaseisnotawareofthesechangesuntilyourefreshthelistsandtrees.
Help Menu
TheHelpmenuprovidescommandsthataccessinformationandperformtasksassociatedwith
usingyourEnCaseapplication.
UsingtheHelpmenuyoucan
displaythereadmehelpfile
registeryourapplication
findoutaboutyourapplication
getinformationaboutyourlicense,
learnwhatmodulesareinstalled,andotherinformation.
79
WhatsNewdisplaystheEnCaseReleaseNotesasahelpfile.
RegisterEnCasedisplaystheapplicationregistrationpage,whereyoucan
Findyourdongleserialnumber
IfconnectedtotheInternet,registeryourapplication
Ifnotconnectedtotheinternet,findinstructionsonhowtoregisteryourapplication
AboutEnCasetellsyouwhichversionofEnCase,andwhichmodules,youhaveinstalled.
80
Toolbar
ThetoolbarprovidesiconsforthemostfrequentlyusedEnCaseprogramfunctionality.
Thetoolbardisplaysonthemainwindow.Itcontainsiconsforperformingthemostfrequent
tasksinthecurrentapplicationmodeorcontext.WhenEnCaseopensinacquisitionmode,only
theNew,Open,Print,andRefreshiconsappearinthetoolbar.Onceacaseisopened,theAdd
Deviceiconappears.Whentheapplicationisanenterpriseapplication,theLogoniconappears,
andonceloggedon,theLogofficondisplays.
Figure5 TheMainWindowToolbarinDifferentModesandContexts,showing1)Acquisitionmode,and
therestinEnCaseEnterprise2)beforelogginginandopeningacase,3)afterlogginginandopeninga
case,4)withanacquireddeviceselectedfromtheEntriestree,and5)withanentryselectedfromthe
Entriestable.
Thereisacorrespondingmenucommandforeachtoolbaricon.
Whenthetoolbariswiderthanthemainwindow,thetoolbarwrapstoanotherline.
Someiconsareenabledonlywhentheyareuseful,suchasPrintandRefresh.
Thepanesandthetabsinthetoolbarsalsoprovidecontextdependenticonsforfunctionality,
accessedthroughcontextdependent,rightclickmenusprovidedinthosefeatures.
Figure6 AContextdependentIconandItsAssociatedRightClickMenuCommand,where1)isthe
contextfortherightclickmenu,and2)isthecorrespondingmenucommandandtoolbaricon.TheFind
commandopenstheFinddialogwhereasearchstringcanbedefinedthatsearcheswithinthecontent
highlightedintheViewpane.
81
NewdisplaystheCaseOptionswizardwhereanewcaseisdefined.
OpendisplaystheOpendialogwhereyoucanopenanexistingcase.
PrintdisplaysthePrintdialog.
Refreshupdatesalistortabletoreflectchangesmadeinthefilesystemtofilesthatdrivethe
EnCaseapplication.
Savedisplays,onceacaseisopened,theSavedialog.
AddDevicedisplays,onceacaseisopened,theAddDevicewizard,sothatadevicecanbe
previewedoracquired.
SearchdisplaystheSearchdialog,sothatevidenceassociatedwiththecasecanbesearched.
LogondisplaystheLogondialog,sothatyoucanlogontotheSAFE.Thisicononlyappears
inenterpriseapplications.
LogofflogsyouofftheSAFE.ThisicononlyappearsafteryouhaveloggedontotheSAFE.
Othericonsaredescribedinthecontextwheretheyappear.
82
Panes
MostEnCaseworkisdonefromoneofthepanesinthemaindisplay.Thecurrentdisplay
containsfourpanescontainingdifferentdataanddisplays.
Theseincludethefollowing:
Treepaneshowscaseassociateddatainatreeformat.
Tablepanepresentsatabulardatalistthatvariesdependingonvariousselections.
Viewpanepresentsfacsimilesofselecteddata.Itvariesdependingonselections.
Filterpaneshowsfilterlists.
Figure7 Panesastheyappearinthemainwndowshowing1)Treepane,2)Tablepane,3)Viewpane4)
Filterpane.
Youcanseparateeachpanefromthemainwindowanddisplaythemasindividualwindows.
83
Panes in the Analysis Cycle

Panesdriveandorganizetheevidenceanalysiscycle.
Theevidencecycleiswhereyoudefineyourinvestigationofacquiredevidence.Analysisof
evidenceiscyclical,becauseyouwillredefineselectionandprocessingasyouranalysis
requirementsevolveduringtheinvestigation.
Figure8 PanesintheAnalysisCycle,where1)containerentriesselectedintheTreepanedeterminethe
containedentriesthatappearintheTablepane,2)containedentriesselectedintheTablepanedetermine
thecontentsthatappearintheViewpane,3)optionally,filters,searches,andprocessingdefinedinthe
FilterspanenarrowthecontentsorresultsoftheanalysisthatappearintheViewpane,4)resultsofthe
currentanalysiscycle,and5)subsequentrefinementsoftheanalysis.
Thetreepaneprovidesyouwiththestartingpointoftheanalysis.Thisiswhereyouselectthe
containerentries,suchasdevicesandfoldersthatcontaintheevidenceyouwanttoexamine.
TheTablepanepresentsthecontentsoftheentriesselectedintheTreepane.Youcanrefine
entriestobeexaminedhere.
TheFilterspanegivesyouthemeanstosearch,filter,andautomatetheexaminationofthe
entriesselectedforexaminationintheTreeandTablepanes.Thisnarrowsandfocusesyour
analysiseffort.TheFilterpaneprovidestabsthatenableyoutoviewanalyticalresultsinplaces
otherthantheViewpane.
TheViewpaneprovidesvarioustoolsthathelpyouexploreandseetheresultsoftheanalysis.If
theresultsoftheanalysisaresufficientforyourpurposes,theanalysiscanmoveontoother
aspectsoftheinvestigation.Ifnot,theanalysiscanberedefinedandperformedagain.
84
Panes as Separate Windows

Theindividualpanesthatappearinthemainwindowcanbedisplayedinseparatewindows.
Inthemainwindow,eachpanehasadraghandle.Youcandragthepaneoutsidethemain
windowandthepanewillappearinasecondarywindow.Oncethreepanesaredraggedfrom
themainwindow,theremainingpanedoesnotdisplayadraghandleandremainsassociated
withthemainwindow.Thepanescannotbedraggedbackintothemainwindow.
Refreshingtheviewdisplayedinthemainwindowplacesallthepanesbackinthemain
windowintheirusuallocation.
85
Figure9 Panesappearingassecondarywindows,showingtheTreepane,Tablepane,andFilterpaneas
separatewindows.TheViewpaneappearsinthemainwindowwheretheResetviewcommandisselected
fromtheViewmenu.TheResetviewcommandputsthepanesappearinginseparatewindowsbackinto
themainwindow.
86
Pane Features
Usepanefeatureswhileworkingwithpanesandtheirtabs.
Eachpanecandisplaythesefeatures:
Tabsandtabbar
Scrollbarinthetabbarforaresizedpane
Controlsinthetabbar
Grabhandle
Figure10 PaneFeatures,where1)isaViewpane,2)isthecurrenttab,3)isthetabbar,4)isthescroll
iconfornavigatingthetabbar,sothatthetabyouwanttousecanbedisplayed,5)isthedraghandleused
todragthepaneoutofthemainwindow,soitappearsinasecondarywindow,and6)carecommands
controllingthetabbar.
Eachpanecontainsoneormoretabs.
Asthemainwindowisresized,thetabtoolbarresizescorrespondingly.Whenapaneisresized
toasizenotaswideasitstoolbar,thetabsarehiddenandascrolliconappears.Thescrollicon
letsyouscrolltotherightorleftsoyoucanviewthehiddentabs.Youcanwrapthetabs,rather
thanhavingthemhidden,byusingAutoFitontherightclickmenuofthetabtoolbar.
Thetabtoolbarmaycontaincontrolsinadditiontotabs.Thescrollbarexposesthesecontrolsas
wellastabswheneitherishidden.
87
Eachtabalsohasagrabhandleusedtomovethetaboutsidethemainwindowwhereitappears
inasecondarywindow.Oncethreetabsareremovedfromthemainwindow,thelasttabinthe
mainwindownolongerdisplaysagrabhandle,becauseitcannotberemovedfromthemain
window.
Pane Tab Bar and Pane Tab Bar Menu

Eachpanecontainsoneormoretabs.Clickingatabdisplaysdifferentcontentinthepane.Tabs
areorganizedintoatabbar.Tabsmaycontainsubtabs,andtheseareorganizedbyseparatetab
toolbars.
Eachtabbarhasitsownmenu.Themenudisplayswhenyourightclickthetabbar.
Figure11 PaneTabBarsandtheirTabBarMenus.Thetabbarshavebeendarkenedwherethemenucan
bedisplayed.Thetabshavetheirownmenus.Tabswereclosedonthesecondtabbartoshortenit.
AutoFittoggleswhetherthetabbardisplaysasasinglerowwithascrollbar,orwrappedto
multiplerowswhenthepaneisresized.
88
Tab Right-Click Menu

Eachtaborsubtabdisplaysthesamerightclickmenu.
Thismenumanagestabsandprovidesanotherwayofmovingfromonetabtoanother.Thetab
toolbarmenucommandAutoFitisalsoavailablehere.
Figure12 Therightclickmenu,where1)indicatesthatyouclosedatab,2)indicatesatabdisplayingonly
theicon,withthenamehidden,3)thePrevioustab,and4)theNexttab.
CloseTabhidesatabanditsassociateddata.Todisplaythedataafterclosingatab,usethe
Viewmenucommandassociatedwiththetab(forexample,View>CasesSubTabs>Secure
StoragereopenstheSecureStoragesubtab).
ShowNametogglesthetextdisplayingthenameofthetab.Whenthetextishidden,the
iconisstilldisplayed.Youcanshortenthecontentsofthetabbarbyhidingthenametext.
PreviousTabdisplaysthetabtotheleftofthecurrenttabonthetabbar.
NextTabdisplaysthetabtotherightofthecurrenttabonthetabbar.
AutoFittoggleswhetherthetabbarisdisplayedasasinglerowwithascrollbar,or
wrappedtomultiplerowswhenthepaneisresized.
Individual Panes
Theindividualpanesthatcomprisethemainwindoware:
Treepane
Tablepane
Viewpane
Filterspane
89
Tree Pane
TheTreepaneestablishesthecontextforallcasedataanalysis.
TheTreepaneorganizesacollectionoftabsthatcontainatreespecifictothattab.Atree
representsthehierarchicalstructureofarelatedcollectionofentriesorobjects.
Theveryfirstobjectinatreeistheroot.Folderobjectscontainotherfolderobjects.Nonfolder,
terminal,leafobjectsdonotappearinthetree.TheyappearintheTablepanewhentheir
containingfolderobjectishighlighted.
Figure13 ATreePane,asawindow,alongwithits1)tabbarsandits2)tree,whereEntriesistherootof
thetree,HunterXPisadevice,Cisavolume,andtherestofthetreeconsistsoffolders.Inthetree,4)
ApplicationDataishighlighted.Eachobjectinthetreecanconsistof5)anExpand/Collapseicon,asseen
whenexpanded,6)aSetAllicon,7)aCheckbox,8)aCategoryicon,and9)aName.
90
Asingleentryorobjectinthetreeconsistsofthefollowing:
Expand/Collapsedeterminesifthecontainedentriesorobjectsaredisplayedorarehidden.
WhereafolderobjectappearsthatdoesnothaveanExpand/Collapseicon,theentriesor
objectsitcontainsappearinthetableintheTablepane,insteadofthetree.
SetIncludedetermineswhethertheentryorobjectandtheentriesandobjectsitcontains
appearintheTablepanewheretheentriescanbeselectedforfurtheranalysisorexploration.
Checkboxenablesyoutoselecttheentryorobjectwithoutselectingtheentriesofobjectsit
contains.
Categoryindicatesthetypeofentry.
Namecontainsanddisplaysthenameoftheentryorobject.Thenamecanbehighlighted,
whichindicatesthattheentriesorobjectscontainedintheentryorobjectassociatedwiththe
nameappearintheTablepane.
Clickingonanypartofaentryorobjecthighlightsit.
91
Table Pane
TheTablepanecontainstabsthatshowyoudifferentaspectsoftheobjectsselectedintheTree
pane.
Selectingatabdeterminestherepresentationused.TheTabletaboftheTablepanedisplays
informationabouttheseentriesinanumberedtable.ExceptfortheGallerytab,thisinformation
isdescriptive,ratherthantheactualcontentoftheentries.Youcanviewandfurtherexplorethe
contentyouselectintheTablepane.
Figure14 TheTablepaneliststhedatafromtheobjectselectedintheTreepane,where1)thetabtoolbar
containstabsappropriateforthetypeofdatayouselectedintheTreepane,and2)thecolumnheaders
showyouthevaluesyoucanuseintheanalysis(forexample,acolumnheaderforfilesisFileType),3)the
numberedselectioncolumnwhereyouselectthetableentriestouseinoperations,and4)ahighlighted
entry.
92
Sorting a Table
YoucansortuptofivecolumnsofatableintheTablepane.
Youcandothisintwoways:
Doubleclickingonthecolumnheader
UsingtheSortcommandonthetablesrightclickmenu
Asingleredtriangleappearsinthecolumnheaderwhensortingasinglecolumn,andtoindicate
theprimarysortwhenyousortbymorethanonecolumn.
Tosortbymultiplecolumns,aftertheprimarysort,presstheshiftkeywhiledoubleclickingthe
desiredadditionalcolumnheaders.Tworedtrianglesappearintheheaderofthesecondcolumn
sorted.Threeredtrianglesappearforthethirdcolumnsorted,withfourinthefourth,andfive
inthefifth.
Figure15 Atablewithfivesortedcolumns,wherethecolumnsaresortedinthefollowingorder:FileType,
FileCategory,Signature,Description,andLastAccessed.
Thesemethodsworkforalltablesregardlessofwheretheyappearintheinterface,notjusttables
intheTablepane.
Filters Pane
TheFilterspanecontainthefollowingtabs:
EnScript
Filters
Conditions
Queries
TextStyles
ThesetabsorganizeanalyticprocessesappliedtotheentriesshownintheTabletab.
93
94
Filtering Effects in Table Pane

Whenafilterisrun,aqueryiconappearsonthemainmenubar,andthefilterresultsshowin
theTablepane.
TheQueryiconinthetopmenubarappearswiththefilterresults.Whentheiconshowsagreen
+,filteredlistsappear.Ifmorethanonefilterhasbeenrun,itsnameappears,withORedlogic,in
thetablesFiltercolumn.
Whenclicked,theQueryiconchangesitsappearanceanditsassociatedlistcontents.Asyoucan
seebelow,theiconnowhasasign.Inthisstate,thelistshowselectedevidencefilesand
filteredfiles.
95
Hereisatabledisplaywiththequeryinthestate.
96
View Pane
TheViewpanecontainstabsthatdisplaydifferentviewsoftheentryhighlightedintheTable
pane.
TheViewpanetabsdisplaythecontentoftheentryhighlightedintheTablepaneindifferent
ways.Someofthetabsaremoreappropriatethanothersforcertainkindsofdata.
Figure16 TwoViewpanesshowingtwowaystoviewthecontent:(top)theHextaband(bottom)theText
tab,where1)arethetabtoolbars,2)isthehexadecimalviewintheHextab,and3)isthetextviewofthe
sameobject,and4)isthetextintheTexttab.Noticethatthetextrepresentationsin3)and4)arethe
same.
Status Line
Thestatuslineprovidesdetailsonthephysicalandlogicaldrivelocationofaselection.
Thestatuslinedisplaysatthebottomofthemainwindow.
Figure17 TheStatusLine,where1)isthestatusline,and2)isthecursorintheViewpane,drivingthe
contentofthestatusline.
97
ThefilebeingexaminedinyourEnCaseapplicationdrivessomeofthestatuslinecontent.The
locationofthecursorinthecontentofthefilebeingexaminedandcontentselectedbythecursor
alsodrivessomeofthestatuslinecontent.
Thestatuslinecontentofthefilebeingexaminedincludes:
Nameofthecase
Nameofthedevice
Nameofthevolume
Pathtothefile
Filename
Thestatuslinecontentrelativetothebeginningofthefilebeingexaminedincludes:
Physicalsector(PS)displaysthesectornumberofthephysicalsectorrelativetothe
beginningofthephysicaldisk
Logicalsector(LS)displaysthesectornumberofthelogicalsectorrelativetothe
beginningofthelogicaldisk
Clusternumber(CL)displaystheclusternumber
Thestatuslinecontentrelativetothelocationofthecursorwithinthefilebeingexamined
includes:
Sectoroffset(SO)displaysthenumberofsectors,inbytes,betweenthestartofthecluster
andthecurrentcursorlocation
Fileoffset(FO)displaysthenumberofbytesbetweenthestartofthefileandthecurrent
cursorlocation
Length(LE)displaysthelength,inbytes,ofthecontentcurrentlyselectedbythecursor
98
Figure18 Statuslineelementsfromdrivegeometry,where1)isthecontentofafilefromstarttoendof
file(EOF),2)sectors,3)clusters,4)widthofthecursor.Noticethatthephysicalsector(PS)valueandthe
logicalsector(LS)sectorvaluearedifferent,butaddressthesamelocation.
Panes and their Specific Tabs

Thepanesthatcomprisethemainwindoworganizecollectionsoftabs.
Theyinclude:
Treepanetabs
Tablepanetabs
Viewpanetabs
Filterspanetabs
99
Tree Pane Tabs

TheTreepanecontainstabswithtreesdisplayingmanyoftheelementsorobjectsusedinyour
EnCaseapplication.
Eachtabcontainsatreedisplayingacollectionofelementsinahierarchy.Forexample,
keywordsyoudefineappearintheKeywordstab.Keywordsassociatedwiththecurrently
openedcasesappearintheCasesKeywordstab.
Theelementsfoundinthesetreeshaveuniquerightclickmenus.TheEditmenumatchesthe
rightclickmenuofthecurrentlyselectedelementorobject.
Table Pane Tabs

TheTablepanedisplaystabsthatprovidedifferentviewsoftheentriesselectedintheTreepane.
ThecontextestablishedbytheentriesintheTreepanedeterminewhattabsappearintheTable
pane.TheTable,Report,andCodetabsappearinalmostallcontexts.Entriesthatinvolvetime
canappearinaTimelinetab.Whereimagecontentisinvolved,theGallerytabisamongthetabs
thatdisplay.
100
Figure19 TabsthatdisplayintheTablepane,asdeterminedbytheTreetabdisplayedintheTreepane.
Grayvaluesmeanthattabisavailableforuse.Whitevaluesmeanthatthetabisnotavailableforuse.
Contentdisplayedinthesetabsisdeterminedbyselectionsmadeinthetreeofthetabdisplayed
intheTreepane.
WhentheTextStylestabdisplaysintheTreepane,andyouselecttherootoftheTextStylestree,
theTabletaboftheTablepanedisplaysatablecontainingthesamefoldersdisplayedinthetree.
Whenaparticularfolderisselectedinthetree,thecontentsofthatfolderappearintheTabletab
oftheTablepane.
101
Figure20 TablePanecontext,where1)theobjectselectedinthetreeontheTextStylestaboftheTree
panedetermines2)thecontentdisplayedinthetableintheTabletaboftheTablepane.
102
Table Tab Columns

Tabletabcolumnsareactivatedordeactivatedbyrightclickingthetabletab,selectingShow
Columnsandselectingdesiredcolumns.Bydefault,allcolumnsareselected.
Thefigurebelowshowseachcolumnheader.Inordertofitthemintothedocumenttheyare
stacked.IntheEnCaseTablepane,youscrollhorizontallyacrossthepanetoseethem.Youcan
draganddropcolumnstoarrangethemaccordingtoyourneeds.Eachisdescribedbelow.
103
Nameisthenameoftheentry.Iconstotheleftofthefilenameindicatethetypeofentry,
suchasdevice,folder,ordocument.
Filterdisplaysthenameofthesavedfilteroptionsifthefilesmeetthecriteriaset.
InReportindicateswhetherornottheitemappearsinthereport.Toincludethefileina
report,rightclicktheInReportcolumnandselectInReport,orselecttheentryandpress
Ctrl+R.Toincludemorethanoneentryinthereport,selecteachoneinthefirstcolumn
checkbox,thenrightclicktheInReportheaderandselectInReport.
FileExtdisplaysafilesextension,suchas.exe,.jpg,or.doc.
FileTypenamesthefiletype.ThesoftwaregeneratesthisinformationfromtheFileTypes
tableusingthefilesextension.WhenyourunaSignatureAnalysis,thisinformationis
generatedfromthefilesidentifying(header)informationinsidethefile.
FileCategoryclassifiestheentryasWindows,database,picture,etc.
Signatureidentifiesthefilebyheader,notfileextension.SeeAnalyzingandSearchingFiles,
formoreinformationonusingfilesignatures.
Descriptiongivesashortexplanationoftheentry(alsoindicatedbytheicontotheleftofthe
filename).
IsDeleteddisplaysTRUEifthefileisdeletedbutnotemptiedfromtheRecycleBin.
LastAccesseddisplaysthedateofthelastactivityofthefile.Afiledoesnothavetobe
alteredfortheLastAccesseddatetochangeonlyaccessed.Anyactivity(suchasviewing,
dragging,orevenrightclicking)maychangetheLastAccesseddate.Thelastaccesseddate
mayalsochangeifthefileisaccessedbyaprogramsuchasaviruschecker.
FileCreatedisarecordofwhenaparticularfilewascreatedatthatlocation.Ifafileisedited
andchangedonJanuary3,thencopiedtoafloppydisketteonJanuary15,andthatfloppy
disketteisacquiredonJanuary28,theentryshowsthatthefileonthefloppydiskwas
createdafteritwaslastwrittentooraccessed.
LastWrittendisplaysthelastdateandtimeafilewasopened,edited,andthensaved.Ifa
fileisopenedthenclosed,butnotaltered,theLastWrittendatedoesnotchange.
EntryModifiedreferstothefileentrypointeranditsinformation,suchasfilesize.Ifafile
waschangedbutitssizenotaltered,theEntryModifieddatedoesnotchange.
FileDeletedshowsthedeletiontimeanddate.IfanentryinanINFO2fileonanNTFS
volumehasadeleteddate,TRUEappearsintheIsDeletedcolumn.
FileAcquireddisplaysthedateandtimetheevidencefile,inwhichtheselectedfileresides,
wasacquired.
LogicalSizedisplaysthebytesizeofthefile.
InitializedSizeisthesizeofthefilewhenitisopened.ThisappliesonlytoNTFSfile
systems.
104
PhysicalSizeistheclustersizeoccupiedbythefile,thatisthephysicaldiskspaceusedby
thefile.Givenaclustersizeof4096bytes,thephysicalsizeofanyfilewithalogicalsizeless
than4096byteshasaphysicalsizeof4096bytes.Afilewithjustonemorebyte,4097bytes,
forexample,requirestwoclusters,or8,192bytesofphysicaldiskspace.The4095byte
differenceinthesecondclusteriscalledslackspace.
StartingExtentshowsthestartingclusterofeveryfileinthecase.Theformatdisplayedis
evidencefilenumber,logicaldriveletter,clusternumber.Forexample,astartingextentof
1D224803meansthatthefileisonthesecondevidencefile(countingbeginsatzero),onthe
logicalD:\drive,atcluster224803.
FileExtentsliststhenumberofextentsafragmentedfileoccupiesonadrive.Toview
extents,clickthecolumnvalueofthefilebeingexamined,andselecttheDetailstabofthe
Reportpane.YoucanalsoselectthefileinTablepane,thenselecttheFileExtentssubtab,
abovetheTreepane.
Permissionsdisplayssecuritysettingsofafileorfolder.TRUEindicatesasecuritysettingis
applied.Toviewsecuritysettings,selecttheentryandclickontheDetailstabinthelower
pane.OryoucanselectthefileintheEntriestable,thenselecttheView>CasesSubTabs>
EntriesSubTabs>PermissionsmenutodisplaythePermissionsintheTablepane.
Referencesisthenumberoftimesthefilehasbeenreferencedinthecase.Forexample,if
youbookmarkafilethreetimes,thereferencescolumnshowsthat.
PhysicalLocationthenumberofbytesintothedeviceatwhichthatunallocatedcluster
begins.Theprogramorganizesdeviceunallocatedclustersintoonevirtualfile.Itreadsthe
filesystemsFileAllocationTable(FAT),ortheNTFSBitmap,tocreatethisvirtualfile.This
allowstheexaminertoefficientlyexamineunallocatedclusters.
PhysicalSectorclusters.Physicalliststhestartingsectorwheretheitemresidesin
unallocatedspace.
EvidenceFileisthenameoftherootevidencefilewheretheentryinthetableresides.
FileIdentifierisafiletableindexnumberstoredinthemasterfiletable.Itisaunique
numberallocatedtofilesandfoldersinanNTFSfilesystem.
CodePageisthecharacterencodingtableuponwhichthefileisbased.
HashValuedisplaysthehashvalueofeveryfileinthecase.YoumustruntheCompute
HashValuecommandtogeneratethisinformation.
HashSetdisplaysthehashsettowhichafilebelongs.Ifnohashsetsarecreatedor
imported,thecolumnisunpopulated.
HashCategorydisplaysthehashcategorytowhichafilebelongs.Ifnohashsetsarecreated
orimportedthiscolumnisunpopulated.
FullPathdisplaysthefilelocationwithintheevidencefile.Theevidencefilenameis
includedinthepath.
105
ShortNameisthenameWindowsassignsusingtheDOS8.3namingconvention.
OriginalPathdisplaysinformationderivedfromtheINFO2filefordeletedfilesthatarein
theRecycleBin.Thepathiswherethedeletedfilewasoriginallystored.
Thecolumnisblankforundeletedfiles.
TheoriginallocationisshownforfilesintheRecycleBin.
Showswhatfilehasoverwrittentheoriginalfilefordeletedandoverwrittenfiles
SymbolicLinkcanprovidelinkstodirectoriesorfilesonremotedevices.
IsDuplicatedisplaysTRUEifthedisplayedfileisaduplicateofanother.
IsInternalreferenceshiddenfilestheOSusesinternallybutarehiddenfromtheuser.
IsOverwrittendisplaysTRUEiftheoriginalfileisdeletedanditsspaceisoccupiedby
anotherfile.
Filters Pane Menu

SelectingaFilterspanemenutabdisplaysfiltersfeatures.
106
ThemenuthatappearsabovetheFilterpaneshowsthesametaboptions.Thesearedescribed
here.
ClickingatabchangesthecontentsoftheFilterspaneasfollows:
EnScriptdisplaysanEnScripttreemenu.
Filtersdisplaysallavailablefilters.
Conditionsdisplaysallavailableconditions.
Displayshowsfilters,conditionsandqueriesthatarerunning.
Queriesdisplaystreemenuofavailableconditions.
TextStylesprovidesaccesstoavailabletextstyles.
View Pane Tabs

TheViewpanetabsdisplaydifferentrepresentationsoftheentriesselectedintheTablepane.
WhenthetypeofviewisappropriatefortheselectedentryintheTablepane,theViewpanetab
isenabled.
107
TheViewpaneaccessesthefollowingtabs:
Text
Hex
Doc
Transcript
Picture
Report
Console
Details
Output
ThetabsontheViewpanecannotbeclosed.
ThetabbarfortheViewpanealsocontainscontrolsspecifictotheViewpane.Thesecontrols
include:
LockpreventsthetabfromchangingifthefiletypeofthefileselectedintheTablepane
changes.Bydefault,theViewpanedisplaystheappropriatetabforthetypeoffileselectedin
theTablepane.ThisbehaviorisoverriddenwhenLockisselected.WhenyouselectLock,
thecurrentlydisplayedtabtypeisretained,eveniftheselectedfiletypeintheTablepane
changes.Forexample,ifyouLocktheViewpanewiththePicturetabinviewandthenselect
entriesintheTablepanethatdonotcontainimages,thePicturetabmayshownothing.
Codepagedetermineswhetherthedetected,ratherthanthedefault,codepageisusedintabs
thatdisplaytext.
Selected/Totaldisplaysthenumberofentriesselectedasafractionofthetotalnumberof
entriesavailableinthecurrentcase.
ThecontextestablishedbyselectinganentryintheTablepanedetermineswhatcontentis
displayedintheViewpane.TheViewpanedisplaysthecontentofoneentryfromthetable.
WhileseveralentriescanbebluecheckedintheTablepane,onlyoneentrycanbehighlightedat
atime.
108
Figure21 Viewpanecontext,where1)theTablepanecontainsatablewhereonlyoneentrycanbe2)
highlightedforfurtherexplorationin3)atabintheViewpane.4)Checkingtableentriesdoesnotdrive
thecontentdisplayedinthetabdisplayedintheViewpane.Therepresentationofthehighlightedcontent
ismadewhenyou5)selectthedesiredViewpanetab.6)TheHextabcontainsarepresentationconsisting
ofanaddress,thenumericbytevalues,andthetextrepresentationofthosenumericbytevalues.
109
The Text Tab

TheTexttabshowsthehighlightedfileasASCIItext.
110
The Hex Tab

TheHextabshowsasplitviewofafilewithhexadecimalvaluesontheleftandASCIIonthe
right.
111
The Doc Tab

TheDoctaboftheViewpaneusesOracleOutsideIntechnologytodisplaytextinitsnative
format.
Thisviewertechnologyprovidesapplicationsoftwaredeveloperswithhighfidelitydocument
viewingwithouthavingtousenativeapplicationsformorethan390fileformatsonWindows
platforms.
112
The Transcript Tab

TheTranscripttabusesOracleOutsideIntechnologytoextracttextfromafilecontainingmore
thantext.
TheTranscripttabdisplaysplaintextcontentpulledfromitsnonplaintextnativeformat.This
makesitespeciallyattractiveforcreatingsweepingbookmarksinsidefilesthatarenotnormally
storedasplaintext,suchasExcelspreadsheets.
The Picture Tab

ThePicturetaboftheViewpanedisplaysthecontentsofanimagefile.
The Report Tab

TheReporttabdisplaysadetailedlistoffileattributesintheViewpane.
113
114
The Console Tab

UsetheConsoletabtoviewoutputstatusmessageswhenrunningEnScriptprograms.
The Details Tab

TheDetailstabprovidesfileextentinformation.
Toviewfileextents
1. Openacaseanddisplayitscontents.
2. ScrolltothefileextentscolumnintheTablepaneandclickFileExtentsinsomerow.
3. ClicktheDetailstabintheReportspanetoviewthefileextents.
Thefigurebelowshowsthefirsteightfileextentsfromapieceofevidence.
115
The Output Tab

UsetheOutputtabtoobtainoutputfromvariousEnScriptprograms.
Navigating the Tree Pane

TheTreepanepresentsastructuredviewofallgatheredevidenceinaWindowslikefolder
hierarchy.
UsethestructuredviewwhenexploringEntries,Bookmarks,SearchHits,Keywords,andother
viewsofevidence.Youcanaddfolderstothestructuretosuityourworkingrequirements.Note
thatsomefoldershaveaplussign(+)nexttothem.Clickingtheplussignopensthefolderand
displaysitscontents.
116
Inthefigureabove,theDocumentsandSettingsfolderisexpandedtoshowthefivefoldersit
contains.Notethatthesymbolnexttotheopenfolderisasign,indicatingthefolderis
expanded.
Opening and Closing Folders with Expand/Contract

UsetheEditmenuorrightclickintheTreepanetouseExpand/Contracttoopenorclosethe
hierarchyatthepointofthehighlighteditem.
ToopenandcloseallfoldersdisplayedintheTreepane,dooneofthefollowing:
RightclickthefolderandchooseExpand/Contractfromtherightclickmenu.
ClicktheExpand/Contracticon(+or).
Withthefolderhighlighted,pressthespacebar.
Expand All
Youcanexpandallnestedfoldersbeneaththehighlightedfolderwithonemenuclick.
IftheentireTreepanehierarchyisclosed,orifoneormorefoldersareopen,theentiretreecan
beexpandedtodisplayallofthecontents.
117
UsetherightclickExpandAllcommandtoshowallofthehierarchy.StartattheEntriesrootto
openallavailablefolders.
Contract All
Youcancloseanentiretreewithonemenuclick.Ifoneormorefoldersisexpandedbeneaththe
highlighteditem,theentiretreeiscontracted.
ContracttheentiretablebyopeningtheEditMenu,thenclickContractAll.
Thehierarchicaltreecontractsanddisplaysthehighlighteditemonly.
118
Displaying Tree Entry Information for One Branch

HighlightingisoneofthreewaystochooseitemsintheTreepane.
HighlightinganiteminthetreedisplaysitscontentsintheTablepane.
Figure22 Highlightingatreeentry,where1)isthehighlighteditem2)arefolderobjectscontainedinthe
highlighteditemintheTreepane,and3)areitemscontainedinthehighlighteditem,enumeratedinthe
Tablepane.
Highlightingdiffersfromselecting.Selectingclickingoneormorecheckboxesconstructsa
collectionforprocessingbyananalyticoperationsuchasbookmarkingorhashing.
Highlightingalsodiffersfromincluding.Includingclickingtodisplaythegreenpolygon
displaysalltheitemsfoundintheincludedbranchofthetreefromthetoplevel,downtothe
itemyouclicked.
119
Displaying Expanded Tree Entry Information

YoucanincludeallthelowerlevelsofthehierarchyofanitemfordisplayintheTabletabwitha
singlemouseclick.
Youdonothavetoexplicitlyexpandthetreefolders.WhenyouclicktheSetIncludepolygonin
theTreepane,orrightclickandchooseSetIncludefromthemenu,thisoccurs:
TheSetIncludeiconofthehighlighteditemturnsgreen.
Itemsonthelowerlevelsofthehierarchyarealsoincluded,asindicatedbythegreen
icons.
ThecontentofalltheentriesorobjectsincludedappearintheTablepane.
IftheIncludeAlliconisnotgreen,thedataassociatedwiththatitemdoesnotappearinthe
Tablepane.
IncludingAllisdistinctfromhighlightinginthatIncludingAlldisplaysalltheitemsinthe
branchfromtheselectedentrytotheleafentries,whilehighlightingdisplaysonlyitems
containedinthehighlighteditem
IntheTreepane,includingallisdistinctfromselectingbecauseincludingallaffectsthecontents
ofthetablepane,whileselectingdoesnot.
Initially,SetIncludedisplaystheentriesandobjectsintheTablepaneinahierarchicalorder.
Sortingcolumnsinthetabledestroysthisorder,whichcannotberecoveredexcepttocyclethe
SetInclude.Usethestatuslinetoseetheparentforaparticularentryinthetable.
120
Figure23 ComparingHighlightingandSetInclude,wherethecontentsof1)thehighlightedentryinthe
Treepane,as2)itappearsintheTablepane,andwherethecontentofthe3)SetIncludeentrythat
enablestherestoftheSetIncludeentriesinthesubtree,as4)itdisplaysintheTablepane.Include
propagatesdownthetreefrom3),theentryinitiallyincludedtotheparallelentries.
Selecting Tree Entries for Operations

SelectionisthewaytochoosemultipleitemsintheTreepanetomanagethem.
WhilehighlightingandincludingintheTreepanedrivethecontentoftheTablepane,selecting
doesnot.Selectingdetermineswhichentriesareprocessedbyanalyticoperationssuchas
bookmarking,searching,filtering,andhashing.
Whenyouselectanitembyclickingacheckbox,theselectionpropagatesupwardsinthe
hierarchytoincluderelatedstructure.
121
Figure24 Selectingitemswhere1)istheitemthatyoucheckedwithamouseclick,2)isaselectedancestor
thatwaspropagatedfromtheinitialselection,whoseentirecontentsareincludedinafutureoperation,as
indicatedbythewhitebackgroundofthecheckbox,and3)isaselectedancestor,thatwaspropagatedfrom
theinitialselection,whosecontentsarenotincluded;asaresult,itscheckboxhasagraybackground.The
arrowshowsthedirectionofthepropagation.
Using the Dixon Box

TheDixonBoxislocatedinthetababovetheReportpaneandshowshowmanyfilesare
selectedandhowmanyfilesexistinthecase.
Ifnofilesareselectedintheopencase,theboxlookslikethis:
Inthispicture,threeofthesame191filesareselected:
Note: To quickly select or deselect all files in a case, click the Dixon Box.
122
Modifying the Table Pane

TheTablepanedisplaysthecontentsofselectedfilesandfolders.
Note: Contents of the Table pane change as different items are selected in Tree pane and when files are
clicked in the Table pane.
123
Showing Columns
Individualorgroupsofcolumnscanbeshownandhiddenfromview.
ToshoworhidecolumnsusingtheShowColumns,placethecursorintheTablepaneandright
click.Thismenuoptionappearsbelow.
ToactivateordeactivatetheTablecolumnsdialogrightclicktheTablepane,selectShow
Columnsandselectthedesiredcolumns.
TheShowColumnsdialoglookslikethis:
Note: See Table Tab Columns (on page 102) for information on all columns.
Tohidecolumns,cleartheappropriatecheckboxes,thenclickOK.
124
Showing Columns in the Records Tab

1. SelecttheRecordsTab.
2. RightclickintheblankareaoftheTablepaneandselectShowColumns.
3. Thecolumnsdisplayinatreestructure:
125
Hiding Columns
Youcanhideindividualcolumns.RightclickthecolumnyouwanttohideandclickHide.
Thecolumninwhichthecursorwaslocatedishidden.
Auto Fit All Columns

TheAutoFitAllfeatureexpandsthewidthofeachcolumnsonodataarehidden.
Note: The difference between Auto Fit All and Fit to Data is that with Auto Fit All, each displayed column is
expanded to show its entire contents.
Fitting Columns to Data

Attimes,youmaywanttoadjustthewidthofonlyonecolumn.Toviewtheentirecolumn,
selectFittoData.
Note: If a column contains too much data, widen the column by clicking Fit to Data in the Column
submenu.
126
Resetting Columns
Restorecolumnstotheirdefaultorderandwidthbyusingreset.
Manuallyresizeacolumnbydraggingthecolumnseparator.
Youcanchangetheorderinwhichthecolumnsappearbygrabbingthecolumnheaderand
draggingthecolumntothedesiredlocation.
Note: Change column order by left-clicking the column header and dragging it to another location.
Setting a Lock on Columns

UseSetLocktoscrollrightandleftinatablewhilecontinuingtoshowcertaincolumns.
ColumnsarelockedontheleftsideoftheTablepane.Tolockacolumn:
1. Placethecursorinacolumntobelocked.
2. RightclickandselectSetLockinthesubmenu.
127
Thelockissetonthepositionofthecolumn.Ifothercolumnsaremovedintothatposition,they
tooarelocked.Toreleasethelock:
1. Rightclickthelockedcolumn.
2. SelectColumns.
3. SelectUnlock.
Excluding Search Hits

TheExcludeoptionhidesoneormoresearchhitsfromview.Itdoesnotdeletethemfromthe
case.
Note: Excluded search hits are indicated by the international Not symbol.
Inthefigurebelow,thefilesetuplog.txtisincluded,whilethoseinrows15,16,and17are
excluded.
128
Deleting Items
WhenusingSearchHits,deleteisconsideredasoftdeletewhichyoucanundeleteuntilthecase
isclosed.Ifasearchhitremainsdeletedwhenthecaseisclosed,thehitispermanentlydeleted.
Inothertabs,however,undeleteworksonlywiththelastselectiondeleted.Onceafileisclosed,
deleteditemsarepermanentlyremovedandcannotberecovered.
Run,thenviewakeywordsearch.ThisprocessissimilartotheExcludeFiles(onpage360)
feature.
ViewthesearchhitsreportintheTablepanebeforeexcludingthemfromthereport.
1. Selectfilestoexclude,thenrightclicktheview,selectingeitherDeleteorDeleteAll
Selected.
SelectingthelatterdisplaystheExcludeAllSelecteddialog.
2. SelecttheappropriateoptionandclickOK.Theselectedfilesaretemporarilydeleted.
Note: Viewing the report shows the concatenated results.
129
Filters
FiltersareEnScriptsthatmodifywhatdataaredisplayed.
Note: There are different types of filters available depending on the tab chosen on the Tree pane. For
example, the filters available for search hits are different from those available for entries.
Severalfiltersexistforfilteringoutobjectsoflittleornointeresttoaninvestigation.Filtersdo
notremovetheseobjectsfromthecase,theysimplyhidethemfromtheTablepane.
TheFilterpaneallowsinvestigatorstorun,create,edit,ordeletefilters,conditions,andqueries.
TheConditionstaballowstheusertobuildfiltersbysimplyspecifyingparameters.
Rightclickonafiltertoopenasubmenu.
UseNewtocreatefiltersbasedonsetconditionsthataremenuselectable.
Createdfiltersresideinaninitializationfile(C:\ProgramFiles\EnCase6\Config\filters.ini).
FiltersaresavedgloballywithintheEnCaseprogram.
130
Creating a Filter
Newfiltersofyourowncreationcanbeaddedtothelist.
DisplaytheFilterlistintheFilterpane,thencreateanewfilter.
1. RightclicktopmostFiltericon.
Asubmenuappears.
2. ClickNewfromthedropdownmenu.
TheNewFilterdialogappears.
3. EnteradescriptivenameintheFilterNamefieldandclickOK.
AsourceeditorappearsintheTablepane.
4. EnterEnScriptcodeasrequiredtoaccomplishyourtask.
ThenewlycreatedfilternameappearsatthebottomoftheFilterpanelist.
Executethenewfilterasrequiredbydoubleclickingit.
Editing a Filter
Changeafiltersbehaviorbyeditingit.
DisplaytheFilterlistintheFilterpane,theneditit.
Editafilterasfollows:
1. Rightclickthefilteryouwanttoedit.
Adropdownmenuappears.
131
132
2. ClickEditSource.
ThefiltersourceappearsintheTablepane.
Note: The Table pane menu shows the Code icon selected, the text editor's menu highlights the
filter you are editing, and the scroll bars allow you to maneuver in the display.
3. Editcommandsasneeded.Filterbehaviorchanges.
Running a Filter
Runningafilteragainstasetofevidencefilesproducesdatathatconformtothefilters
parameters.
Openacasefileandselectfolderstosearch.
1. RunafilterbyclickingSelectAll(homeplate)onevidencefolders.TheTreepanethat
appearsissimilartothisillustration.
133
2. Doubleclickafilter,orrightclickitandselectRunfromthedropdownmenuthat
appears.Completeanydialogsthatappear.
Whenthefilterfinishes,theTablepanedisplaysentriesthatmeetthefilterscriteria.The
figurebelowshowsthefilternameandotherdataonthosefilesthatmeetthe
requirements(DeletedFilesinthiscase).
3. NoticethataQueryicon(below)appearsinthetopmenubar.Thisiconappearswhena
filteredlistisdisplayed.
Clickingtheiconchangesthedisplayfromshowingthefilteredlisttoshowingallfile
entries.
TheQueryiconchangeswhenclicked.Ithasaredsignonittoshowthefilterisoff.
Thisdoesnotdeletethefilter;itonlyturnsitsdisplayeffectsoff.
134
Combining Filters
Youcanrunmultiplefilters,andcombinefilterswithConditionsandQueries.
Todothis,runmorethanonefilter.RunningmultiplefiltersusesORlogictoselectfiles,thus
theshowsbothdeletedandselectedfiles.Anyentrythatrespondstoanyactivefiltercondition
orqueryappears.Thefirstfigureshowsafilteredlistwithonefilterrunagainstit.
NotethattheentryintheIsDeletedcolumnismarkedTrue.
Thissecondfigureshowsthedisplaythatresultswhentwofilters,DeletedFilesandFiles
Beforen,arerun.ThenamesofbothfiltersappearintheFiltercolumnoftheTablepane.
135
Asimilarresultwouldoccurifyouweretocombineafilterandacondition.
AND/OR Filter Logic

Youcantogglebetweendisplayingonlyentriesthatmatchalltheactivefilters(ANDfunctional
logic)orentriesmatchinganyoftheactivefilters(ORfunctionallogic).
Whenyourunmultiplefilters,aMatchesAnyoptiondisplaysinthetoolbar:
ThisoptionemploysORlogictodisplayfiles.
ToemployANDlogic,clicktheMatchesAnytoolbaroption.TheoptionchangestoMatches
All:
Changing Filter Order

Filtersrunintheorderinwhichyouselectedthem.Tochangethisorder:
1. ClickDisplaytoshowtheactivefilters.
2. Leftclickthefilteryouwanttomove.
3. Whileholdingtheleftmousebuttondown,movetheselectedfiltertoanewposition.
136
Athreefilterlistwithallitemsselectedisshownbelow.Thenextexampleshowsthesamethree
filtersinaneworder.Becauseallfiltersareselected,andthusactive,allwillberun.Theorderin
whichtheyrun,however,ischanged.Inthefirstexamplebelow,SelectedFilesOnlyrunsfirst,
whileinthesecondexample,itrunssecond.
Turning Filters Off

Thereareseveralwaystoturnoffordisablefilters.YoucantoggletheQueryicontoalternate
betweenthefilteredlistandtheunfilteredone.Thisisanallornonetoggle.
WhenyouhavemorethanonefilterorconditionintheFilterspaneDisplaytab,deselectinga
filtermodifiestheTableviewtoshowonlyfilesthatresultfromthestillcheckeditems.For
example,thelistinthenextexampleshowsthreeactivefilters,SelectedFilesOnly,File
ExtensionandDeletedFiles,butFileExtensionisunchecked.
137
Deleting a Filter
YoucanremoveafilterfromtheDisplaylistbyselectingit,rightclickingit,andthenclicking
Deletefromthedropdownmenu.Asasafeguard,adialogdisplays.ClickYestocompletethe
deletion.TheTablepanedisplayautomaticallyupdatestoreflectthechange.Thefilter,
condition,orqueryisnotdeletedfromtheFilters,Conditions,orQueriestabfromwhichitwas
executed.
Importing Filters
Filtersotherscreatecanbeimportedintoyourcollectionandused.
To import a filter someone else has written,
1. RightclickintheFilterpane.
2. SelectImport.
3. NavigatetoorenterthepathwherethefilterislocatedandclickOK.
Exporting Filters
Sendyourfiltersinatextfiletoothers.
138
Toexportafilterfromyourcollection,
1. RightclickintheFilterpane.
2. SelectExport.
Note: Selecting XML Formatted exports filters in XML format.
3. ChecktheExportTreefieldasinthefigure.
Note: By default, the Output File text field contains a file named export.txt. This can be changed and a
complete export path can be entered or navigated to.
Conditions
Conditionsaresimilartofilters.TheylimitTablepanecontent.Severalcreatedconditionsexist,
andlikefilters,theyvarydependingonthechosenTreetab.Thefirstfigurebelowshowsthe
displaywhentheConditionstabisselected.
139
Creating Conditions
Tocreateanewcondition,rightclickafolderintheConditionstabintheFilterpaneandselect
New.
Note: To use a filter inside a condition, create the filter by first clicking the filter tab and creating a filter.
Once created, click the Conditions tab and the filter appears in the properties list.
140
To create a condition:
1. EnteranameintheNamefield.
2. RightclickMainontheconditionstreeandselectNewtoseetheNewTermdialog.
3. Selectaproperty,anoperator,and,ifprompted,avalueandchoice.Dependingonthe
propertyandoperatorchosen,youcanalsoselect
PromptforValue
CaseSensitive
GREP
4. Toeditthesourcecode,clickEditSourceCode.
5. Repeatthestepsabovetocreateasmanytermsasyouwanttomaketheconditionas
detailedaspossible.
6. ClickOKtosavethecondition.
7. Tonestterms,createafolderbyrightclickingthedesiredlocationintheTreepaneand
choosingNewFolder.Placethenestedtermsinsidethisfolder.
8. Ifyouwanttochangethelogic,rightclickthetermandselectChangeLogic.This
changestheANDoperatortoanOR,andviceversa.
9. Ifyouwanttonegatethelogic,rightclickthetermandselectNot.
10. Whensatisfiedwiththelogic,clickOK.
141
Editing Conditions
Conditionscanbeopenedandeditedwhentherearenoopencases.
1. Selectthefilter.
2. RightclickitandselectEdit.
TheeditwizardopensintheTablepane.
3. RightclickthepropertyandselectEdittoseetheEditTermwizard.
142
4. MaketheselectedchangesandclickOK.
Running Conditions
Torunconditions,doubleclickthem,selectanitemandrunthescriptagainstit,orrightclick
andselectRun.
TheexamplebelowshowstheTablepanebeforeafilterisrun.
143
Threerowsareselected;7,10,and17.NotetheblankFiltercolumn.
Runningaconditionchangesthedisplayseveralways.First,thetoptabmenudisplaysthe
conditionnameanddisplaytabs.Noticethe+signonbothiconsinthefigurebelow.
ThesecondchangeisthatfilestowhichthefilterappliesappearintheConditioncolumn.Inthis
case,weranafilterlookingforfilesthathadanydatebefore21September2006.Youcanchange
thedateandtimeinthesefiles.
TheTableviewlookslikethisafterthefilterisrun:
Columnnumbersarechanged,butthefileselectednamesandtheconditionnameappearasin
thepictureabove.
Toreturntotheoriginaldisplay,clicktheMySelectedFilestabtochangethe+signtoasign.
Alloriginalfilesreappearwiththefilterinthefielddisplayedononlythosefileswhichmeetthe
parameters.Tohidethefiltername,selecttheDisplaytabandchangeittoasign.
Importing Conditions
Youcanimportconditionscreatedbyothers.
Toimportaconditionfiltersomeoneelsehaswritten:
1. RightclickintheConditionpane.
2. SelectImport.
144
Exporting Conditions
Exportfilterstosharethemwithotherusers.
Toexportafilterfromyourcollection:
1. RightclickintheConditionspane.
2. SelectExport.
3. SelectExportTree.
Note: Selecting XML Formatted exports the file in XML format.
Note: By default, the Output File text field contains a file named export.txt. You can change this
name. You can also enter or browse to a complete export path.
145
Queries
Queriesallowchangingwhatisvisiblebycombiningfiltersandconditionsintooneitem.There
aretwopartstoaquery,thedisplayportionandthelogicportion.Thedisplayportionaffects
thetextanditscolor,andisusedtodenotematchesusinguserselectedfiltersandconditions.
ThelogicportionactuallycontrolswhichrowsarehiddenfromtheTablepane.
Constructaqueryusingthesamefiltersandconditionsforthedisplayandlogicsections,oruse
differentfiltersandconditions.Onecaveat:thelogicportiontakesprecedence,soifarowisnot
afiltersandconditionsmatchusedinthelogicsection,itishiddenevenifitmayhavebeena
matchinthedisplaylogic.Thelogicportionactuallycontrolswhichrowsarehiddenfromthe
Tablepane.
To create a query:
1. Enteranameinthefield.
2. IntheDisplaysettingsforshownitemspane,rightclickintherightpaneandselectnew.
ChooseFilterorCondition.
Selectthefilterorconditionfromthelist.
Entertextintothetextfield.ThistextwillappearinthefiltercolumnoftheTable
panewhenafilemeetsthiscriteria.
ChangethecolorelementbyclickingTextColororFrameColor,thendoubleclick
BackgroundandForegroundcolors,thenclickOK.
3. ChooseFilterorCondition.
4. Selectthefilterorconditionfromthelist.
5. Entertextintothetextfield.ThisistextwillappearinthefiltercolumnoftheTablepane
whenafilemeetsthiscriteria.
6. ChangetheColorelementbyclickingTextcolororFramecolor,thendoubleclickthe
BackgroundandForegroundcolors,thenclickOK.
7. IntheNewDisplaydialog,repeatStep4asoftenasrequired.
Note: The filters and conditions shown here will not hide rows that do not match the requirements
of the selected filters. These selections simply adjust how the matches are indicated in the
interface.
8. IntheConditionsforshowingitemspane,rightclickCombinationsandselectNew.
9. IntheNewCombinationdialog,selectfilterorcondition,thenselectthefilteror
conditionfromthelistandclickOK.
Note: You do not need to enter the same filters or conditions here as entered in the display setting
for shown items pane.
146
10. RepeatStep7asmanytimesasneeded.
Note: This is the logic for hiding rows. If, for example, an item matches a filter from the display
settings for shown items pane, but it does not match the logic in the conditions for showing items
pane, then the row will not be shown.
11. ThedefaultlogicfortheconditionsisAND.TochangethislogictoOR,rightclick
Combinations>CombinationsChangeLogic>ChangeLogic.
12. ClickOK.
Note: Other operations, including exporting and importing are the same as filters and conditions.
Gallery Tab
TheGallerytabisaquick,easywaytoviewimagesstoredonsubjectmedia.Theextentoffiles
showninGallerytaboftheTableviewisdeterminedbytheselectionmadeintheTreepane.For
example,toviewimagesoftheentirecase,setincludeattherootoftheCasetree.
InGallery,youcanbookmarkimagesjustlikebookmarkingthemintheTabletab.
Ifsignatureanalysisisnotyetrun,Galleryviewdisplaysfilesbasedonpublishedfileextension.
Forexample,ifaJPGfileischangedtoDLL,itdoesnotappearintheGalleryuntilasignature
analysisisrun.
Note: Running a signature analysis is suggested before performing analysis in the gallery tab.
SeetheSignatureAnalysis(onpage327)sectionofthismanualformoreinformation.
Viewing More Columns

ViewmorepicturesinGallerybyincreasingthenumberofdisplayedcolumns:
1. RightclickanywhereinGallery.
2. SelectMoreColumns.
Viewing Fewer Columns

ViewfewerpicturesinGallerybyreducingthenumberofdisplayedcolumns:
1. RightclickanywhereinGallery.
2. SelecttheFewerColumnsmenuoption.
Therightmostcolumnishidden.
147
Viewing More Rows

ViewmorepicturesinGallerybyincreasingthenumberofdisplayedrows:
1. RightclickintheGallerytab.
2. SelectMoreRows.
Viewing Fewer Rows

ViewfewerpicturesinGallerybydecreasingthenumberofdisplayedrows:
1. Rightclickanywhereingallery.
2. SelectFewerRows.
Timeline Tab
TheTimelineisagreatresourceforlookingatpatternsoffilecreation,editing,andlastaccessed
times.
Youcanzoomintoasecondbysecondtimelineandzoomouttoayearbyyeartimelineby
rightclickingandselectingtheappropriateoption.
Abovethecalendarareselectionboxestoquicklyandeasilyfilterwhichtypeoftimestampto
display:
Written
Accessed
Modified
Deleted
FileAcquired
148
Clearingoneormoreoftheseboxeschangesthetimelinepresentation.
Modifying the View Pane

TheViewpaneprovidesdisplayspecificfunctionalityofitemsselectedintheTablepane.
Copy
YoucancopydataintheTextandHextabs.YoucanalsocopyRTFfromareportsoitcanbe
pastedintoanexternalprogramthatacceptsRTFinput.
Ineithertab,selectthetext,rightclickandselectCopy.
Goto
UseGototospecifywheretomovethecursorintheViewpane.
Toskiptoalocation:
1. RightclickintheViewpane.
2. SelectGoto.
3. EnterthefileoffsetintheotherfieldandclickOK.
GotocanalsointerpretselectedtextusingLittleEndianorBigEndian.Tointerpretselectedtext:
1. HighlighttextintheViewpane.
2. RightclicktheViewpaneandchooseGoto.
3. ClickLittleEndiantoseetherepresentationinLittleEndian.
4. ClickBigEndiantoseetherepresentationinBigEndian.
149
Find
FindworksinmosttabsoftheViewpane.Useittolocatestringswithindata.
Tofindastring:
1. DisplayTextview.
2. RightclicktheViewpane.
3. ClickFind.
4. EnterastringintheExpressionfield.TouseaGREPexpression,checktheGREPoption.
5. SelecteitherWholeDocument,FromCursor,orCurrentSelection.
6. SelectCaseSensitiveifdesired.
7. Choosewhethertohaveresultsappearinoutputpane.
8. ClickOK.
Thesystemfindstheexpressionyouentered.
CHAPTER 6
Case Management
In This Chapter
Overview of Case Structure 151
Case Related Features
New Case Wizard
Using a Case 169
Open a Case 175
Saving a Case 176
Close Case
177
166
157
152
Overview of Case Structure

Anevidencecasehasatripartitestructureconsistingofanevidencefile,acasefile,andEnCase
programconfigurationfiles.
Thecasefilecontainsinformationspecifictoonecase.Itcontains
pointerstooneormoreevidencefilesorprevieweddevices
bookmarks
searchresults
sorts
hashanalysisresults
signatureanalysisreports
Note: A case file must be created before any media can be previewed or evidence files analyzed.
Indeed,oneofthemostpowerfulfeaturesoftheprogramisitsabilitytoorganizedifferent
mediasotheycanbesearchedasaunitratherthanindividually.
Case Management
Beforestartinganinvestigation,giveconsiderationtohowthecaseisaccessedonceitiscreated.
Forexample,morethanoneinvestigatormayneedtoviewtheinformation.Toaccomplishthis,
evidencefilescanresideonacentralserver.
Creatingtemporaryexportandevidencefoldersallowsfilesegregationandcontrol.A
temporaryfolderholdsanytransientfilescreatedduringaninvestigation.Theexportfolder
providesadestinationfordatacopiedfromtheevidencefile.
Createanevidencefoldertostoreevidence.TempandExportfoldersarebuiltwhenacaseis
created.
CaseManagement
153
Concurrent Case Management

Theprogramcanopenmorethanonecaseatatime.EachcaseappearsintheTablepane,andis
analyzedindependentoftheother.
To switch case analysis from one case to another:

1. ClickView>CasesSubTabs>Home.
2. SelectacaseforanalysisfromtheTabletab.
TheDevicescolumnofthetableindicateshowmanydevicesareassociatedwiththecaseinthe
Namecolumn.
Note: To look at the devices associated with a particular case, highlight the case in the Table pane, then
click on the Entries sub-tab below Cases.
Indexing a Case
Managingtheindexfilesassociatedwithevidencefilesinacaseisanimportantpartofcase
management.
Fordetailedinformation,seeIndexing(onpage365).
154
Case File Format

Version6hasanewcasefileformat.Asaresult,casefilescreatedinversion6donotopenin
previousversions.Version6,however,doessupportcasescreatedwithversion5.
Ifaversion5casefileisopenedinversion6,itcanbesavedaseitheraversion5oraversion6
casefile.YouhavethisoptionintheFile>SaveAsmenu.
Forexample,acaseiscreatedinversion5,thenopenedandworkedoninversion6.Toselectthe
versioninwhichtosavethefile,
1. SelectFile>SaveAs.
2. ExpandtheSaveastypefieldandmakeaselection.
CaseFilesavesthefileasversion6.
Version5CaseFilesavesthefileasversion5.
BackupCaseFilesavesthefileasaversion6backupfile.
CaseManagement
155
Case Backup
Bydefault,abackupcopyofthecasefileissavedevery10minutes.
Bydefault,backupfiles(.cbak)aresavedtoC:\Program Files\EnCase\Backup.Withthe
exceptionoftheextension,thisfilehasthesamenameastheparentfile.
Tochangethedefaultsavetime:
1. SelectTools>Options>Global.
2. ChangethenumberintheAutoSavetextfield.
Selecting0disablestheautosavefunction.Thisisnotrecommended.
The Options Dialog

TheOptionsmenuallowsyoutocustomizethesoftware.
Toaccessthemenu,selectCases>Optionsfromthetoolbar.
156
Atabbeddialogappears.Thetabsare:
CaseOptions(whenacaseisopen)
Global
NAS
Colors
Fonts
EnScript
StoragePaths
Enterprise
CaseManagement
Note: All fields on the Case Options tab are mandatory.
TheCaseOptionsfieldsintheillustrationshowthedefaultvalues.
Nameholdsthecasename.
ExaminerNameistheinvestigatorsname.
DefaultExportFolderisthelocationtowhichexporteddataaresent.
TemporaryFolderisthelocationtowhichtemporarydataaresent.
IndexFolderisthelocationofcaseindices.
Case Related Features

Casesusetheseprocesses:
Logonwizard
NewCasewizard
Optionsdialog
CaseTimeSettingdialog
157
158
Logon Wizard
TheLogonwizardcapturestheusername,password,andSAFEtouseforthecurrentsession.
Theuserandpasswordareestablishedbytheadministrator,orthosegrantedadministrator
levelpermissions.
TheLogonwizarddisplaysthefollowingpages:
Userspage
SAFEpage
CaseManagement
159
Logon Wizard Users Page

TheUserspageoftheLoginwizardcapturesthecurrentuserspasswordandusername.
Passwordcapturestheuserpassword.
UsercontainstheUsertreelistingusersprivatekeysandanysubfoldersinthecurrentroot
path.AvaliduserhasamatchingpublickeyintheSAFEtheylogonto.
RootUserObjectprovidesadditionalfunctionalitythrougharightclickmenuincluding:
updatingthelistofusersdisplayed
changingtherootpath
commandsthatexpandorcollapsetheUsertree.
UserObjectsprovidesadditionalfunctionalitythrougharightclickmenuincluding
updatingthelistofusersdisplayed,andchangingtherootpath.
Users Right-Click Menu

TheUsersrightclickmenuprovidesadditionalfunctionality.ThemenudisplaysfromtheUsers
treeintheUsersPage.
160
TheUpdatecommandupdatestheUserstreedisplay.Whenausersprivatekeyisaddedto
thedefaultC:/Program Files/EnCase6/Keysfolderoranyotherfolderspecifiedbythe
currentrootpath,thetreedoesnotimmediatelydisplaythenewuser.Thenewuserappears
whenthewizardisopenedagain,orwhentheUsertreeisupdated.
UsetheChangeRootPathcommandtospecifyafolderthatcontainstheprivatekeysof
usersotherthanthedefaultfolder.SpecifytherootpathintheBrowseforFolderdialog.The
Userstreecontainsonlythoseusersinthefolderspecifiedasthenewrootpath.
Browse for Folder Dialog

UsethisdialogtochangetherootpathintheUserstreeandtheSAFEtreetospecifythepathto
folderscontainingkeysforusersorSAFEs.ThedefaultpathisC:/Program
Files/EnCase6/Keys.
TheUserstreeisbasedontheprivatekeyscontainedinthefolderdefinedbytherootpath.The
SAFEtreeisbasedon.SAFEfilescontainedinthefolderdefinedbytherootpath.Bothtypesof
filesareintheC:/Program Files/EnCase6/Keysfolder.
Movingthesekeyfileswhilethetreesaredisplayedrequiresarefreshtoupdatethetrees.
Pathdisplaysatreetonavigatetothefoldercontainingthekeys.
CaseManagement
161
SAFE Page of the Logon Wizard

TheSAFEpageoftheLogonwizarddeterminesifSAFEisassociatedwithandusedbythe
currentuser.
SAFEcontainstheSAFEstreethatorganizesalltheSAFEsthatareinstalled.Theuserselects
aSAFEtocompletethelogon.
SAFEsRootObjectprovidesadditionalfunctionalitythrougharightclickmenusuchas
editingthesettingsoftheSAFE
changingtherootdirectory
loggingontoaremoteSAFE
additionalcommandsthatexpandorcollapsetheSAFEstree
SAFEObjectsprovidesadditionalfunctionalitythrougharightclickmenusuchas
editingthesettingsoftheSAFE
changingtherootdirectory
loggingontoaremoteSAFE
SAFE Right-Click Menu

TheSAFErightclickmenuprovidesadditionalfunctionality.
162
EditopenstheEditSAFEDialogwhereSAFEsettingsaredefinedandremotelogonsare
enabled.
UpdateupdatestheUserstreedisplay.Whenausersprivatekeyisaddedtothedefault
C:/Program Files/EnCase6/Keysfolderoranyotherfolderspecifiedbythecurrent
rootpath,thetreedoesnotimmediatelydisplaythenewuser.Thenewuserappearswhen
thewizardisopenedagain,orwhentheUsertreeisupdated.
UsetheChangeRootPathcommandtospecifyafolderthatcontainstheprivatekeysof
usersotherthanthedefaultfolder.SpecifytherootpathintheBrowseforFolderdialog.The
Userstreecontainsonlythoseusersinthefolderspecifiedasthenewrootpath.
Browse for Folder Dialog

UsethisdialogtochangetherootpathusedintheUserstreeandtheSAFEtreetospecifythe
pathtofolderscontainingkeysforusersorSAFEs.ThedefaultpathisC:/Program
Files/EnCase6/Keys.
TheUserstreeisbasedontheprivatekeyscontainedinthefolderdefinedbytherootpath.The
SAFEtreeisbasedon.SAFEfilescontainedinthefolderdefinedbytherootpath.Bothtypesof
filesarefoundintheC:/Program Files/EnCase6/Keysfolder.
Movingthesekeyfileswhilethetreesaredisplayedrequiresarefreshtoupdatethetrees.
Pathdisplaysatreetonavigatetothefoldercontainingthekeys.
CaseManagement
163
Edit SAFE Dialog

TheEditSAFEdialogcontainssettingsthatdefineconnectionstotheSAFEandenableremote
login.
164
MachineNamecontainstheIPaddresstothemachineorsubnetthatconstitutestheSAFEor
SAFEsaccessedusingthenamedSAFE.
RemoteSAFEdeterminesifcommunicationswiththenodewillberoutedthroughtheSAFE,
sotheSAFEstandsbetweentheclientandthenode.Enablingthissettingallowsyouto
provideavalueforInboundPortandtouseitsvaluecommunicatingwiththeremoteSAFE.
InboundPortdetermineswhichportisusedwhencommunicatingwiththeremoteSAFEat
theIPaddressspecifiedinMachineName.
AttemptDirectConnectioncontainssettingsthatdeterminewhatkindofconnectionis
madetothespecifiedSAFE.
NoneshouldbeenabledwhenthetargetsystemcannotestablishaconnectionwithanEE
client.ThenalltrafficisredirectedthroughtheSAFEserver.Thiscanincrease
communicationtimes;however,itprovidestheinvestigatorwiththeabilitytoobtaindata
thatisotherwisenotavailable.
ClienttoNode(Local)shouldbeenabledwhentheclient(Examiner)andthenode(servlet)
resideonthesamenetwork,andtheSAFEresidesonadifferentnetwork.Thisallowsdatato
transferdirectlyfromthenodetotheclient,aftertheclientsuccessfullyauthenticates
throughtheSAFE.AlsotheclientwillusetheIPaddressthatthenodebelievesithas,rather
thentheIPaddresstheSAFEhasforthenode.Inthisconfiguration,thenetworkshouldbe
designedsothatallthecompanysemployeesarelocatedontheCorporateDesktop
Network,andshouldemployrouting/NATing.
ClienttoNode(SAFE)enablesNAT,whereaprivateIPaddressismappedtoapublicIP
address.Typically,theSAFEandnoderesideonthesamesubnet,andtheclientonanother.
Thisallowsdatatotransferdirectlyfromthenodetotheclient,aftertheclientsuccessfully
authenticatesthroughtheSAFE.TheclientalsousestheIPaddressthattheSAFEbelieves
thenodehas,ratherthentheIPaddressthenodereportsithastoallowadirectconnection
betweentheclientandnodemachine.Thisoptionisenabledbydefault.
NodetoClientoperatessimilarlytotheClienttoNode(SAFE)mode,exceptthatthenode
attemptsthedirectconnectiontotheclient.Itisusedwhenyoudesiredirectdatatransfer
betweenthenodeandtheclient,andthereisNATingorafirewallprohibitingthenodefrom
sendingdatadirectlytothelocalIP/defaultportoftheclient.Onceyoucheckthisoption,the
ClientreturnaddressconfigurationboxbecomesavailabletoentertheNATedIPaddress
andcustomport(e.g.,192.168.4.1:1545).TheClientreturnaddressboxisdisabledunlessthis
optionisselected.
CaseManagement
PrioritydeterminesthepriorityofconnectionforthisSAFE.
LowmeanstheconnectiontothisSAFEwillbereconnectedafterallother
connectionsofnormalorhighpriority.
NormalmeanstheconnectiontothisSAFEwillbereconnectedafterallother
connectionsofhighpriorityandbeforethoseconnectionsoflowpriority.
HighmeanstheconnectiontothisSAFEwillbereconnectedbeforeallother
connectionsofmediumorlowpriority.
165
166
New Case Wizard

TheNewCasewizardcapturesroleandcasesettings.Acaseisassociatedwithaspecificrole.
Rolesareestablishedbytheadministrator.
TheNewCasewizardconsistsoftwopages:
Rolepage
CaseOptionspage
CaseManagement
167
Role Page of the New Case Wizard

TheRolespageoftheLoginwizardassociatesthecasebeingcreatedwitharole.Rolesare
establishedbytheadministrator.
Note: Care should be taken here, because once a role is selected for a case, it cannot be changed.
RolescontainstheRolestree,whichorganizestherolesavailabletotheuser.Selecttherole
associatedwiththecasebeingcreatedfromtheRolestree.
168
Case Options Page of the New Case Wizard

TheCasesOptionspageoftheNewCaseWizardiswhereyouenterthenameofthecase,the
examinersnameandpathstofoldersassociatedwiththecase.
Namecontainsthenameofthecaseassociatedwiththecaseoptionssetonthistab.Thecase
nameisusedasthedefaultfilenamewhenthecaseissaved.Youcanchangethisfilename
whenyousavethecase.
ExaminerNameisthenameoftheinvestigator.
DefaultExportFoldercontainsthepathtoandnameofthefolderwherefilesareexported.
TemporaryFoldercontainsthepathtoandnameofthefolderwheretemporaryfilesare
created.
IndexFoldercontainstheindexfileforanyindexedfileorcollectionoffiles.
Add Device
Onceacaseisopen,addevidenceinaccordancewiththeinformationintheWorkingwith
Evidencesection.
CaseManagement
169
Using a Case
Acaseiscentraltoaninvestigation.Beforeyoucanaddadevice,previewcontent,oracquire
content,youmustopenacase.Thismaybeanewcaseoranexistingcase.
Onceyoucreateafile,youcanaddadevice,proceedwiththedevicepreviewandacquisition,
andsubsequentanalysis.
UsetheCaseOptionspagetodefineacase.Thesettingsonthispagearethesameasthoseon
theCaseOptionstaboftheOptionsdialog.
Onceacaseisopen,youcanestablishitstimezonesettings.
Modifying Case Related Settings

UsetheNewCasewizard,CaseOptionsdialogtomodifycaserelatedsettingsafterthecaseis
created.
1. Openthecase.
2. ClickTools>Options.
TheCaseOptionstabdisplays.
3. ChangethesettingsthroughthevarioustabsintheOptionsdialog.
4. ClickOK.
Formoreinformation,seetheInstallationofEnCaseEnterprisechapter.
170
Time Zone Settings

TheEnergyPolicyActof2005(PublicLaw109058)amendstheUniformTimeActof1966by
changingthestartandenddatesofdaylightsavingtimebeginningin2007.Clocksaresetahead
onehouronthesecondSundayofMarch,andsetbackonehourthefirstSundayinNovember.
Thisresultingextrafourweeksiscalledextendeddaylightsavingtimeperiod.EnCasesoftware
usestimezonedefinitionsstoredintheexaminersWindowsregistrytoadjustfordaylight
savingtimeandtimezoneadjustments.Microsoftreleasedapatchalteringhowthese
adjustmentsarestored.
TheWindowsregistrycontainsasubdirectoryofdynamicdaylightsavingstimeentriesfor
differentyears.Thisallowstheoperatingsystemtoapplycurrentdaylightsavingstimesettings
tonewfiles,andthecorrespondingyearsdaylightsavingstimeforolderfiles.
Onpatchedmachines,therootentryfordaylightsavingtimesettingsisupdatedtothe2007time
zonesettings,andthatiscurrentlytheentryEnCasesoftwareuses.Therefore,iftheexaminer
machineispatched,EnCasesoftwareusesthenew2007rulesforentrieswhosedateslieinthe
newfourweekextendeddaylightsavingtimeperiod.Consequentlyallfiledates,eventhosefor
previousyears,applythenewdaylightsavingstimesettings.
Settingthetimezonesettingsisaccomplishedtwodifferentways.Ifyouhaveanentirecase
whereyouwanttouseonetimezone,youcansetthetimezonefortheentirecase.Ifyouhave
severalpiecesofmediathatusedifferenttimezones,youwanttosetthetimezonesindividually
foreachdeviceinyourcase.
CaseManagement
171
Case File Time Zones

SetthetimezonefortheentirecasewiththeCaseTimeSettingsdialog.
ThefeaturesoftheCaseTimeSettingsdialogare:
AccountforSeasonalDaylightSavingsTimeappliesDSTrulesasdefinedbytheregistry
settings.Ifyouwanttousethenew2007DSTrules,ensureyourmachineispatched.
ConvertAllDatestoCorrespondtoOneTimeZoneenablestheDaylightSettingandthe
TimeZonelist.Thisallowsyoutoconvertalltimestomatchonetimezone.
DaylightSettingisdisabledunlessConvertAllDatestoCorrespondtoOneTimeZoneis
checked.UsetheoptionbuttonstoselectStandardorDaylightSavingstimeadjustments.
TimeZoneListisalsodisabledunlessConvertAllDatestoCorrespondtoOneTimeZone
ischecked.Thiscapturesthetimezoneyouwanttousewithyourcase.
172
Evidence File Time Zones

UsetheTimePropertiesdialogtosetthetimezoneforeachevidencefile.
ThefeaturesoftheTimePropertiesdialogare:
TimeZoneListcapturesthetimezonethesubjectdevicewassetto.
DetailsproviderulesusedforthetimezoneselectedintheTimeZonelist.Theruleslisted
herepopulateusingDynamicDaylightSavingsTime,whichrequiresthatyourcomputeris
properlypatchedinordertousethenewDSTrulesdescribedabove.
UseSingleDSTOffsetspecifiesnottouseDynamicDSTandinsteadapplyasingleDST
offsettotheentiredevice.Usethisoptionwhenthesubjectmachinedidnothavetheproper
2007DSTpatchdescribedabove.
YearSelectionListisdisableduntilUseSingleDSTOffsetischecked.Youcanselectwhich
DSTrulestobasetheDSTadjustmenton:
Use2006formachinesusingpre2007DSTrules
Use2007onlyoncomputersusingthenew2007DSTrules
Setting Time Zones Settings for Case Files

1. Openacase.
2. ClickView>CasesSubTabs>Home.
TheopencasesappearintheTablepane.
CaseManagement
173
3. Rightclickthecasewhereforwhichyouwanttosetthetimezoneandthenselect
ModifyTimeSettings.
TheCaseTimeSettingsdialogdisplays.
4. Ifyouwanttoaccountforseasonaldaylightsavingstimerules,selectAccountfor
SeasonalDaylightSavingTime.
5. Ifyouwanttoconvertalldatestoaparticulartimezone:
a. SelectConvertAllDatestoCorrespondtoOneTimeZone.
b. SelectaDaylightSetting.
c. SelectaTimeZone.
6. Whenyouarefinished,clickOK.
Setting Time Zone Options for Evidence Files

1. Openacasetodisplayitscontents
2. SelectaDevicefromtheTreepane,rightclickitandchooseModifytimezonesettings.
TheTimePropertiesdialogappears.
3. SelectaTimeZonefromtheTimeZonelist.
ThedetailsofthetimezoneappearintheDetailstextbox.
4. IfyouwanttouseasingleDSToffset,selectUseSingleDSTOffsetandselecttheyear
oftheDSTrulesyouwantapplied.
5. Whenyouarefinished,clickOK.
174
General Time Zone Notes

FAT,HFS,andCDFStimesarenotassociatedwithanytimezonewhenstoredonatarget
machine.Theinvestigatorassignsatimezonetotheevidenceatthedevicelevel.This
assignmentdoesnotchangedisplayeddatesunlessacasetimeissetanditisdifferent
fromthedevicetime.
NTFSandHFS+timesareassociatedtoGreenwichMeanTime(GMT)whenstoredona
targetmachine.
SetdevicetimezonesassociatesatimezonewiththestoredFATtimes,andforNTFS
displaysthecorrectoffsetfromGMT.
Note:Bydefault,alltimezonesaresettotheexaminermachinetimezone.
ModifyingthecasetimezonetoconvertalltimestoonetimezonechangestheFAT,HFS,
andCDFStimesifthedevicetimezoneisdifferentfromthatofthecasetimezone.All
NTFSandHFS+timesareadjustedtothecaseGMToffsetifconvertalltimesisapplied.
Atthecaselevel,thedaylightsettingsrespondthisway:
Ifstandardisselected,nochangeismadetoanytimes.
Ifdaylightisselected,onehourisaddedtoalldisplaytimesregardlessofthetimeof
year.
Theinvestigatorssystemclockdateinstandardordaylighttimeshouldhaveno
effectondisplayedtimes.
FAT, HFS and CDFS Time Zone Specifics

FAT,HFS,CDFS:Alltimesarestoredinitiallyasthesystemtimeoftheacquiredmachine.For
instance,ifafileissavedat3p.m.,thetimestoredis3p.m.Thereisnotimezoneassociatedto3
p.m.whenthetimeisstored.
Settingthetimezoneatthedeviceorvolumelevelidentifiesthetimezoneinwhichtherecorded
timesoccurred.Whentheevidenceisaddedtotheprogramitisassumedtobeinthe
investigatorslocaltime.
Modifyingthedeviceleveldoesnotchangetimesbecausethedevicetimezoneassociatesatime
zoneonlytothetimesstored.
CaseManagement
175
Time Zone Example

ThetargetcomputerhasanHFSinNewYork(5GMT).
Thefileiscreatedat3p.m.Thestoredtimeinthecomputeris3p.m.
Thedriveisimagedandtheinvestigatorwritesthatthecomputerdisplayedthecorrect
localtime.
AninvestigatorinCaliforniaopenstheevidencefile.TheEnCaseprograminitially
assignsatimezonetothedevicelevelof8GMTsincethatisthetimezonesettingofthe
Westcoastinvestigatorsmachine.Thetimestilldisplays3p.m.becauseEnCasesoftware
knowsthestoredtimeis3p.m.andthelocaltimezoneoftheexamineris8GMT.
Open a Case
Openacasetocontinueanalysisortoreviewacase.
1. SelectFile>Open.
2. Browseto,orselectthecasefromtherecentfileslistatthebottomofthemenu,andclick
Open.
Note: You can also open a case by double clicking the case file in Windows Explorer.
176
Saving a Case
Youcansaveacase:
Toitscurrentfilenameandlocation:seeSavingaCase(onpage176)inthisdocument.
Withanewfilenameoranewlocation:seeSavingaCasewithaNewNameorNew
Location(onpage176)inthisdocument.
Toitscurrentfilenameandlocationalongwiththeapplicationscurrentreferences,
conditions,andfilters:seeSavingaCaseandtheGlobalApplicationFiles(onpage176)
inthisdocument.
Saving a Case
Tosaveacase:
1. ClickFile>SaveorclickSaveonthetoolbar.
TheSavedialogappears.
2. IfyouwanttousethecasenameasthefilenameandusethedefaultpathinMy
Documents,clickSave.
3. Youcanalsonavigatetoorenteradifferentfilenameandpath,andclickSave.
Saving a Case With a New Name or New Location

Youcansaveanycasewithanewnameorsaveitinanewlocation.
1. ClickFile>SaveAs.
2. IfyouwanttousethecasenameorcurrentfilenameandusethedefaultpathinMy
Documents,clickSave.
3. Youcanalsonavigatetoorenteradifferentfilenameandpath,andclickSave.
CaseManagement
177
Saving a Case and the Global Application Files

Youcansavetheglobalapplicationfilescontainingpreferences,conditions,andfiltersinthe
locationsspecifiedintheStoragePathstaboftheOptionsdialog.
1. ClickFile>SaveAll.
2. IfyouwanttousethecurrentfilenameandthedefaultpathinMy Documents,click
Save.
3. Youcanalsonavigatetoorenterthedesiredfilenameandpath,andclickSave.
Close Case
Protecttheintegrityofcasesbyclosingthemwhentheyarenotbeingworkedon.
1. Savetheopencase.
2. InTreeview,placethecursoronanopencase.
3. ClickClose.
ClickYestoclosethecase.
Note: Close is also available from the right-click menu.
CHAPTER 7
Working with Evidence

In This Chapter
Overview
179
Supported File Systems and Operating Systems

Using Snapshots
182
Getting Ready to Acquire the Content of a Device

Acquiring
196
Remote Acquisition
Hashing
235
240
Logical Evidence Files

Recovering Folders
242
247
Recovering Partitions 250

Restoring Evidence
254
Snapshot to DB Module Set 260

WinEn 270
182
183
180
Overview
TheEnCaseapplicationorganizesdigitalevidenceintoanassociatedcase.Digitalevidenceis
previewed,thenpossiblyacquired.Onceevidenceisacquiredoraddedtoacase,itcanbe
analyzed.Inthissection,wefocusonpreviewing,acquiring,andaddingdigitalevidencetothe
case.
Types of Entries
Entriesincludeevidenceandotherfiletypescontainingdigitalevidencethatareaddedtoacase.
TherearefourclassesofevidencecontainingfilesthatEnCaseapplicationssupport:
EnCaseEvidenceFiles(E01)
LogicalEvidenceFiles(LEF/L01)
Rawimages
Singlefiles,includingdirectories
Thesefilesareacquiredoraddedtoacase.Beforedigitalevidencecanbeaddedtoacase,itis
previewed.
EnCase Evidence Files

EnCaseevidencefiles(E01)containthecontentsofanacquireddeviceandprovidethebasisfor
lateranalysis.
Encaseevidencefilesintegrateinvestigativemetadata,thedevicelevelhashvalue,andthe
contentofanacquireddevice.Thisintegrationsimplifiesevidencehandlingandinvestigative
effortsbykeepingthedevicelevelhashvalueandcontenttogether,andbysimplifyingtheeffort
requiredtoverifythattheevidencehasnotchangedsinceitwascollectedfromasubjectdevice.
DragginganddroppinganE01fileanywhereontheEnCaseinterfaceaddsittothecurrently
openedcase.
WorkingwithEvidence
181

LogicalEvidenceFiles(LEF/L01)arecreatedfromfilesseeninaprevieworexistingevidence
file.Theyaretypicallycreatedafterananalysisfindssomenoteworthyevidence.
WhenLEFsareverified,thestoredhashvalueofthefileiscomparedtotheentryscurrenthash
value.
Ifthehashofthecurrentcontentdoesnotmatchthestoredhashvalue,thehashis
followedbyanasterisk(*).
IfnocontentfortheentrywasstoredwhencreatingtheLEF,butahashwasstored,the
hashisnotcomparedtotheemptyfilehash.
IfnohashvaluewasstoredfortheentrywhencreatingtheLEF,nocomparisonisdone,
andanewhashvalueisnotpopulated.
Raw Image Files

Rawimagefilescontainacollectionoffilesbutlacktheintegrationofmetadataandcompression
hashvaluesthattheEnCaseevidencefileprovides.
Beforerawimagefilescanbeacquiredtheymustbeaddedtoacase.TheLinuxddcommandis
typicallyusedtoproducerawimagefiles.Rawimagefilescanbeacquiredandaddedtoacase.
Duringacquisition,therawimagefilecanbehashedandcompressed.Onceacquiredrawimage
filesareincorporatedintoanEnCaseevidencefile.
Single Files
IndividualfilescanbeaddedtothecaseonceActivateSingleFilesisselected.
AnyfiletypesupportedbyanEnCaseapplicationcanbeaddedtoacase.Youcandothis
throughtheinterface,orthroughdraganddrop.Whenfilesareadded,theyappearintheview
pane.
Youcanaddafoldercontainingfilestoacase.Thiscanonlybedoneusingdraganddrop.When
youaddfolders,thefoldersappearintheentriestreeandtheentriestable.Theindividualfiles
withinthefolderappearonlyontheentriestable.
182

Whatsnewinthisrelease:
SupportfortheNovellFileSystem
UFS2FileSystem
MacDMGimagefiles
UpdatedNTFSParser
GUIDpartitiontables,asimplementedaccordingtotheIntelExtensibleFirmware
Interface(EFI)arealsosupported
SupportfortheDOSEN.EXEutilitywasdropped,soyoushouldnowdodrivetodriveand
crossovercableacquisitionsusingtheLinEnutility.
Using Snapshots
Snapshotscollectavarietyofinformationtocreatesnapshotbookmarks.Snapshotsarethe
outputofEnScriptprograms.InEnCaseForensic,onlytheScanLocalMachineEnScript
programcreatessnapshots.InEnCaseEnterprise,thefollowingEnScriptprogramscreate
snapshots:
SweepEnterprise
QuickSnapshot
TheSweepEnterpriseEnScriptprogramcapturesliveinformationfromaselectednetworktree
withoutacaseorEnterpriselogonneededbeforerunning.
TheQuickSnapshotEnScriptprogramcapturesliveinformationfromaselectedmachine
associatedwithadeviceinanopencase.
FormoreinformationontheseEnScriptprograms,seeEnterpriseEnScriptPrograms(onpage
481).
WorkingwithEvidence
183
Getting Ready to Acquire the Content of a Device

Beforeyoucanacquirethecontentsofadevice,youmustaddthedevice,andpreviewthe
devicescontent.
Toadd,preview,oracquirethecontentofadevice,firstopenthecaseassociatedwiththe
device.
Toacquirethecontentofadevice:
1. UsingtheAddDevicewizard,addthedevice.
2. UsingtheEnCasemainwindow,previewthecontentofthedevice.
YouarereadytoacquirethecontentsofthedeviceasanEnCaseevidencefileinthecurrently
openedcase.
Previewing
Previewingisdonebeforeanacquisition,soaninvestigatorcandetermineifthedeviceshould
beacquired.Apreviewisnotoptional,althoughtheinvestigatordeterminestheextentofthe
preview.Duringapreview,thecontentofthedevicecanbeanalyzedjustasifthecontenthad
beenacquired.
Note: A write blocking device , such as the FastBloc write blocker, prevents the subject device from
changing. Previewing via a crossover network cable is useful if a write blocking device is not available.
Bypreviewing,theinvestigatordoesnothavetowaittofinishanacquisitionbeforedoinga
preliminaryexamination.Whilepreviewing,youcanrunkeywordsearches,createbookmarks,
performCopy/UnErase,andotheranalysisfunctions.Thesesearchresultsandbookmarkscanbe
savedintoacasefile,however,eachtimethecaseisopened,thesubjectmediamustbe
physicallyconnectedtotheinvestigatorsmachine.
184
Live Device and FastBloc Indicators

IntheEntriesTablepaneandthePreviewDevicespageoftheAddDevicewizard,graphical
indicatorsmarkthedevicesthatarepreviewedorblockedviaFastBlockoranotherwrite
blockingdevice.
Abluetriangleinthelowerrightcornerofthedeviceiconindicatesaprevieweddevice.
AbluesquarearoundthedeviceiconindicatesthedeviceiswriteblockedbyFastBloc.
Previewing the Content of a Device

Oncedevicesandevidencefilesareaddedtothecasefile,thedevicescanbepreviewedbefore
theyareacquired.
Note: When a file is initially written to a multi-session CD it is assigned an offset. When the same file is
changed, it is written again to the CD, as a new file in the new session, but with the same offset. Any
number of revisions of the initial file are assigned the same offset. The file and all of its revisions can be
viewed. Because the offset is used to associate bookmarks to the bookmarked entity, bookmarks of
content on multi-session CDs will remount the first file it encounters with this offset when reopening the
case.
Verifythedevicecontainingthecontenttobepreviewedwasaddedtothecase.
Topreviewthecontentofadevicethatwasaddedtothecurrentlyopenedcase:
1. OntheTreepaneorTablepaneofthemainwindow,lookattheiconofthedevicebeing
previewedtoseeifitisliveorwriteblocked.
2. Performanyevidenceanalysisrequiredtodetermineifadeviceshouldbeacquired.
3. Onceyouhavedeterminedthedeviceshouldbeacquired,acquireit.
WorkingwithEvidence
Add Device Wizard

UsetheAddDevicewizardtoaddadeviceforlateracquisition.
TheAddDevicewizardincludes:
Sourcespage
SessionsSourcespage(optional)
ChooseDevicespage
PreviewDevicespage
YoumustopenacasebeforetheAddDevicewizardcanbeopened.
185
186
Sources Page of the Add Device Wizard

YoucanselectoneormoretypesofsourcesontheSourcespageoftheAddDeviceWizard.
Localdrives,aPalmPilot,oranetworkcrossoverconnectioncanbeusedasasourcedevicefor
subsequentpreviewsoracquisitions.Inadditiontolocaldevices,youcanaddfoldersintended
tocontainevidencefiles.
SessionsopenstheSessionsSourcespageoftheAddDeviceWizardwhenNextisclicked.
SourcesTreePaneorganizesthedevicesourcesfromwhichcontentislaterpreviewedor
acquired.
SourcesRootObjectcontainsthechildobjects.Therightclickmenudisplayscommandsfor
thisobject.Youcan:
ExpandorcollapseobjectsintheSourcestree.
SelectvariousobjectsintheSourcestree.
LocalObjectreferstolocaldevicesphysicallyconnectedtothemachine,whichcouldinclude.
WorkingwithEvidence
187
Floppydrive
PalmPilot
Removablemedia
Harddrive
Anothercomputer
ThedevicetypesappearasentriesintheTablepanewhentheobjectisselected.Rightclick
menucommandsforthisobjectdeterminehowto:
ExpandorcollapseobjectsintheSourcestree
SelectvariousobjectsintheSourcestree
EvidenceFilesFolderObjectcontainsfoldersaddedassourcefolderscontainingevidencefiles.
TheTablepanedisplaysthesamefoldersasthetree.Therightclickmenucommandsforthis
objectletyou
Addfolders
DeterminewhichobjectsappearintheSourcesTree
DeterminewhichentriesareshownintheTablepanewhentheobjectisselected
EvidenceFolderObjectsrepresentseachfolderaddedasacontainerofevidencefiles.Asleaf
nodesofthetree,theevidencefilesdonotshowinthetree,buttheydoappearintheTable
pane.Therightclickmenucommandsforthisobjectletyou:
Deletethefolderwhereyouopenedtherightclickmenu
DeletefoldersselectedintheSourcestree
DeterminewhichobjectsappearintheSourcestree
DeterminewhichentriesareshownintheTablepanewhentheobjectisselected
TablePanedisplaysthechildrenofthecurrentlyselectedfolderobjectintheSourcestree.The
rightclickmenucommandsforthisobjectletyou
Deletethefolderwhereyouopenedtherightclickmenu
Deletefoldersselectedinthetree
Copytheentrywhereyouopenedtherightclickmenu
Selecttheobjectonthetreethatcorrespondstotheentrywhereyouopenedtheright
clickmenuintheTablepane
Navigatetotheparentoftheobjectcontainingtheentrywhereyouopenedtherightclick
menuintheTablepane
188
Sessions Sources Page of the Add Device Wizard

WhenSessionsisenabled,youcanaddevidencefilestotheSourcestreeusingtheAddTextList
dialogortheAddEvidenceFilesbrowser.
SessionsopenstheSessionsSourcespageoftheAddDeviceWizardwhenyouclickNext.
AddTextListopenstheAddTextListdialog,whichcontainsalistofpathstoandfilenamesof
evidencefilestobeaddedinbatchtotheSourcestree.
AddEvidenceFilesopenstheAddEvidenceFilesfilebrowserwhereyoucanenterthepathto
andthefilenameofanevidencefile,sotheevidencefileisaddedindividuallytotheSources
tree.Thefollowingtypesoffilescanbeaddedusingthisfilebrowser:
EvidenceFile(.E01)
SafeBackFile(.001)
VMwareFile(.VMDK)
LogicalEvidenceFile(.L01)
VirtualPCFile(.VHD)
SourcesTreeorganizesthefoldersusedtocontaintheevidencefilesaddedeitherasbatchfile
listsorindividualfiles.Youcanorganizethefoldersinthistreehierarchicallyasdesired.
SourcesRootObjectcontainsthedefaultfoldersandfoldersaddedbytheuserthatorganizethe
evidencefileseitheraddedortobeaddedtotheSourcestree.Rightclickmenucommandsfor
thisobjectletsyou:
WorkingwithEvidence
189
Addanewfolderasachild
Expandorcollapsethesubordinatetree
AnychildobjectsofthisobjectonthetreeappearinasentriesontheTablepane.Thechildrenof
thisobjectcanbeorganizedhierarchicallybydragginganddroppingfoldersintoeachother.
CurrentSelectionisadefaultchildoftheSourcesrootobject.Itcontainsanyevidencefiles
addedtotheSourcestreeduringthecurrentsessionorinvocationoftheAddDeviceWizard.
ThenexttimetheAddDeviceWizardisopened,theevidencefileslistedherearemovedtothe
LastSelectionfolder,andthisfolderisemptied.Therightclickmenuonthisobjectletsyou:
Deletethisobject
Renamethisobject
AnychildobjectsofthisobjectappearasentriesontheTablepane.Youcanorganizethe
childrenofthisobjecthierarchicallybydragginganddroppingfoldersintoeachother.
LastSelectionisadefaultchildoftheSourcesrootobject.Itcontainsanyevidencefilesaddedto
theSourcestreeduringthepriorsessionorinvocationoftheAddDevicewizard.Thenexttime
theAddDevicewizardisopened,theevidencefileslistedintheCurrentSelectionfolderare
movedtothisfolder,andanyevidencefileslistedbeforethemoveareremovedfromthefolder.
Onceadded,theevidencefilescontinuetobeusedassourcesuntiltheyareindividually
removedregardlessofwhethertheyshowintheselectionfolders.
Therightclickmenuonthisobjectletsyou:
Deletethisobject
Renamethisobject
AnychildobjectsofthisobjectonthetreeappearasentriesontheTablepane.Youcanorganize
thechildrenofthisobjecthierarchicallybydragginganddroppingfoldersintoeachother.
TablePanedisplaysthechildrenofthecurrentlyselectedobjectintheSourcestreeasentriesin
thetable.Rightclickmenucommandsforthisobjectletyou
Copyanentryforuseelsewhere;thecopiedentrycannotbepastedintothetable
Deleteanentry
Renameoreditanentry
Navigatetotheparentobjectoftheobjectcontainingtheentry
190
Choose Devices Page of the Add Device Wizard

Oncelocaldevicesaredefined,asubsetofthoseareselectedheresotheycanbeaddedtoacase.
WorkingwithEvidence
191
DevicesTreeorganizesthedevicedefinitionstobeaddedtoacase.
DevicesRootObjectcontainsthedefaultfoldersthatreflectthetypesofdevicesdefinedatthis
pointintheAddDevice(seeAddingaDeviceonpage192)process.Rightclickmenu
commandsforthisobjectdetermine:
WhichobjectsappearintheSourcestree
WhichentriesdisplayintheTablepanewhentheobjectisselected
LocalDrivesObjectcontainsthecurrentcollectionofchildinstancesoftheLocalDrivesdevice
typeentriesontheTablepane.Rightclickmenucommandsforthisobjectdetermine:
WhichobjectsappearintheSourcestree
WhichentriesdisplayintheTablepanewhentheobjectisselected
TablePanedisplaysthechildrenofthecurrentlyselectedobjectintheSourcestreeasentriesin
thetable.Rightclickmenucommandsforthisobjectletyou:
ToggletheReadFileSystemColumnvalue
Copyanentryforuseelsewhere,asthecopiedentrycannotbepastedintothetable
Selectanentry
Editanentry
Navigatetotheparentobjectoftheobjectcontainingtheentry.
DeviceSelectionColumncontainsacheckboxforeachrow.Toaddadevice,clickits
checkbox,thenclickNext.
ReadFileSystemColumn:Ifthissettingnotselected,thefilesystemisreadinasaflatfilefrom
sector0tothelastsector.Files,folders,andanyotherfilesystemarchitecturalstructureislost.
192
Preview Devices Page of the Add Device Wizard

Thispagedisplaysalistofthedeviceseligibletoadd.
TablePaneliststhedevicesthatareaddedbyclickingNext.
TableEntryRowsdisplaythedetailsofthedevicedefinedinthatrow.Therightclickmenufor
eachrowprovidescommandsthat:
ToggletheReadFileSystemsettingfortheentrywhereyouopenedtherightclickmenu
Copytheentry
EdittheentryincludingtheReadFileSystemvalue.Thebestmeanstoselectorenable
theReadFileSystemisviathiseditcommand.
ReadFileSystemColumnwhendeselected,thefilesystemisreadinasaflatfilefromsector0
tothelastsector.Files,folders,andanyotherfilesystemarchitecturalstructureislost.
WorkingwithEvidence
193
Adding a Device
ThedevicesaddedusingtheAddDevicewizarddeterminethetypeofacquisitiontobe
performed.TheprimarydetermineristhedevicetypesetontheSourcesPageoftheAddDevice
wizard.Theprocessforaddingadevicevariesoncethedevicetypeisselected.
Openacasewhereyouwanttoadddevices.Whenacaseisopen,theAddDevicebutton
displaysonthemainwindowtabbar.
1. ClickAddDevice.
TheSourcespageoftheAddDevicewizardappears.IntheSourcestreetheLocalobject
isselected,andthelocaldevicetypesarelistedintheTablepane.
2. CompletetheSourcespageoftheAddDevicewizardasneeded,andclickNext.
IfyoucheckedSessionsontheSourcespageoftheAddDevicewizard,theSessions
SourcespageoftheAddDevicewizardappears.Otherwise,theChooseDevicepage
appears.
3. IfSessionswasselectedontheSourcespage,completetheSessionsSourcespageand
clickNext.
TheChooseDevicepageappears.
4. CompletetheChooseDevicepageasneeded,andclickNext.
ThePreviewDevicespageappears.
5. CompletethePreviewDevicespageasneeded,andclickNext.
ThedevicesdefinedandselectedontheAddDevicewizardareaddedtothecurrently
openedcase.
Thedevicesthatwereaddedtothecasecannowbepreviewedandacquired.
194
Completing the Sources Page

TheSourcespageoftheAddDevicewizardenablesyoutodetermine:
Thedevicetypesofthedevicesaddedtothecase
Theevidencefilesaddedtothecase
Beforeyoubegin:
Openthecase
OpentheAddDevicewizardtotheSourcespage.
Note: For a local acquisition, see Acquiring a Local Drive
Note: For a Palm Pilot acquisition, see Acquiring a Palm Drive
Note: For a network crossover acquisition, see Doing a Drive-to-Drive Acquisition in LinEn
1. Toacquireorpreviewalocaldrive:
a. SelecttheLocalobjectintheSourcestree
b. ClickthecheckboxforLocalDrivesintheTablepane.
2. ToacquireorpreviewaPalmPilot:
b. ConnectthePalmPilotandsetittoconsolemode
c. ClickthePalmPilotcheckboxintheTablepane.
3. Toacquireorpreviewanetworkcrossover:
b. StarttheLinEncrossoverconnectionacquisition
c. Ifappropriate,connectthecrossoverconnection
d. ClicktheNetworkCrossovercheckboxintheTablepane.
4. Toaddevidencefilestothecasefile,selectSessions.
TheSessionsSourcespageappearsafterclickingNext.
5. ClickNext.
IfSessionswasselected,theSessionsSourcespageappears;otherwise,theChoose
Devicespageappears.
WorkingwithEvidence
195
Completing the Sessions Sources Page

AftertheSourcespageoftheAddDevicewizardiscompletetheSessionsSourcespageappears.
Beforeyoubegin:
Openthecase
CompletetheSourcespageintheAddDevicewizard
SelectSessions
DraganddropanevidencefilefromWindowsFileExplorertothispage.
1. Toaddalistofevidencefiles:
a. ClickAddTextList.
b. Enterthepathandfilenameforeachevidencefiletobeaddedusingthelist.
c. ClickOK.
2. Toaddasingleevidencefileusingafilebrowser:
a. ClickAddEvidenceFile.
b. Browsetoorenterthepathandfilenameoftheevidencefiletobeadded.
c. ClickOK.
3. Ifmoredevicesneedtobeadded,clearSessions.
Ifallthedeviceshavebeenadded,clickNext.
IfSessionswascleared,theChooseDevicesPageappears;otherwise,theSourcespageappears.
Completing the Choose Devices Page

ThispagedisplaysthedevicesdefinedthatcanbeaddedtothecasebytheAddDevicewizard.
Atthispointintheacquisition,thesourcedeviceswereaddedtotheAddDevicewizard.
Toselectthesubsetofdevicestoadd:
1. WithanentityobjectselectedintheTreepane,intheTablepaneselectthesourcestobe
addedtothecasebyselectingorclearingtheDeviceSelectionColumncheckboxfor
eachsource.
2. ClickNext.
ThePreviewDevicespageoftheAddDevicewizardappears.
196
Completing the Preview Devices Page

Thispagedisplaysonlytheselecteddevicesfromthoseinitiallydefined.
Selectasubsetofthedefineddevicesandevidencefilessotheycanbeaddedtothecase.
Toverifythatthelistofdevicestobeaddediscorrect:
1. RevieweachrowintheTablepane,andIfthedeviceattributesneedtobechanged,do
thefollowing:
a. Rightclickontherowcontainingthedevicewhoseattributesneedtobechanged,
andclickEdit.TheDeviceAttributesdialogappears.
b. Enterthedesiredchanges.
2. Ifthedeviceshouldbeacquiredasaflatfile,clearReadFileSystem.
3. ClickOK.
ThechangesmadeintheDeviceAttributesdialogappearintheTablepane.
4. Ifthelistofdevicestobeaddediscorrectandcomplete,clickNext;otherwiseclickBack
asnecessarytorevisevalues.
ThedevicesdefinedintheAddDevicewizardareaddedtothecase.
Acquiring
Onceadeviceisadded,itscontentscanbeacquired.Beyondanacquisition,youcanaddEnCase
evidencefilesandrawevidencefilestothecase.Rawevidencefilescanbereacquired,sothat
theyaretranslatedintoEnCaseevidencefilescompletewithmetadataandhashvalues.Palm
Pilotscanalsobeacquired.TheLinEnutilityalsoletsyoudonetworkcrossoverincollaboration
withEnCaseFieldIntelligenceModelandyoucanuseLinEntoperformdisktodisk
acquisitions.EnCaseevidencefilesoriginatinginothercasescanbeaddedaswell.
Alloftheseacquisitionsarediscussedinthissection.
WorkingwithEvidence
197
Types of Acquisitions
ThereareseveraltypesofacquisitionsthatcompriseEnCaseevidencefiles(E01)andassociate
thesefileswiththecurrentlyopenedcase.
Thereareseveraladditionaldigitalevidencefiletypesthatareassociatedwiththecurrently
openedcasebutdonotinvolveacquisitions,exceptwhenreacquired.
Therearealsologicalevidencefiles(LEF),usuallyconstructedduringapreview.
ThelocalsourcesforacquisitionscreateE01s.
Localsourcesinclude
Localdrives(usingawriteblocker)
PalmPilot
Networkcrossover(LinEn)
Localdevices(LinEndisktodisk)
Evidencefilesareaddedthroughtheinterface.Theevidencefilesinvolvedincludethosecreated
byaLinEndisktodiskacquisition.Youcanaddevidencefilesinitiallycreatedforothercasesto
thecurrentlyopenedcaseaswell.
AnetworkcrossoveracquisitioninvolvesbothLinEnandtheEnCaseapplication.
LinEndisktodiskacquisitionscreateevidencefilessafelyintheLinuxenvironmentwithout
usingawriteblocker.
Dragginganddroppingafileresultsinthefilebeingaddedasasinglefile,ratherthanan
evidencefile.Whenanevidencefileisdraggedanddropped,itisaddedtothecaseasan
evidencefile.
Doing a Typical Acquisition

AtypicalacquisitionconsistsoflocaldeviceacquisitionusingWindowsandaFastBlocwrite
blocker.
198
Acquisition Wizard
UsetheAcquisitionwizardtoperformacquisitions.
Beforeacquiringadevicescontent,thedevicemustbeaddedtothecaseusingtheAddDevice
wizard.
TheAcquisitionwizardcapturesthespecificationsfortheacquisition.Thewizardcontainsthe
followingpages:
AfterAcquisitionpage
(Optional)Searchpage
Optionspage
Eachisexplainedindetailbelow.
WorkingwithEvidence
After Acquisition Page

UsetheAfterAcquisitionpageoftheAcquisitionwizard:
toeasetheacquisitionofsubsequentdisks
toenablesearch,hash,andsignatureanalysistolaunchautomaticallyafterthe
acquisitioniscompleted
todeterminewhathappenstothenewimage
torestartacancelledacquisition
199
200
Acquireanotherdiskenablestheinvestigatortoworkthroughaseriesofacquisitions(typically
floppydiskcontent)withoutaddinganewdeviceforeachacquisition.WhenAcquireanother
diskischecked:
Replacesourcedeviceisdisabled
Search,HashandSignatureAnalysisisenabled.
Search,HashandSignatureAnalysisopenstheSearchpageoftheAcquisitionwizard,where
search,hashandsignatureanalysisaredefined,afterclickingNext.
NewImageFileGroupcontrolsinthisgroupdeterminehowthenewlyacquiredimageis
saved.ThedefaultisReplacesourcedrive.
Donotaddexcludesthenewlyacquiredimagefromthecurrentlyopenedcase.
AddtoCaseaddsthenewlyacquiredimageinthecasefileassociatedwiththedevicewherethe
imagewastaken.
Replaceasourcedeviceaddsthenewlyacquiredimagetothecaseandremovesthepreviewed
devicewheretheacquisitionwasmade.
RestartAcquisitionrestartsacancelledacquisition.Iftheacquisitionwasinterrupted,butnot
cancelled,thatacquisitioncannotberestarted.WhenyoucheckRestartAcquisition,Existing
EvidenceFileanditsassociatedbrowsebuttonareenabled.Thefilecontainingthedatafrom
thecancelledacquisitionisavailabletospeedupthecurrentacquisition.Theincompleteset
containingthecancelledfilecanbereplacedwithasetcontainingallthedata.
ExistingEvidenceFilecontainsthepathandfilenameoftheevidencefilewhoseacquisitionwas
cancelledearlier.Theexistingevidencefileisreplacedbytheacquisitioninprogress.
ExistingEvidenceFileBrowseopenstheWindowsfilesystembrowsertocapturethepathand
filenameoftheexistingevidencefile.
WorkingwithEvidence
201
Search Page
UsetheSearchpageoftheAcquisitionwizardto:
Searchtheentirecase
Defineakeywordsearch
Defineanemailsearch
Computehashvalues
Verifyfilesignatures
Identifycodepages
Searchforinternethistory
Ultimately,thesesearchesandanalyseslengthentheacquisitiontime.Forlongacquisitions,
thesesearchescanbeperformedindependentlyfromtheacquisitiononcetheacquisitionis
complete.
202
SelectedItemsonlyacquiresonlythosefilesyouchecked.
KeywordSearchOptionscontainscontrolsusedtodefineakeywordsearchwhilethecontentof
thedeviceisacquired.
Searchentriesandrecordsforkeywords:executesakeywordsearchwhenchecked.When
unchecked,othercheckedfunctionsareperformed,butthekeywordsearchisnot.Thisallows
youtorunasignatureanalysisorahashanalysiswithoutrunningakeywordsearch.This
optionalsoenables:
Selectedkeywordsonly
Searchentryslack
Useinitializedsize
Undeleteentriesbeforesearching
SearchonlyslackareaofentriesinHashLibrary
Selectedkeywordsonlyrestrictsthenumberofkeywordsusedduringthekeywordsearchto
thenumberofkeywordsspecified(showninNumberofKeywords).
Searchentryslackincludesfileslackinthekeywordsearch.
Useinitializedsizeusestheinitializedsizeofthedeviceduringthekeywordsearch.
Undeleteentriesbeforesearchingundeletesdeletedfilesbeforetheyaresearchedfor
keywords.
SearchonlyslackareaoffilesinHashLibrarydetermineswhethertheslackareasofthefiles
includedinthehashlibraryaresearched.
HashOptionscontainscontrolsusedtocomputehashvalues.
Computehashvaluedetermineswhetherahashvalueiscomputed.
Recomputehashvaluedetermineswhetherahashvalueisrecomputed.Whenyourecompute
thehashvalues,theyarerecomputedevenifhashvaluesarealreadypresent.
EmailSearchOptionscontainscontrolsusedtodefineanemailsearchperformedwhile
acquiringthecontentofthedevice.
Searchforemailperformsanemailsearch.Thisoptionalsoenablescontrolsthatdeterminethe
typeofemailsought.
RecovereddeleteddetermineswhetherdeletedemailthatremainsinthePSTfilesincethelast
compactoperationisrecovered.
WorkingwithEvidence
203
Outlook(PST)includes.pstfilesinthesearch.
OutlookExpress(DBX)includes.dbxfilesinthesearch.
Exchange(EDB)includes.edbfilesinthesearch.
Lotus(NSF)includes.nsffilesinthesearch.
AOLincludesAOLemailfilesinthesearch.
MBOXincludesMBOXemailfilesinthesearch.
AdditionalOptionscontainscontrolsthatdetermineadditionalanalysistoperformonthe
contentbeingacquired.
Verifyfilesignaturesauthenticatesfilesignaturesduringtheacquisition.
Identifycodepage:Ifyoucheckthisoption,thesoftwareattemptstodeterminethecodepageof
eachfile,thensavesthosecodepagesforlateruseintheviewpanewhenthefilecontentsare
displayed.
SearchforinternethistoryfindsInternethistoryfilesduringtheacquisition.
204
Options Page
TheOptionspageoftheAcquisitionwizarddefinesthemetadataandvariousaspectsofthe
imagegeneratedbytheacquisition,whichconstitutestheEnCaseevidence.
WorkingwithEvidence
205
NamecontainsthenameoftheEnCaseEvidenceFilethatcontainstheimageresultingfromthe
acquisitionoftheunderlyingdevice.
EvidenceNumbercontainstheinvestigatorassignednumberfortheEnCaseevidencefile
producedbytheacquisitioninprogress.
NotescontainstheinvestigatorsnotesregardingthisEnCaseevidencefile.
FileSegmentSizespecifiesfilesegmentsizeoftheevidencefiles.Itisusefulforcontrollingthe
sizeofevidencefiles.
StartSectorspecifiesthefirstsectorofthecontentyouwanttoacquire.
StopSectorspecifiesthelastsectorofthecontentyouwanttoacquire.
PassworddeterminesiftheEnCaseevidencefileispasswordprotected,andwhatpasswordis
used.EnteringapasswordenablesConfirmPassword.Thispasswordcannotbereset.
BlocksizedeterminestheblocksizeofthecontentswhereCRCvaluesarecomputed.
Errorgranularitydeterminestheportionoftheblockiszeroedoutifanerrorisencountered.
TheerrorgranularitywillbeatthemostthesamevalueasBlocksize,oranevenfractionof
Blocksize.
Quickreacquisitionallowsyoutoquicklyreacquireinordertochangethefilesegmentsize,or
toapplyorremoveapassword.
ReadAheadreadstheacquiredcontent,sothaterrorscanbedetectedbeforetheblockis
acquired,orCRCsarecalculatedandhashed.
OutputPathdeterminesthepathandfilenamewheretheEnCaseevidencefileresultingfrom
theacquisitioniswritten.
AlternatePathcontainsthepathandfilenameofanalternativedestinationvolumewherethe
EnCaseevidencefileisstoredifthefirstlocationrunsoutofdiskspace.
206
Acquisition Results Dialog

Thisdialogdisplayswhileanacquisitionisperformed.
ConsolesendsthestatusmessagesdisplayedinthedialogtotheConsoletaboftheview.
Notewritesthecontentsofthestatusmessageintoabookmarknotecontainingthedeviceand
EnCaseevidencefilebeingacquired.
LogRecordaddsthestatusmessagesdisplayedtoabookmarklogrecord.
WorkingwithEvidence
207
Opening the Acquisition Wizard

Beforeyoubegin:
OpenthecaseassociatedwiththeEnCaseevidencefilebeforeyouacquireanEnCaseevidence
file.Thedevicefromwhichthecontentisacquiredmustalreadybeaddedtothecase.
To open the Acquisition wizard:

1. ToreachtheEntriestree,intheTreepane,clickCases>Entries>Home.
TheEntriestreedisplaysintheTreepane.
2. IntheEntriestree,highlightthedesireddevice.
3. Rightclickthehighlighteddeviceobject.
TheDevicerightclickmenuappears.
4. ClickAcquire.
TheAcquisitionwizardappears.
ContinuecreatinganEnCaseevidencefilebycompletingtheacquisitionspecificationusingthe
Acquisitionwizard.
208
Specifying and Running an Acquisition

ThiscompletescreationofanEnCaseEvidenceFile.
Beforeyoubegin:
OpentheAfterAcquisitionpageoftheAcquisitionwizard.
Tospecifyandruntheacquisition:
1. Asneeded,changethedefaultsettingsontheAfterAcquisitionpageasdescribedin
CompletingtheAfterAcquisitionPageoftheAcquisitionWizard.
2. ClickNext.
IfyouselectedSearch,HashandSignatureAnalysis,theSearchpageoftheAcquisition
wizardappears.Otherwise,theOptionspageoftheAcquisitionwizardappears.
3. IftheSearchpageappeared:asneeded,
ChangethedefaultsettingsontheSearchpage,describedinCompletingtheSearch
PageoftheAcquisitionWizard
ClickNext.
TheOptionspageoftheAcquisitionwizardappears.
4. Asneeded:
ChangethedefaultsettingsontheOptionspage,describedinCompletingthe
OptionsPageoftheAcquisitionWizard
ClickFinished.
Theacquisitionbegins.
Ifthefileistobesavedinthecase,theCRCsareverified,andanyafteracquisition
processingisperformed.
WorkingwithEvidence
209
Thethreadstatusesfortheacquisition,verification,andpostprocessingisdisplayedas
theprocessesexecute.
Oncetheprocessesarecomplete,theresultsdialogappears.Whiletheacquisitionis
running,theacquisitioncanbecancelled(seeCancellinganAcquisition).
Note: The evidence file containing both the content of the device and its associated metadata is saved as
determined by the New Evidence File on the After Acquisition page of the Acquisition Wizard.
Completing the After Acquisition Page of the Acquisition Wizard

ThispageoftheAcquisitionwizardspecifiestheactionstakenoncethecontenthasbeen
acquired,butbeforetheacquisitioniscompleted.
Beforeyoubegin:
OpentheAcquisitionwizardtotheAfterAcquisitionpage.
To define actions after the acquisition:

1. Ifadditionaldisksaretobeacquiredafterthisacquisition,selectAcquireanotherdisk.
WhenAcquireanotherdiskisacquired,theimageassociatedwiththatdiskisaddedto
thecase,andtheNewImageFilevalueissettoreflectthis.
2. Ifthecontentbeingacquiredistobesearched,hashed,oranalyzedforsignatures,select
Search,HashandSignatureAnalysis.
210
3. ClickNext.TheSearchpageoftheAcquisitionWizardappears.
4. InNewImageFile,clickontheappropriatedispositionofthefilecontainingthe
acquiredimage.
5. Ifyouwanttorestartacancelledacquisition:
a. SelectRestartAcquisition.
b. BrowsetoorenterthefilenameandpathoftheEnCaseevidencefilecontaining
thepartialacquisitiontoberestarted.
6. ClickNext.
IfyouselectedSearch,HashandSignatureAnalysis,theSearchpageoftheAcquisitionwizard
appears;otherwise,theOptionspageappears.
Completing the Search Page of the Acquisition Wizard

Thispagedefinesthesearches,hashing,andadditionalanalysisperformedaspartofthe
acquisitionafterthecontentisacquired.
Beforeyoubegin:
OpentheAcquisitionWizardtotheSearchpage.
WorkingwithEvidence
211
Todefinetheanalysisprocessingaspartoftheacquisition:
1. Dothefollowingasrequired:
Tosearchallthecontentofdevicesassociatedwiththecase,notjustthecontentofthe
devicebeingacquired,clickSearchentirecase.
Toperformakeywordsearch,clicktheappropriatecontrolsintheKeywordSearch
Options.
Toperformanemailsearch,clicktheappropriatecontrolsinEmailSearchOptions.
Tocomputeorrecomputehashvalues,clicktheappropriatecontrolsinHash
Options.
Toverifyfilesignatures,inAdditionalOptions,clickVerifyFilesignatures.
Toidentifycodepages,inAdditionalOptions,clickIdentifycodepages.
Tosearchforinternethistoryfiles,inAdditionalOptions,clickSearchforinternet
history.
2. ClickNext.
TheOptionspageoftheAcquisitionwizardappears.
212
Completing the Options Page of the Acquisition Wizard

ThispageoftheAcquisitionWizardspecifieshowtheEnCaseevidencefileisbuiltduringthe
acquisition,andthedispositionofthatfileaftertheAcquisitioniscomplete.
TodefinehowtheEnCaseevidencefileisbuiltandoutput:
1. Acceptthedefaultvaluesorenterorselectalternativevalues.
2. EnteranEvidenceNumberandNotes.
3. Ifahashhasnotbeenrequestedyetandoneisdesired,clickGenerateimageHash.
4. Ifyoumightrunoutofstoragespacewhereyouarestoringtheacquireddevice,specify
additionalstoragebybrowsingtoorenteringapathandfilenameinAlternatePath.
5. ClickFinish.
Theacquisitionstarts,andtheThreadStatusLineappearsatthebottomrightcornerof
themainwindowdisplayingthestatusofthethreadperformingtheacquisition.Youcan
canceltheacquisitionduringprocessing(seeCancellinganAcquisition).
6. WhentheAcquisitionResultsdialogdisplaysastatusoffinished,selectConsole,Note,
orLogRecord.
7. ClickOK.
WorkingwithEvidence
213
TheAcquisitionResultsdialogclosesandtheacquisitioniscomplete.
Canceling an Acquisition
YoucancancelanacquisitionwhileanAcquisitionisrunning.Aftercanceling,theAcquisition
canberestarted.If,however,theacquisitionendswithoutbeingcancelled,youcannotrestartit.
To cancel an acquisition while it is running

1. Atthebottomrightcornerofthemainwindow,doubleclicktheThreadStatusLine.The
ThreadStatusmessageboxappears.
2. ClickYes.
TheAcquisitionResultsdialogappearsdisplayingcancelledstatus.
3. ClickOk.
Theacquisitioniscancelled.Youcanrestartitatalatertime.
214
Acquiring a Local Drive

Beforeyoubegin:
Thelocaldrivetobeacquiredwasaddedtothecase.
1. Toprotectthelocalmachinefromchangingwhileitscontentisbeingacquired,usea
writeblocker(seeUsingaWriteBlocker),thenverifythatthedevicebeingacquiredis
shownintheTreepaneortheTablepaneaswriteprotected,(seeLiveDeviceand
FastBlocIndicators).
2. Performtheacquisition(seeSpecifyingandRunninganAcquisition).
Thedriveisacquired.
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCaseapplicationscandetectandimageDCOand/orHPAareasonanyATA6orhigherlevel
diskdrive.TheseareasaredetectedusingLinEn(Linux)ortheFastBlocSEmodule.EnCase
applicationsrunninginWindowswithahardwarewriteblockerwillnotdetectDCOsorHPAs.
EnCaseapplicationsusing
FastBlocSE
LinEnwhentheLinuxdistributionusedsupportsDirectATAmode
TheapplicationnowshowsifaDCOareaexistsinadditiontotheHPAareaonatargetdrive.
FastBlocSEisaseparatelypurchasedcomponent.
HPAisaspecialarealocatedattheendofadisk.Itisusuallyconfiguredsothecasualobserver
cannotseeit,anditcanonlybeaccessedbyreconfiguringthedisk.HPAandDCOareextremely
similar:thedifferenceistheSET_MAX_ADDRESSbitsettingthatallowsrecoveryofaremoved
HPAatreboot.Whensupported,EnCaseapplicationsseebothareasiftheycoexistonahard
drive.Formoreinformation,seetheEnCaseModulesManual.
WorkingwithEvidence
215
Using a Write Blocker

Writeblockerspreventinadvertentlyorintentionallywritingtoanevidencedisk.Theiruseis
describedinthesesections:
WindowsbasedAcquisitionswithFastBlocWriteBlockers
AcquiringinWindowsWithoutFastBloc
WindowsbasedAcquisitionswithanonFastBlocWriteBlocker
FastBlocsupportsAMD64bitarchitecture.ByreplacingtheexistingIDEandSCSIcontroller
driverwiththenewGuidancedriver,onlyreadonlyrequestsaresenttotheattachedhard
drives.
TheFastBlocSEModulecanbeusedwithdevicesequippedwiththePromiseSATAcards
300TX4302
300TX4
300TX2PLUS
ThereisalsosupportfortheAMDAthlon64processor,andforsystemsrunningMicrosoft
WindowsXP64bitedition,andMicrosoftWindowsServer200364bitedition.
Windows-based Acquisitions with FastBloc Write Blockers

ThefollowingwriteblockersaresupportedinEnCaseEnterprisev6.0:
Figure25 FastBlocFE
216
Figure26 FastBloc2FEv1
Figure27 FastBloc2FEv2
Figure28 FastBlocLE
WorkingwithEvidence
217
Figure29 FastBloc2LE
Computerinvestigationsrequireafast,reliablemeanstoacquiredigitalevidence.FastBlocLab
Edition(LE)andFastBlocFieldEdition(FE)(hereafterreferredtoasFastBloc)arehardware
writeblockingdevicesthatenablethesafeacquisitionofsubjectmediainWindowstoan
EnCaseevidencefile.BeforeFastBlocwasdeveloped,noninvasiveacquisitionswereexclusively
conductedincumbersomecommandlineenvironments.
ThehardwareversionsofFastBlocarenotstandaloneproducts.Whenattachedtoacomputer
andasubjectharddrive,FastBlocprovidesinvestigatorswiththeabilitytoquicklyandsafely
previeworacquiredatainaWindowsenvironment.Theunitislightweight,selfcontained,and
portableforeasyfieldacquisitions,withonsiteverificationimmediatelyfollowingthe
acquisition.
FastBlocSEisasoftwareversionofthisproduct.
Acquiring in Windows Without a FastBloc Write Blocker

NeveracquireharddrivesinWindowswithoutFastBlocbecauseWindowswritestoanylocal
harddrivevisibletoit.Windowswill,forexample,putaRecycleBinfileoneveryharddrive
thatitdetectsandwillalsochangeLastAccesseddateandtimestampsforthosedrives.
MediathatWindowscannotwritetoissafetoacquirefromwithinWindows,suchasCDROMs,
writeprotectedfloppydiskettes,andwriteprotectedUSBthumbdrives.
Windows-based Acquisitions with a non-FastBloc Write Blocker

EnCaseapplicationscannotrecognizethepresenceofanyharddrivewriteblockerotherthan
FastBloc.Forthatreason,EnCasewillreportthatthesubjectharddriveisnotprotected,whenit
mightbe.UsersofnonFastBlocwriteblockersareencouragedtotesttheirequipmentand
becomefamiliarwiththeircapabilities.
218
Performing a Drive-to-Drive Acquisition Using LinEn

OnceLinEnissetup,runLinEn,chooseAcquire,thenselectthedrivetobeacquiredandthe
storagepath.Optionally,provideadditionalmetadata.
LinEnwasconfiguredasdescribedinLinEnSetup,andautofsisdisabled(cleared).
Theinvestigatoridentifiesthesubjectdrivetobeacquiredandthestoragedrivethatwillhold
theacquiredevidencefile.
1. IftheFAT32storagepartitiontobeacquiredhasnotbeenmounted,mountit.
2. NavigatetothefolderwhereLinEnresidesandtype./linenintheconsoletorun
LinEn.TheLinEnMainScreenappears.
3. ChooseAcquire.TheAcquirescreenappears.
4. Choosethephysicaldriveorlogicalpartitionyouwishtoacquire.TheAcquireDevice
<drive>dialogappears.
WorkingwithEvidence
219
5. ForthedataelementsrequestedbytheAcquiredialog,eitheracceptthedefaultwhen
provided,orenteravalueorchooseoneofthealternatives(seeSpecifyingandRunning
anAcquisitionsection),andthenpressEnter.
TheAcquireDevicedialogrequestsadditionaldatavaluesuntilalldataelementsare
enteredorselected.ThentheCreatingFiledialogappears.
6. Whentheacquisitioniscomplete,clickOK.
TheLinEnmainwindowappears.Thesubjectwasacquiredandisstoredonthestorage
drive.
7. Connectthestoragedrivetoinvestigatorsmachine.
8. AddtheEnCaseevidencefileusingtheSessionsSourcespageoftheAddDeviceWizard
(seeCompletingtheSessionsSourcesPage).

IftheLinuxdistributionsupportstheATAmode,youwillseeaModeoption.Themodemust
besetbeforethediskisacquired.AnATAdiskcanbeacquiredviathedrivetodrivemethod.
TheATAmodeisusefulforcaseswhentheevidencedrivehasaHostProtectedArea(HPA)or
drivecontroloverlay(DCO).OnlyDirectATAModecanreviewandacquiretheseareas.
LinEnisbeenconfiguredasdescribedinLinenSetup,andautofsisdisabled(cleared).Linuxis
runninginDirectATAMode.
1. IftheFAT32storagepartitiontobeacquiredhasnotbeenmounted,mountit.
TheLinEnMainScreenappears.
220
3. SelectMode,thenselectDirectATAMode.
YoucannowacquirethediskrunninginATAmode.
4. ContinuethedrivetodriveacquisitionwithStep3ofDoingaDrivetoDriveAcquisition
UsingLinEn.
Acquiring a Palm Pilot

Beforeyoubegin:
ThePalmPilotisnotyetaddedtothecase
TheexaminationmachineisbootedintoWindows
YourEnCaseapplicationisrunning
1. PutthePalmPilotorHandspringsPDAinitscradle,andattachthecradlecabletoaUSB
orserialportontheexaminationmachine.
2. TurnonthePDA,thentoputthePDAinconsolemode:
a. Ontheleftsideofthegraffitiarea,usethestylustowritealowercasecursiveL
followedbytwodots
b. Ontherightsideofthegraffitiarea,writea2.
ThePDAisinconsolemode.
OntheSourcespageoftheAddDeviceWizard:
1. IntheTreepane,clickLocal.
2. IntheTablepane,clickthecheckboxforPalmPilot.
3. Ifotherdevicesaretobeacquiredinthisacquisitioncontinuedefiningdevices(see
CompletingtheSourcesPage)orclickNext.
WorkingwithEvidence
221
TheChooseDevicespageoftheAddDeviceWizarddisplays.
4. OntheChooseDevicesPage,intheTablepaneselecttheentryforthePalmPilotdevice
andanyotherdevicestobeacquiredduringthisacquisition,andclickNext.
ThePreviewDevicespageoftheAddDeviceWizardappears.
5. OnthePreviewDevicesPageintheTablepaneselecttheentryforthePalmPilotdevice,
andanyotherdevicestobeacquiredduringthisacquisition,andclickFinish.
222
IntheCases>Entry>Hometabofthemainwindow,thePalmPilottobeacquired
appearsintheEntrytree.
6. RightclickthePalmPilotobjectintheEntrytree,andclickAcquire.
TheAfterAcquisitionpageoftheAcquisitionwizardappears.
7. ContinuetheacquisitionfromStep1ofSpecifyingandRunninganAcquisition
WhentheAcquisitionResultsdialogcloses,theacquisitioniscomplete.
Leaving Console Mode

Toleaveconsolemode,youmustdoasoftresetonthePalmPilot.TurningthePalmPilotoff
andbackondoesnottakeitoutofconsolemode,andleavingitinconsolemodecausesthe
batterytodrainfasterthanusual.
To leave console mode:
1. LocatethesmallholeonthebackofthePalmPilotlabeledRESET.
2. Pressthetipofapenintothehole.
WorkingwithEvidence
223
Acquisition Times
Initially,previewingaserialPalmPilotPDAmaybeslowbecausestandardserialportstransfer
dataatamaximumspeedof115kbps.ThepreviewandacquisitionofaPalmPilotVx,for
example,takesbetween30and40minutes.USBPalmPilotswillbefaster:inacquisitiontests,a
12MBm500tookfourminutestopreviewand16minutestoacquire.However,afterthefirst
keywordsearchonaprevieweddevice,allotherprocessesaccessingtheevidencefilewillbe
fast,astheentireevidencefileiscachedinmemory.
Acquiring Non-local Drives

TheacquisitionofnonlocaldrivesinvolvesLinEn,whichacquiresthesedrivesbyperforminga
networkcrossoveracquisition.WhenyouusetheLinEnutilitytoacquireadiskthroughadisk
todiskacquisition,theresultingEnCaseevidencefilemustbeaddedtothecaseusingtheAdd
DeviceWizard.
When to use a Crossover Cable

Useacrossovercablewhenacquiringfromalaptop,RAIDs,ordrivesnotrecognizedbythehost
machine.Youcanalsousethecrossovercabletopreview.
Performing a Crossover Cable Preview or Acquisition

YouhaveaLinEnbootdisk.
Theinvestigatoridentifiesthesubjectdrivetobeacquired.
1. BootthesubjectmachinefromtheLinEnbootdisk.
2. Connecttheforensicmachinetothesubjectmachineusingacrossovercable.
3. InLinux,ensurethatthesubjectmachinehasanIPaddressassignedandaNICcard
loadedappropriately:\
a. Typeifconfig eth0
b. IfnoIPaddressisassigned,assignonebytypingifconfig eth0 10.0.0.1
netmask 255.0.0.0
c. ChecktheIPaddressassignmentagainbytypingifconfig eth0
5. SelectServer,andpressEnter.
224
ThemessageWaitingtoconnectappears.
6. Ontheforensicmachine,specifyanIPaddressof10.0.0.1forthesubjectmachine.
7. LaunchtheEnCaseapplicationontheforensicmachine.
8. Createanewcase,oropenanexistingcase.
9. RightclickontheDevicesobjectandclickAddDevice.
10. SelectNetworkCrossover,andclickNext.
11. SelectthephysicaldiskorlogicalpartitiontoacquireorpreviewandclickNext.
12. ClickFinish.
Thecontentsoftheselecteddevicereachedthroughthenetworkcrossoverconnectionare
previewed.Toacquirethecontent,performanacquisition(seeSpecifyingandRunningan
Acquisition).
WorkingwithEvidence
225
Acquiring Disk Configurations

GuidanceSoftwareusesthetermdiskconfigurationinsteadofRAID.Asoftwaredisk
configurationiscontrolledbytheoperatingsystemsoftware,whereasacontrollercardcontrols
ahardwarediskconfiguration.Inasoftwarediskconfiguration,informationpertinenttothe
layoutofthepartitionsacrossthedisksislocatedintheregistryorattheendofthedisk,
dependingontheoperatingsystem;inahardwarediskconfiguration,itisstoredintheBIOSof
thecontrollercard.Witheachofthesemethods,6diskconfigurationtypescanbecreated:
Spanned
Mirrored
Striped
RAID5
RAID10
Basic
Software RAID
EnCaseapplicationssupportthesesoftwareRAIDs:
WindowNT,seeWindowsNTSoftwareDiskConfiguration
Windows2000,seeDynamicDisks
WindowsXP,seeDynamicDisks
Windows2003Servers,seeDynamicDisks
226
Windows NT - Software Disk Configurations

InaWindowsNTfilesystem,youcanusetheoperatingsystemtocreatedifferenttypesofdisk
configurationsacrossmultipledrives.Thepossiblediskconfigurationsare
Spanned
Mirrored
Striped
RAID5
Basic
Theinformationdetailingthetypesofpartitionsandthespecificlayoutacrossmultipledisksis
containedintheregistryoftheoperatingsystem.EnCaseapplicationscanreadthisregistry
informationandresolvetheconfigurationbasedonthekey.Theapplicationcanthenvirtually
mountthesoftwarediskconfigurationwithintheEnCasecase.
Therearetwowaystoobtaintheregistrykey:
Acquiringthedrive
Backingupthedrive
Acquirethedrivecontainingtheoperatingsystem.Itislikelythatthisdriveispartofthedisk
configurationset,butintheeventitisnotsuchasthediskconfigurationbeingusedforstorage
purposesonlyacquiretheOSdriveandaddittothecasealongwiththediskconfigurationset
drives.
Tomakeabackupdiskonthesubjectmachine,useWindowsDiskManagerandselectBackup
fromthePartitionoption.
Thiscreatesabackupdiskofthediskconfigurationinformation,placingthebackuponafloppy
disk.YoucanthencopythefileintoyourEnCaseapplicationusingtheSingleFilesoption,or
acquirethefloppydiskandaddittothecase.Thecasemusthavethediskconfigurationset
drivesaddedtoitaswell.Thissituationonlyworksifworkingwitharestoredcloneofasubject
computer.Itisalsopossiblearegistrybackupdiskisatthelocation.
RightclicktheevidencefilethatcontainsthekeyandselectScanDiskConfiguration.Atthis
point,theapplicationattemptstobuildthevirtualdevicesusinginformationfromtheregistry
key.
WorkingwithEvidence
227
Dynamic Disk
DynamicDiskisadiskconfigurationavailableinWindows2000,WindowsXPandWindows
2003Server.Theinformationpertinenttobuildingtheconfigurationresidesattheendofthe
diskratherthaninaregistrykey.Therefore,eachphysicaldiskinthisconfigurationcontainsthe
informationnecessarytoreconstructtheoriginalsetup.EnCaseapplicationsreadtheDynamic
Diskpartitionstructureandresolvetheconfigurationsbasedontheinformationextracted.
TorebuildaDynamicDiskconfiguration,addthephysicaldevicesinvolvedinthesettothecase
and,fromtheCasestab,rightclickonanyoneofthedevicesandchooseScanDisk
Configuration.
Iftheresultingdiskconfigurationsseemincorrect,youcanmanuallyeditthemviatheEdit
commandintheDevicestab.
228
Hardware Disk Configuration

Hardwarediskconfigurationscanbeacquired
Asonedrive
Asseparatedrives
BothRaid5andRaid10canbeacquired.
Disk Configuration Set Acquired as One Drive

Unlikesoftwarediskconfigurations,thosecontrolledbyhardwarecontainnecessary
configurationinformationinthecardsBIOS.Becausethediskconfigurationiscontrolledby
hardware,EnCasecannotreconstructtheconfigurationsfromthephysicaldisks.However,since
thepertinentinformationtorebuildthesetiscontainedwithinthecontroller,thecomputer(with
thecontrollercard)actuallyseesahardwarediskconfigurationasone(virtual)drive,regardless
ofwhetherthesetconsistsoftwoormoredrives.Therefore,iftheinvestigatoracquiresthesetin
itsnativeenvironment,thediskconfigurationcanbeacquiredasonedrive,whichistheeasiest
option.Thebestmethodforperformingsuchanacquisitionistoconductacrossovernetwork
cableacquisition.
Note: The LinEn boot disc for the subject computer needs to have Linux drivers for that particular RAID
controller card.
Toacquiretheset:
1. Keepthediskconfigurationintactinitsnativeenvironment.
2. BootthesubjectcomputerwithanEnCaseNetworkBootDisk.
3. LaunchtheLinEnutility.
Note: The BIOS interprets the disk configuration as one drive, so EnCase applications will as well.
The investigator sees the disk configuration as one drive.
4. Acquirethediskconfigurationasyouwouldnormallyacquireasingleharddrive
dependingonthemeansofacquisition.Parallelport,crossovernetworkcable,ordrive
todriveacquisitionisstraightforward,aslongasthesetisacquiredasonedrive.
Ifthephysicaldriveswereacquiredseparately,orcouldnotbeacquiredinthenative
environment,EnCaseapplicationscaneditthehardwaresetmanually.
WorkingwithEvidence
229
Disk Configurations Acquired as Separate Drives

Sometimesacquiringthehardwarediskconfigurationasonedriveisnotpossible,orthemethod
ofassemblingasoftwarediskconfigurationseemsincorrect.Toeditadiskconfiguration,several
itemsofinformationarerequired:
thestripesize
startsector
lengthperphysicaldisk
whetherthestripingisrighthandedornot
YoucancollectthisdatafromtheBIOSofthecontrollercardforahardwareset,orfromthe
registryforsoftwaresets.
WhenaRAID5consistsofthreeormoredisksandonediskismissingorbad,theapplication
canstillrebuildthevirtualdiskusingparityinformationfromtheotherdisksinthe
configuration,whichisdetectedautomaticallyduringthereconstructionofhardwaredisk
configurationsusingtheScanDiskConfigurationcommand.
WhenrebuildingaRAIDfromthefirsttwodisks,resultsfromvalidatingparityaremeaningless,
becauseyoucreatetheparitytobuildthemissingdisk.
Toacquireadiskconfigurationsetasonedisk:
1. Addtheevidencefilestoonecase.
2. View>CasesSubtabs>Devices.
3. RightclickanyevidencefilerowandselectEditDiskConfiguration.
4. TheDiskConfigurationdialogappears.
230
5. InDiskConfiguration,rightclickontheappropriatediskconfiguration,thenclickNew.
6. Enterthestartsectorandsizeoftheselecteddiskconfiguration,andthenclickOK.
Validating Parity on a RAID-5

TheValidateParitycommandcheckstheparityofthephysicaldisksusedtoassembletheRAID
5.Thus,iftheRAID5wasrebuiltwithamissingdisk,thisfeaturewillnotwork.
Tochecktheparity:
1. FromtheCasestab,rightclicktheRAID5volumeicon,andthenclickValidateParity.
2. ThevalidationprocessstatusdisplaysintheThreadStatuslineatthebottomrightofthe
EnCasemainwindow.
RAID-10
RAID10arraysrequireatleast4drives,implementedasastripedarrayofRAID1arrays.
Acquiring Virtual PC Images

WithMicrosoftVirtualPC2004youcanrunmultiplePCbasedoperatingsystems
simultaneouslyononeworkstation.UserssaveimagesofthesevirtualPCsinafashionsimilar
toVMware.EnCaseapplicationstreatMicrosoftVirtualPC2004imagesasdevicestobe
submittedtothesameinvestigationasphysicaldevices.VirtualPCcancreateflatandsparse
files,bothofwhicharesupportedtransparentlybyEnCaseapplications.
AddVirtualPCfilesviatheAddDeviceWizard.IntheWizard,navigatetothefoldercontaining
VirtualPCfiles(*.vhd)andaddthemasanEnCaseevidencefile.
CD-DVD Inspector File Support

EnCaseapplicationssupportviewingfilescreatedusingCD/DVDInspector,athirdparty
product.Treatthesefilesassinglefileswhenaddingthem,aszipfiles,orascompositefiles
whenusingthefileviewer.Dragsinglefilesintotheapplication.
Acquiring SlySoft CloneCD Images

YoucanaddrawCDROMimagescreatedusingSlySoftCloneCDtoacase.Whenaddingthese
images,youcanspecifythepresectorbytes,postsectorbytesandstartbyteoftheimage.
WorkingwithEvidence
231
Acquiring a DriveSpace Volume

DriveSpacevolumesareonlyrecognizedassuchaftertheyareacquiredandmountedintoa
case.Onthestoragecomputer,mounttheDriveSpacefileasavolume,andthenacquireitagain
toseethedirectorystructureandfiles.
To acquire a DriveSpace volume
1. AFAT16partitionmustexistontheforensicPCwhereyouwillCopy/Unerasethe
DriveSpacevolume.AFAT16partitioncanonlybecreatedwithaFAT16OS(suchas
Windows95).
2. RunFDISKtocreateapartition,thenexit,reboot,andformattheFAT16partitionusing
format.exe.
3. ImagetheDriveSpacevolume.
4. AddtheevidencefiletoanewcaseandsearchforafilenamedDBLSPACE.000or
DRVSPACE.000.
5. Rightclickthefileandcopy/uneraseittotheFAT16partitiononthestoragecomputer.
6. InWindows98,clickStartandselectAllProgramsAccessories>SystemTools
DriveSpace.
7. LaunchDriveSpace.
8. SelecttheFAT16partitioncontainingthecompressed.000file.
9. SelectAdvanceMount.
10. SelectDRVSPACE.000andthenclickOK,notingthedriveletterassignedtoit.The
CompressedVolumeFile(.000)fromthepreviousdriveisnowseenasfoldersandfiles
inanewlogicalvolume.
11. Acquirethisnewvolume.
12. Createtheevidencefileandaddtoyourcase.
Youcannowviewthecompresseddrive.
232
Acquiring Firefox Cache in Records

ThisfeatureparsesMozillaFirefoxcachedata.Theparsercorrectlyextractsallavailable
informationbyreadingmapfilesthatcontaininformationaboutacacheentryandwhereitis
located.
WhenyouselectSearchforInternetHistoryfromtheSearchdialog,theEnCaseprogram
searchesforspecificfilesandattemptstoparsethemasMozillaFirefoxcachefiles.Whenthe
searchiscomplete,thesecolumnsareshownintheTablepane:
Name
Filter
InReport
SearchHits
AdditionalFields
MessageSize
CreationTime
ProfileName
URLName
URLHost
BrowserCacheType
BrowserType
LastModificationTime
MessageCodePage
LastAccessTime
Expiration
VisitCount
ServerModified
WorkingwithEvidence
233
Reacquiring Evidence
WhenyouhavearawevidencefilewhichoriginatedoutsideanEnCaseapplication,reacquiring
itresultsinthecreationofanEnCaseevidencefilecontainingthecontentoftherawevidence
file.
YoucanmoveEnCaseevidencefilesintoacaseeveniftheywereacquiredelsewhere.Thisdoes
notrequireareacquisition.JustdragthefilesfromWindowsExploreranddropthemonthe
SessionsSourcespageoftheAddDeviceWizard.
YoumayalsowanttoreacquireanexistingEnCaseevidencefiletochangethecompression
settingsorthefilesegmentsize.
Reacquiring an Evidence File

Beforeyoubegin:
YourEnCaseapplicationisopen
Thefiletobereacquiredisincludedinthecase
Thecasehasbeenopened
To reacquire an evidence file:

1. IntheTreepane,clickCases>Entries>Home.
TheEntriestreeappearsintheTreepane.
2. Rightclickthedevicetobereacquired,andclickAcquire.
TheAfterAcquisitionpageoftheAcquisitionwizardappears.
3. Performtheacquisition(seeSpecifyingandRunninganAcquisition).
4. Payparticularattentiontothedispositionofthefile:
a. UsetheNewImageFilecontrolsontheAfterAcquisitionpage.
234
b. ClickQuickReacquisitionontheOptionspageoftheWizard.
Theevidencefileisreacquired.
Adding Raw Evidence Files

Reacquiringarawevidencefileembedsthefilecontainingtheimageofthecontentsofadevice
withcasemetadataand,optionally,thehashvalueofthatimage.
Beforeyoubegin:
Youhavearawimagefilethatcanbeaccessedbytheforensicmachine
Acaseisopen
To acquire a raw evidence file:

2. ClickFile>AddRawImage.
TheAddRawImagedialogappears.
3. Draganddroptherawimagestobeacquired
TherawimagestobeaddedarelistedintheComponentFileslist.
4. AcceptthedefaultsintheAddRawImagedialogorchangethemasdesired,thenclick
OK.
ADiskImageobjectappearsintheEntriestree,whichisontheCases>Entries>Hometree
pane.
WorkingwithEvidence
235
Remote Acquisition
SettinguptheremoteacquisitionExaminerside:
1. StartbyaddingthemachineyouwanttoacquirejustasyouwouldanyotherEnterprise
node.
2. ClickNext.
3. Afteryouchoosethemachine,selectthedevicesyouwanttoacquire.
4. ClickNext.
236
5. Rightclickthedeviceyouwanttoacquire,thenclickAcquire.
6. ClickNextuntilyoureachtheOptionsdialog.
7. Entertheremoteacquisitioninformation,includingavalidOutputPath.
8. ClicktheRemoteacquisitioncheckbox.
9. ClickNext.
WorkingwithEvidence
10. EnteraUsernameandPasswordfortheremoteshare.
11. ClickFinish.TheAcquiredialogdisplays:
12. ClickOK.
Remote Acquisition Monitor

UsetheRemoteAcquisitionMonitortochecktheprogressoftheacquisition.
1. DoubleclickRemoteAcquisitionMonitorandentertheappropriateinformation.
237
238
2. ClickOK.
3. Themonitorconnectstothemachineanddisplaystheacquisitionsprogress.
Setting Up the Storage Machine

ThisisbasicWindowssharesetup.
1. IntheAcquisitionPropertiesdialog,selecttheSharingtab.
WorkingwithEvidence
239
2. ClicktheSharethisfolderradiobuttonandenteraSharename.
3. ClickPermissions.
4. ThePermissionsforAcquisitiondialogdisplays.Thesesettingsvary,dependingonyour
environment.
5. Setupthepermissionsyouwant,thenclickOK.
6. Thesharedfolderlookslikethis:
240
Hashing
Youcanperformhashingbeforeorafteranacquisition,soaninvestigatorcandetermineifthe
deviceshouldbeacquired,orifthecontentshavechanged.Youmustrunapreviewifworking
withintheWindowsversionofEnCase(thisisnotnecessarywhenhashingadriveusingthe
LinEnutility).
Note: If you are hashing the device locally using Windows, a write blocking device , such as the FastBloc
write blocker, prevents the subject device from changing. Hashing via a crossover network cable, or locally
using the LinEn utility is useful if a write blocking device is not available.
Therearetwowaystohashadrive:
HashingthesubjectdriveusingLinEn
Hashingthesubjectdriveoncepreviewedoracquired

Thisallowstheinvestigatortoknowthehashvalueofthedrive.
Beforeyoubegin:
LinEnisconfiguredasdescribedinthesetuptopics
autofsisdisabled
Theinvestigatorhasidentifiedthesubjectdrivetobehashed
To perform a hash using LinEn
1. NavigatetothefolderwhereLinEnresidesandtype./linenintheconsoletorun
LinEn.
2. SelectHash.
TheHashdialogappears.
3. Selectadrive,thenclickOK.
TheStartSectordialogappears.
4. AcceptthedefaultorenterthedesiredStartSector,andthenclickOK.
TheStopSectordialogappears.
5. AcceptthedefaultorenterthedesiredStopSector,andthenclickOK.
TheHashResultsdialogappears.
WorkingwithEvidence
241
6. Ifyouwantthehashresulttobewrittentoafile,clickYes.
Ifthehashvalueistobesavedtoafile,theSaveHashValuetoaFiledialogappears;
otherwise,theLinEnMainScreenappears.
7. Enterthepathandfilenameofthefilethatwillcontainthehashvalue,andthenclick
OK.
ThehashvalueissavedandtheLinEnMainScreenappears.
Ahashvalueiscalculatedfortheselectedsectorsoftheselectedfile.Ifdesired,thishashvalueis
savedtoafile.
Hashing the Subject Drive Once Previewed or Acquired

IfyouwanttohashadevicewithoutleavingtheWindowsoperatingsystem,youcanhash
directlyfromEnCase.
Thedevicemustbepreviewedoracquired.
1. OntheEntriestabontheTreepane,rightclickthedeviceyouwanttohash.
2. SelectHash.
3. Enterthefollowing:
a. SupplyaStartSector,oracceptthedefault,whichisthefirstsectorofthedevice
b. SupplyaStopSector,oracceptthedefaultvalue,whichisthelastsectorofthe
device
4. ClickOK.
242
5. Selectoneofthefollowingoutputformats:
Consolewritestheresultsintheconsoletab
Notewritestheresultsasanotebookmark
LogRecordwritestheresultsasalogrecordbookmark
6. ClickOK.

ALogicalEvidenceFile(LEF)containsacollectionofindividualfilestypicallycopiedfroma
subjectcomputerwhenpreviewing.
Asyouexaminedigitalevidence,someoftheevidenceismoresignificanttotheintentofthe
investigation.DuringtheanalysisoftheEnCaseevidencefile,varioussearchesareperformedto
findthesesignificantfiles.Bycopyingthesesignificantfilesintoalogicalevidencefileyoucan
accessthemwithoutdealingwiththelargevolumecontainedinanEnCaseevidencefile.
DragginganddroppingaLEFanywhereontheEnCaseinterfaceaddstheLEFtothecurrently
openedcase.
WorkingwithEvidence
243
Create Logical Evidence File Wizard

UsetheCreateLogicalEvidenceFileWizardtocreatelogicalevidencefilesassociatedwiththe
currentlyopenedcase.
Beforealogicalevidencefilecanbecreated,openthecaseassociatedwithitandselectthe
associatedfilesyouwanttoacquire.
TheCreateLogicalEvidenceFilewizardcontainsthefollowingpages:
Sourcespage
Outputspage
244
Sources Page
UsetheSourcesPageoftheCreateLogicalEvidenceFileWizardtospecifysourcefilesthatwill
comprisethelogicalevidencefilebeingcreated.
Sourceisthenameoftheparentdevicecontainingthefileorfilestoincludeinthelogical
evidencefile.
Filescontainsthenumberoffilesandthetotalsizeofthefileorfilestoincludeinthelogical
evidencefile.
TargetfolderwithinEvidenceFileisthenameofthefoldercontainingthefilesthatcomprise
thelogicalevidencefile.
Includecontentsoffiles:ifdisabled,onlythefilenameisknowntothelogicalevidencefile,and
whenthelogicalevidencefileisopened,nodatadisplaysintheViewpane.
HashFilesdetermineswhetherthefilescomprisingthelogicalevidencefilearehashedasthey
areputintothelogicalevidencefile.
Addtoexistingevidencefiledetermineswhetherthefilescomprisingthelogicalevidencefile
areaddedtoanexistingevidencefile.Whenthiscontrolisenabled,EvidenceFilePathappears.
Lockfilewhencompleteddetermineswhetherthelogicalevidencefileislockedaftercreation.
WorkingwithEvidence
245
EvidenceFilePathcontainsthepathandfilenameofthelogicalevidencefile,wheretheselected
fileswillbeadded.
The Outputs Page of the Create Logical Evidence File

UsetheOutputspageoftheCreateLogicalEvidenceFilewizardtospecifythemetadataand
outputattributesofthelogicalevidencefiletobecreated.
246
Namecontainsthenameofthelogicalevidencefiletobecreated.
EvidenceNumbercontainstheinvestigatorsevidencenumberforthelogicalevidencefiletobe
created.
FileSegmentSizecontainsthefilesegmentsizeofthelogicalevidencefiletobecreated.
Compressioncontainscontrolsthatdeterminethecompressionusedwhencreatingthelogical
evidencefile.
Nonemeansnocompressionisusedwhencreatingthelogicalevidencefile.
Good:goodcompressionisusedtocreatealogicalevidencefilethatissmallerthanwhenno
compressionisused,butlargerthanwhenbestcompressionisused.
Best:bestcompressionisusedtocreatealogicalevidencefilethatissmallerthanonecreated
withgoodcompression.
OutputPathcontainsthepathandfilenameofthelogicalevidencefiletobecreated.
Creating a Logical Evidence File

Beforeyoubegin:
OpenthecaseassociatedwiththelogicalevidencefiletobecreatedinEnCase.
WorkingwithEvidence
247
To create a logical evidence file.

2. Selectthefilesandfolderstobeassociatedwiththelogicalevidencefile.
3. RightclicktheparentobjectontheEntrytree,andclickCreateLogicalEvidenceFile.
TheSourcespageoftheCreateLogicalEvidenceFilewizardappears.
4. Acceptthedefaultsettingsorenterdesiredvalues,andthenclickNext.
TheOutputspageoftheCreateLogicalEvidenceFilewizardappears.
5. Entertheappropriatevalues,andenterorbrowsetothepathandfilenameofthelogical
evidencefiletobecreated.
6. ClickNext.
Theresultsdialogappearswithastatusofcomplete.
Recovering Folders
Thefollowingtypesoffolderscanberecovered:
FoldersonFATvolumes,asdescribedinRecoveringFoldersonFATVolumes
NTFSfolders,asdescribedinRecoveringNTFSFolders
UFSandEXT2/3partitions,asdescribedinRecoveringUFSandEXT2/3Volumes
248
Recover Folders on FAT Volumes

Afteraddinganevidencefiletoacase,runRecoverFoldersonallFATpartitionsbyright
clickingoneachdeviceandselectingit.Thiscommandsearchesthroughtheunallocatedclusters
ofaspecificFATpartitionforthedot,doubledotsignatureofadeletedfolder;whenthe
signaturematches,EnCaseapplicationscanrebuildfilesandfoldersthatwerewithinthat
deletedfolder.
Notethatinthefigure,theC:\drivedeviceisselectedinthebackgrounddisplay.
Recovering NTFS Folders

EnCaseapplicationscanrecoverNTFSfilesandfoldersfromUnallocatedClustersandcontinue
toparsethroughthecurrentMasterFileTable(MFT)recordsforfileswithoutparentfolders.
ThisisparticularlyusefulwhenadrivehasbeenreformattedortheMFTiscorrupted.
RecoveredfilesareplacedinthegrayRecoveredFoldersvirtualfolderintherootoftheNTFS
partition.
TorecoverfoldersonanNTFSpartition:
1. RightclickonthevolumeandselectRecoverFolders.
2. TheRecoverFoldersmessageboxopenstoconfirmthatyouwanttoscanthevolumefor
folders.
3. ClickOKtobeginthesearchforNTFSfolders,orCanceltocanceltherequest.
WorkingwithEvidence
249
4. TheapplicationbeginssearchingforMFTrecordsintheUnallocatedClusters.Inthe
bottomrighthandcorneraprogressbarindicatesthenumberofMFTrecordsfoundand
theapproximatetimerequiredtocompletethesearch.
5. AftertheapplicationlocatestheMFTrecordsintheUnallocatedClusters,aprompt
appearsshowingthenumberofentriesfound.Duplicateorfalsehitsareparsed,sothe
numberofentriesthatappearsinthepromptmaybelowerthanreportedduringthe
recovery.
6. ClickOK.
7. TheapplicationresolvestherecoveredMFTrecordstodataonthevolume,andattempts
torebuildthefolderstructurewithchildrenfilesandfoldersunderparentfolders.This
processcantakealongtime;however,theresultsgreatlybenefitexaminationsofNTFS
volumes.
Sincerebuildingthefolderstructurecantakealongtime,youcanopttohavefasteraccesstothe
recoveredfiles.IftherecoveredMFTentriesintheunallocatedspaceareNTFS4,youcanchoose
to:
processtheentriesforparent/childrelationships,or
placeallrecoveredentriesintotheRecoveredFilesfolderimmediatelywithnofolder
structure.
Thisdialogboxshowsthenumberofpassesrequiredtosorttheentries.Thisnumbermaybe
large,butmostpassesprocessinstantly.Thelengthoftimerequiredtoprocessagivengroup
dependsonlyonthenumberofrecordswithinthatgroup.
ThischangedoesnotaffectNTFS5recoveredentries.Theseentriesareprocessedquickly,as
before.Ifyouchoosetoprocesstheentriesforthefolderstructure,theprogressbarindicates
whichpassiscurrentlyrunning.Therecoveredfolderstructureisplacedunderthevirtual
RecoveredFilesfolder.
250
Recovering UFS and EXT2/3 Partitions

EnCaseapplicationsuseadifferentmethodforrecoveringdeletedfilesandfoldersthathaveno
parentinUFSandEXT2/3partitions.Whenyoupreviewacomputeroraddanevidencefile
containingoneofthesepartitionstoyourcase,agrayfoldercalledLostFilesisautomatically
addedtothetreeintheEntriestabasachildofeachpartition.
IntheMasterFileTable(MFT)inNTFS,allfilesandfoldersaremarkedasafolderorfileandas
belongingtoaparent.Thefileswithinafolderarethatfolderschildren.Ifyoufirstdeletethe
files,thendeletethefolder,andthencreateanewfolder,theoriginallydeletedfilescanbelost.
ThenewfoldersentryintheMFToverwritesthedeletedfoldersentry.Theoriginalparent
folderanditsentryintheMFTareoverwrittenandgone.Itschildren,however,werenot
overwrittenandtheirentriesarestillintheMFT.AswithNTFS,withUFSandEXT2/3
partitions,theapplicationparsestheMFTandfindsthosefilesthatarestilllisted,buthaveno
parentdirectory.AllofthesefilesarerecoveredandplacedintothegrayLostFilesfolder.
Recovering Folders from a Formatted Drive

Iftheevidencefileshowsalogicalvolumebuthasnodirectorystructure,theharddrivehas
probablybeenformatted.IfthisisaFATbasedsystem,EnCaseapplicationscanrecoverthe
originaldirectorystructure.RightclickoneachlogicalvolumeandchooseRecoverFolders.This
searchesthroughthedriveandrecoversfolders,subfoldersandfilesfromwithinthosefoldersif
theinformationisstillavailable.
YoumayoccasionallyencounteradevicecontainingafilesystemunsupportedbyEnCase.
Whenthisoccurs,theEntriestreedisplaysthedeviceicon,buttheEntriestableonlylists
UnallocatedClusters.Althoughthereisnowaytoviewfilestructure,itmaybepossibletorun
textsearchesthroughtheUnallocatedClusters.
Recovering Partitions
OccasionallyadeviceisformattedorevenFDISKedinanattempttodestroyevidence.
FormattingandFDISKingaharddrivedoesnotactuallydeletedata.Formattingdeletesthe
structureindicatingwherethefoldersandfilesareonthedisk.FDISKingadrivedeletesa
drivespartitioninformation.EnCaseapplicationscanrebuildbothpartitioninformationand
directoryandfolderstructure.
WorkingwithEvidence
251
Adding Partitions
AformattedharddriveorFDISKharddriveshouldbeacquiredusingnormalprocedures.When
theseevidencefilesareaddedtoacase
AformatteddrivedisplayslogicalvolumeswithinEnCase,buteachvolumehasonlyan
UnallocatedClustersentryinthetable.
AnFDISKharddrivewillnotshowlogicalvolumeinformation.Theentiredriveis
displayedasUnusedDiskAreainthetable
252
WorkingwithEvidence
253
Torestructuretheseportionsofthedisk:
1. Inthefilterpane,expandEnScripts>Examples.
2. DoubleclickCaseProcessor.
3. CheckthecaseyouareworkingonandclickNext.
4. EnteraBookmarkFoldernameandoptionally,aFolderComment.
5. CheckthePartitionFinderModuleintheModuleslist.
6. ClickFinish.TheEnScriptprogramruns.
7. WhentheEnScriptprogramfinishes,clickBookmarksintheTreepane.
8. Inthetree,clickSetIncludedtoshowallthebookmarkstheEnScriptprogramhas
found.Notethepartitiontypeandsizeinthecomment.
9. HighlighttheentryintheTablepane,andthenselectDisk.
10. IntheDisktab,thecursorappearsonthebookmarkedsector.RightclickandselectAdd
Partition.TheAddPartitionscreendetectsthesectorsandpartitiontypeautomatically,
populatingthefields.
11. ClickOKtorestorethepartition.
12. Toseethecontentsofthepartitionyoujustadded,clickEntriesintheTreepane.The
newpartitionappearsbelowthedevicetheSweepCaseEnScriptprogramwasrun
against.
13. Ifthedrivehadmultiplepartitions,clickBookmarksintheTreepane,thenrepeatthe
processfromstep9.
Deleting Partitions
Ifapartitionwascreatedatthewrongsector,youmustdeletetheentryforthatpartitionatthe
sectoratwhichitwascreatedontheevidencefileimageoftheharddrive.
To delete a partition
1. OntheDisktaboftheTablepane,navigatetothevolumebootrecordentry,asindicated
byapinkblock.
2. RightclickandselectDeletePartition.
3. ClickYestoconfirmtheremovalofthepartition.
TherowintheTableviewnowcontainsanentryforUnusedDiskSpaceinsteadofthenow
deletedpartition.
254
Restoring Evidence
EnCaseapplicationsallowaninvestigatortorestoreevidencefilestopreparedmedia.Restoring
evidencefilestomediatheoreticallypermitstheinvestigatortoboottherestoredmediaand
viewthesubjectscomputingenvironmentwithoutalteringtheoriginalevidence.Restoring
media,however,canbechallenging.Readthischaptercarefullybeforeattemptingarestore.
DONOTbootuptheSubjectsdrive.DonotbootupyourforensicharddrivewiththeSubject
driveattached.Thereisnoneedtotouchtheoriginalmediaatall.Remember,itisstillevidence.
Physical vs. Logical Restoration

EnCaseallowstheinvestigatortorestoreeitheralogicalvolumeoraphysicaldrive.Alogical
volumeisavolumethatdoesnotcontainaMasterBootRecord(MBR)ortheUnusedDisk
Space.AphysicalvolumecontainstheMasterBootRecordandUnusedDiskSpace.Unused
DiskSpace,however,istypicallynotaccessibletotheuser.
Mostoften,whencomplyingwithdiscoveryissues,onemustperformaphysicalrestore,nota
logicalone.Logicalrestoresarelessdesirableastheycannotbeverifiedasanexactcopyofthe
subjectmedia.Whenadriveisrestoredforthepurposesofbootingthesubjectmachine,a
physicalrestoreisthecorrectchoice.
Whetherrestoringadrivephysicallyorlogically,restoretheevidencefilestoadriveslightly
largerincapacitythantheoriginalSubjectharddrive.Forexample,ifrestoringa2gighard
driveimage,restoretheimagetoa2to4gigharddrive.Restoringmediatoadrivethatis
substantiallybiggerthanthesubjectmediacanpreventtherestoredclonefrombootingatall,
possiblydefeatingthepurposeoftherestore.
Preparing the Target Media

Preparationofthetargetmediawheretheimageisgoingtoberestoredisessentialfora
forensicallysoundrestore.
Thetargetmediamustbewiped.
Forlogicalrestores,thetargetmediamustbeFDISKed.
Forlogicalrestores,thetargetmediamustbepartitionedandformattedwiththesame
filetypesystemasthevolumetoberestored(e.g.,FAT32toFAT32,NTFStoNTFS,etc.).
Forphysicalrestores,donotFDISK,partition,orformattheharddrive.Instead,start
yourEnCaseapplicationandrestoretheimagephysicallytothetargetmedia.
WorkingwithEvidence
255
Physical Restore
Restoringaphysicaldrivemeansthattheapplicationwillcopyeverything,sectorbysector,to
thepreparedtargetdrive,therebycreatinganexactcopyofthesubjectdrive.Thetargetdrive
shouldbelargerthanthesubjectharddrive.Whentherestorecompletes,itprovideshashvalues
verifyingthatthelabdriveisanexactcopyofthesubjectdrive.Ifaseparate,independentMD5
hashofthelabdriveisrun,becertaintochoosetocomputethehashoveronlytheexactnumber
ofsectorsincludedonthesuspectsdrivesothattheMD5hashwillbeaccurate.
Drive0cannotberestoredto.IfthepreparedtargetmediaisDrive0,anotherdrivemustbe
addedtothesystem,asamaster,tostoretherestoredimage.
Restoredsectorscanalsobeverifiedtoconfirmthatthereisindeedasectorbysectorcopyofthe
originalsubjectmedia
SometimestheConvertDriveGeometrysettingisavailable.Thisisentirelydependentonthe
drivegeometryoftheoriginaldriveincomparisontotherestoredrive.Everydriveisdefinedby
specificCylindersHeadsSectors(CHS)drivegeometryinformation.IftheHeadsandSectorsof
theoriginaldriveimagedareidenticaltothetargetrestoredrive,thenthedrivesareofthesame
typeandtheConvertDriveGeometrysettingisnotavailable.Ifthesourceandtargetdrivesare
ofdifferenttypes(forexample,theheadssectorssettingsaredifferent),thentheConvertDrive
Geometryisavailable.
256
To restore a physical hard drive:

1. Installasterile,unpartitioned,unformattedrestorationdrivetoyourforensicmachine,
usingaconnectionotherthanIDE0.EnCaseapplicationscannotrestoreaphysicaldrive
toIDE0.Ensurethattheintendedrestorationdriveisatleastaslargeas(butpreferably
largerthan)theoriginalfromwhichtheimagewastakensothattherestoreddatawill
neveroverwriteallsectorsonthetargetharddrive.EnCaseapplicationscanwipethe
remainingsectorsofthetargetharddriveaftertheactualdatafromtheevidencefileis
restored.Wipingremainingsectorsisrecommended.
2. LookattheacquireddriveintheReportpaneandnotetheprecisephysicaldrive
geometryoftheforensicimageyouarerestoringfrom,includingCylinders,Headsand
Sectors.Notetheacquisitionhashforlatercomparisonontherestoreddrive.
3. OntheEntriestree,ontheTreepane,rightclickonthephysicaldiskyouwishtouseas
thesourceandselectRestore.
4. Selectthedestinationdrivefromthelistofpossibledestinationdevices,andclickNext.
5. SelectthedrivetorestoretheimagetoandclickNext.
6. Ifitisdisplayed,selectConvertDriveGeometry,andthenclickFinish.
7. Toconfirmtherestoretothedesignateddrive,typeYesinContinue,andthenclickYes
tostartthephysicalrestore.
Whentherestoreisfinished,averificationmessagedisplaysinformationsuchasany
readorwriteerrorsandthehashvaluesforboththeevidencefileandtherestoreddrive.
Thehashvaluesshouldmatch.Ifthehashvaluesfromtherestoredonotmatch,restore
theevidencefileagain.Itmightbenecessarytoswapthetargetmediaforcorrectresults.
8. Whenthedriveisrestored,physicallypullthepowercordfromthecomputer.
9. Attachtherestoreddriveasneartotheoriginalconfigurationaspossible(e.g.,ifthe
drivewasoriginallyonIDEchannel0ontheoriginalcomputer,installitthere.)Thiswill
helpthecomputertoallocatetheoriginaldriveletters,providingthepropermappingfor
.lnkfiles,etc.
10. Onolderdriveslessthan8.4GB,youmayneedtorebootusinganEnCaseBarebones
BootDiskette,andduringthebootsequencesettheCHSsettingsoftherestorationdrive
intheCMOStothephysicaldrivegeometryoftheoriginaldrive,whichyounoted
earlier.Settingthephysicaldrivegeometrywillprobablyrequireoverridingtheauto
detecteddrivegeometry.
11. UseLinEntocalculatethehashvalueoftherestoreddrive,andcompareittothe
acquisitionhashvaluetoensureitsintegrity.
12. Ifyouwanttobootthedrive,useanEnCaseBarebonesBootDiskwithFDISKcopiedto
it.RunFDISK/MBR.Therestoreddiskshouldnowbebootable.Beawarethatassoonas
youbootit,theunderlyingdatawillbealtered.
WorkingwithEvidence
257
NotethatdifferencesmayoccurdependingonwhetheryouarerestoringanNTFSorFAT32file
system,andwhethertherestoreddriveisbeingbootedontheoriginalhardwareplatformthe
drivewasacquiredfrom.EnCaseapplicationsrestoreusingoneofthefollowingmethods:
WithoutFastBlocSE
WithFastBlocSE
RestoringwithoutFastBlocSE,becausethediskdriversforWindows2000,XPand2003donot
allowdirectdiskaccess,canbeperformedthroughtheASPIlayer.ASPIhasaproblemwith
roundingoffthelastfewsectorsthatdonotfitonthelastcylinderofadrive.Thisisthereason
whyallsectorsarevisiblewhenthedriveisread,yetwhenwritesareattemptedasmallnumber
ofsectorsmaybemissing.ThisisaWindows/ASPIlimitation,notEnCase.Becauseofthis
limitation,youmayneedtouseaslightlylargerdrivewhenperformingtherestore.
IfyoupurchasedtheFastBlocSEmodule,youcanrestoretoadrivethatiscontrolledthrough
FastBlocSE.WhenyourestorewithFastBlocSE,FastBlocSEreplacestheWindowsdriversand
allowsdirectdiskaccess,therebycircumventingtheASPIlayeranditsassociatedproblems.
BecauseFastBlocSEcanwritedirectlytothedisk,youcanrestoretothesamesizedrive.
Drivemanufacturersalsostatethateventhoughdrivesmayappearidentical,oncepartitioned
theymaynothavethesamecapacity.Ifpossible,drivesfromthesamebatchshouldbeusedso
thatbothwillbereadwiththesamecapacity(checkthedateonthedriveslabel).Olderhard
drivesmayhave2platters,whilethenewerversionmayonlyhaveone,withthesingleplatter
drivehavingafewlessbytesavailable.
258
Logical Restore
MediahavedifferenttypesdependingontheCHS(cylindersheadssectors)information.The
sametypemighthavedifferentcylinderssettings,buttheirheadsandsectorsinformation(the
HSinCHS)willbethesame.Iftheheadssectorsinformationisdifferent,thenthemediatype
differsandyoushouldusanothertargetrestoreharddrive.Alogicalvolumemustberestored
toavolumeofthesamesize,orlarger,andofthesametype.
Toprepareforalogicalrestore,thetargetmediashouldbe:
wiped
FDISKed
partitioned
formattedpriortorestore
Formatthetargetdrivewiththesamefiletypesystemasthevolumetoberestored(e.g.,FAT32
toFAT32,NTFStoNTFS,etc.).
Theprocedureforrestoringalogicalvolumeisidenticaltothatofrestoringaphysicaldevice.
Foralogicalvolume:
1. InCaseview,rightclickonthevolume.
2. SelectRestore.
Whenyoufinishthelogicalrestore,aconfirmationmessagedisplays.Youmustrestartthe
computertoallowtherestoredvolumetoberecognized.Notethattherestoredvolumecontains
onlytheinformationthatwasinsidetheselectedpartition.
Booting the Restored Hard Drive

Aftertherestoreoperationhasfinishedwithnoerrors,removethetargetharddrivefromthe
storagesystemandplaceitintoatestsystem.Switchthepoweron.Dependingonwhat
operatingsystemthesubjectran,thetestsystemshouldbootupexactlyasthesubjectcomputer.
Therearequiteafewdifficultiesthatcanoccuratthisstageoftheinvestigation.Themost
commonisthatthecloneofthesubjectdrivewillnotboot.Beforetryinganythingelse,checkthe
restoreddiskusingFDISKandverifyitissetasanActivedrive.Ifnot,setthedriveasActive
(usingtheFDISKutility)anditshouldboot.
WorkingwithEvidence
259
Toboottherestoredharddrive:
1. Ensuretheintendedrestorationdriveisatleastaslargeastheoriginalfromwhichthe
imagewastaken.
2. Installasterilerestorationdrivetoyourforensicmachine,usingaconnectionotherthan
IDE0.Note:EnCasecannotrestoreaphysicaldrivetoIDE0.
3. Createbut,donotformatasinglepartitionontherestorationdrive.
4. UsingReportpane,notethediskgeometryoftheforensicimageofthedriveyouare
restoringfrom,sothephysicalgeometryusediscorrect.
5. RestoretheforensicimageofthephysicaldrivetotherestorationdriveusingtheRestore
Drivesetting.
6. TomaketherestoreddriveactiveinWindows,rightclickMyComputerandselect
Manage>DiskManagement,andthenrightclicktherestoreddriveandselectMake
Active.
7. Shutdownthecomputerandattachtherestoreddriveasneartotheoriginal
configurationaspossible.Thishelpsthecomputertoallocatetheoriginaldriveletters,
making.lnkfiles,etc.workbetter.
8. RebootandsettheCHSsettingsoftherestorationdriveintheCMOStothephysical
geometryoftheoriginaldrive,overridingtheautodetectedgeometryifnecessary.
Therestoreddiskshouldnowbebootable.
If the Restored Disk Does Not Boot

TheCylindersHeadsSectorsinformation(CHS)intheMasterBootRecord(MBR)fromthe
imagemaynotmatchtheCHSinformationoftheactualharddrive.
ResettheCHSinformationfortheMBR.BootwithaDOSbootdiskand,attheA:\>prompt,
typeFDISK/MBRtoresettheMasterBootRecord.
VerifythattheMBRhasthecorrectio.sysfile.ReSYSthebootdrivewiththecorrectsysversion.
Forexample,ifthesubjecthadWindows95B,thentheharddriveshouldhaveasyscommand
performedonitfromaWindows95Bcreatedbootdisk.AttheA:\>prompt,typeSYS C:
260
Snapshot to DB Module Set

ThisscripttakessnapshotsofnodesacrossanetworkandstoresthesnapshotsinaSQL
database.Italsoreadsfromthedatabasetocreatereportsonthesnapshotstaken.Itallowsfor
minimalmaintenanceonthedatabasesoyoucancontroltheamountofdatastoredaswell.
ThreeEnScriptsworkwiththedatabasetoperformtheirtasks:
InitializeDatabase.EnScript
SnapshottoDB.EnScript
SnapshotDBReports.EnScript
Eachisdiscussedindetailbelow.
Initializing the Database

TheInitializeDatabase.EnScript:
initializesthedatabase
maintainsthedatabase
You must run this script first.
WorkingwithEvidence
261
1. MakesureyousetupanODBCconnectionproperlyandnotedowntheinformation
usedforthatconnection.
2. RunInitializeDatabase.EnScript.TheInitializeDatabasedialogopens:
Choosing Database Sources

SelecttheDatabaseSourceOptionstabtospecifyconnectioninformationforthedatabase:
DataSourceName:ThisisthenameyougavetheODBCconnectionwhenyoucreatedit.
EnterUserName(NotNeededIfUsingNTAuthentication):Specifyausername.Ifyouset
uptheODBCconnectiontouseNTAuthentication,itremembersyourusernamesoyoudo
notneedtoenteritmanually.
EnterPassword(NotNeededIfusingNTAuthentication):Likeyourusername,youmust
specifyapasswordtogainaccesstothedatabase.IfyousetuptheODBCconnectiontouse
NTAuthentication,itremembersyourpasswordsoyoudonotneedtoenteritmanually.
DBTimeoutInterval(minutes):SpecifyhowlongyouwanttowaitbeforeaDBtimeout
occurs.Thisindicateshowlongtheprogramwaitsbeforeassumingtheconnectionisbad
(thedefaultis5minutes).
ShowQueriesinConsole:Checkthisboxtoproducecommentsonwhatishappeningbehind
thescenes.
DatabaseName:Sinceadatabasemanagementsystemcanhousemanydatabases,youmust
specifytheoneyouwanttouse.
262
Maintaining the Database

1. RunInitializeDatabase.EnScript.TheInitializeDatabasedialogopens:
2. SelecttheMaintenanceOptionstabtorunbasiccleaningmaintenanceonthedatabase
itself(includingdeletingdatabaserecords)andfillinthevariousfieldsorcheckthe
appropriatebox:
NoMaintenance:Usethisoptionifyouwanttoinitializethedatabase(selectedby
default).
DeleteAllRecords:Onceadatabaseiscreated,selectthisoptiontodeletetheentire
contentsinthedatabase(butnotthedatabaseitself).
DeleteRecordsOlderThan:Youcanautomaticallyschedulecleaningthedatabaseby
selectingthisoption.Withthisoptionselected,thefollowingoptionsbecomeactiveand
configurable:
Days:Specifiestheageofarecordyouwanttodelete.Forexample,selecting1
meansyouwanttodeleterecordsatleastonedayold.
RunMaintenanceDaily:Thischeckboxrunsthecleanereverydayatspecifiedhours
andminutes.
WorkingwithEvidence
263
Updating the Database

1. RunSnapshotToDB.EnScript.YouwillberequiredtologintoaSAFE.Whenyou
successfullylogin,thisdialogopens:
Thisiswhereyou:
specifythenodesyouwanttoscan
takeasnapshot
ChoosetheRoleYouWanttoAssume:inthetree,selectthespecificroleyouwanttouse
whenconnectingtothenodes.
Be sure to select a valid Role to enable the Next button.
ClickNetworkTreetoopenadialogwhereyoucanselectnodesaddedtotherolevia
SAFE.
Lowertextbox(underNetworkTree):manuallyenterIPaddresses,hostnames,and
rangeshere.
Validrangesmustbedefinedassuch:IPAddress1IPAddress2
IPAddress2mustbegreaterthanIPAddress1;thatis,,IPAddress1isthelowestIP
AddressintherangeandIPAddress2isthehighestIPAddress.
2. Onceyouspecifywhichnodestoscanforsnapshots,youmustspecifywhichdatabaseto
use.
264
3. ClickNext.TheSnapshotDataSourceOptionsdialogopens:
EnterUserName(NotNeededIfUsingNTAuthentication):Specifyausername.Ifyou
setuptheODBCconnectiontouseNTAuthentication,itremembersyourusernameso
youdonotneedtoenteritmanually.
EnterPassword(NotNeededIfusingNTAuthentication):Likeyourusername,you
mustspecifyapasswordtogainaccesstothedatabase.IfyousetuptheODBC
connectiontouseNTAuthentication,itremembersyourpasswordsoyoudonotneedto
enteritmanually.
ShowQueriesinConsole:Checkthisboxtoproducecommentsonwhatishappening
behindthescenes.
DatabaseName:Sinceadatabasemanagementsystemcanhousemanydatabases,you
mustspecifytheoneyouwanttouse.
WorkingwithEvidence
265
4. ClickNext.Ifthedatabaseconnectionissuccessful,aconfirmationmessagedisplays:
Specifying Database Content

UsetheProcessOptionsdialogtospecifywhatinformationtoinsertintothedatabase.
266
1. SelecttheappropriateSnapshotWriteOptionsbutton:
SaveAllProcessestakesasnapshotofeachnodeandinsertstheseitemsintothe
database:
Process
Netusers
Netinterfaces
Openports
SaveNotApprovedOrHiddenProcessesinsertsnotapprovedorhiddenprocessesinto
thedatabase.
2. ClickFinishtobeginthescanningprocess.
Generating Reports on the Database

Onceyougatherdataintothedatabase,youcangeneratereports.
1. RunSnapshotDBReports.EnScript.TheSnapshotDatabaseSourceOptionsdialogopens:
EnterUserName(NotNeededIfUsingNTAuthentication):Specifyausername.Ifyou
setuptheODBCconnectiontouseNTAuthentication,itremembersyourusernameso
youdonotneedtoenteritmanually.
EnterPassword(NotNeededIfusingNTAuthentication):Likeyourusername,you
mustspecifyapasswordtogainaccesstothedatabase.IfyousetuptheODBC
connectiontouseNTAuthentication,itremembersyourpasswordsoyoudonotneedto
enteritmanually.
WorkingwithEvidence
267
ShowQueriesinConsole:Checkthisboxtoproducecommentsonwhatishappening
behindthescenes.
DatabaseName:Sinceadatabasemanagementsystemcanhousemanydatabases,you
mustspecifytheoneyouwanttouse.
2. ClickOK.TheSnapshotDBReportsdialogopens:
3. Selectthecheckboxforthereportsyouwanttogenerate.
4. ClickOKtobegingeneratingthereport.
268
Using the Snapshot DB Reports Dialog

Thisdialoglistsreportsgeneratedfromthedatabasesnapshot.Youcanaddormodifyreports,
aswellasexportreportstoafileorimportthemfromafile.
Items
Thislistboxcontainsinformationonreportsalreadygenerated.Ifyoucreateoraddareport,
thatreportandtheoptionsyouselectforitarestoredinthedatabase,enablingyoutoregenerate
itasneeded.
Doubleclickaniteminthelisttomodifyit.
Rightclickanitemtodeleteit.Ifyoudeleteanitemwithoutselectingitscheckbox,you
mustclickOKandthenclickYesontheresultingwarningmessage.
Add
ClickAddtocreateanewreportdefinition.TheReportSetupdialogopens:
IntheReportNamefield,specifythenameofthereport.
IntheReportOutputPathfield,specifythelocationtosavethereport.
InReportType,selectthetypeofreportyouwanttogenerate:
ProcessData
ProcessandPortData
UserData
WorkingwithEvidence
269
ExcelFile:SelecttooutputthereportasaMicrosoftExcelfile.
HTMLFormat:SelecttooutputthereportasanHTMLfile.
EditCondition...:Selecttoaddasetofconditionstoreporton.
Modify
Selectaniteminthelist,makingsurethecheckboxiscleared,thenclickModify.TheEdit
Reportdialogopens:
Makethemodificationsyouwant,thenclickOK.Themodificationsaresavedtothedatabase.
Export Selected to File
ClickExportSelectedToFiletoexportareportdefinitionfromthedatabase.TheExportToFile
dialogopens:
270
ClicktheBrowsebutton
tospecifywheretosavethereportdefinition,thenclickOK.
Import from File

ClickImportfromFiletoimportareportdefinitiontothedatabase.TheImportfromFiledialog
opens:
ClicktheBrowsebutton
tolocatethefiletoimport,thenclickOK.
Time between Queries (Minutes)

Enterorselectthenumberofminutesyouwanttopausebetweenqueries.
WinEn
WinEnisastandalonecommandlineutilitythatcapturesthephysicalmemoryonalive
computerrunningaWindowsoperatingsystem(Win2korhigher).Thephysicalmemoryimage
capturedbyWinEnisplacedinastandardevidencefile,alongwiththeusersuppliedoptions
andinformation.
WinEnrunsfromacommandpromptonthecomputerwhereyouwanttocapturethememory.
WinEnhasaverysmallfootprintinmemory,anditistypicallyrunfromaremovabledevice
suchasathumbdrive.Althoughthismethodmakesminorchangestothecomputerrunning
WinEn,thisisthemosteffectivewaytocapturephysicalmemorybeforeshuttingdowna
computer.Asalways,itisrecommendedthatexaminersdocumentandexplaintheirprocedures
forlaterreference.
WorkingwithEvidence
271
Running WinEn
TorunWinEn,openacommandpromptonthetargetcomputer.Theuserloggedonmusthave
localadministratorprivilegesonthecomputer,andyoumuststartthecommandpromptwith
thatprivilegelevel.Onceyouopenacommandprompt,runWinEnusingthesyntaxbelow.Itis
recommendedthatyoucompresstheevidencefilethatiscreatedandsaveittoremovablemedia
sothatnoadditionalchangesaremadetothetargetcomputer.
TherearethreewaystosupplynecessaryinformationtoWinEnwhenrunningfromthe
commandline:
Commandlineoptions
Configurationfile
Promptforvalue
272
Command Line Options

Syntax:winen<option><option>
p<EvidencePath>*
Pathandfilenameoftheevidencefileto
becreated(maximum32768characters)
d<Compress>*
Levelofcompression(0=none,1=fast,
2=best)
e<Examiner>*
Examinersname(maximum64characters)
m<EvidenceName>*
Nameoftheevidencewithintheevidence
file(maximum50characters)
c<CaseNumber>*
Casenumberrelatedtotheevidence
(maximum64characters)
r<EvidenceNumber>*
Evidencenumber(maximum64
characters)
s<MaxFileSize>
Maximumfilesizeofeachevidencefile
segmentinMB(default:640,minimum:1,
maximum:10737418240)
g<Granularity>
Errorgranularityinsectors(default:1,
minimum:1,maximum:1024)
b<BlockSize>
Sectorsperblockfortheevidencefile
(default:64,minimum:1,maximum:1024)
ComputeHASHwhileacquiringthe
evidence(default:TRUE,values:TRUEor
FALSE)
a<AlternatePath>
Asemicolondelimitedlistofalternate
paths(maximum32768characters)
n<Notes>
Notes(maximum32768characters)
f<ConfigurationFile>
Pathtoaconfigurationfileholding
variablesfortheprogram(maximum
32768characters)
Helpmessage
*=Requiredfield
WorkingwithEvidence
273
Configuration File
Youcancreateaconfigurationfiletofillinsomeorallofthevariables.Theconfigurationfile
needstobeintheformatOptionName=Value,andcanbeusedinconjunctionwithcommand
lineoptions.
Alloftheseoptionshavethesamerestrictionsastheircommandlinecounterparts.
Note that options entered on the command line will override the same option in the configuration file. This
way, users can override a specific setting in the configuration file by entering the appropriate information
on the command line.
Optionsfortheconfigurationfileareasfollows:
EvidencePath*
Pathandfilenameoftheevidencefileto
becreated(maximum32768characters)
Compress*
Levelofcompression(0=none,1=fast,
2=best)
Examiner*
Examinersname(maximum64characters)
EvidenceName*
Nameoftheevidencewithintheevidence
file(maximum50characters)
CaseNumber*
Casenumberrelatedtotheevidence
(maximum64characters)
EvidenceNumber*
Evidencenumber(maximum64
characters)
MaxFileSize
Maximumfilesizeofeachevidencefile
segmentinMB(minimum:1,maximum:
10737418240)
Granularity
Errorgranularityinsectors(minimum:1,
maximum:1024)
BlockSize
Sectorsperblockfortheevidencefile
(minimum:1,maximum:1024)
Hash
ComputeHASHwhileacquiringthe
evidence(TRUEorFALSE)
AlternatePath
Asemicolondelimitedlistofalternate
paths(maximum:32768characters)
Notes
Notes(maximum:32768characters)
*=Requiredfield
274
Configuration File Notes

Youcanusethepoundsign(#)asacommentdelimiter.Anythingafterapoundsignona
lineisignored.
Emptylinesintheconfigurationfileareignored.
Optionsintheconfigurationfilearenotcasesensitive.
Whitespacebeforeorafterthe<option>andbeforeorafterthe<value>isignored.White
spaceinthemiddleofanoptionisretained(suchasaspacebetweenanexaminersfirst
andlastname).
Prompt for Value

Theconsoleasksforanyrequired(*)values(Please enter a value for the option
<option>)iftheyarenotprovidedinoneoftheformatsabove.
Error Handling
Theprogramchecksallvaluesenteredtomakesuretheyconformtoexpectations.Anydeviation
causestheprogramtoexitorpromptforacorrectvalue.
Additional WinEn Information

ProgressBar:Whiletheprocessisrunningituseshash(|)marksacrossthescreenasa
statusindicator,usingthefullwidthofthescreenasthe100%mark.
Cancel:Tostoptheprocesswhileitisrunning,usetheCTRL-BREAK(orCTRL-C)key
combination.
WinEnDriver:Atruntime,WinEndropsitsdriverfileinthesamedirectorywhere
WinEnisrunning.ThisdriverisnamedWinEn_.sysorWinEn64_.sys.
Changestotargetsystem:WhenWinEnrunsonasystem,thefollowingchangescanbe
expected:
Whenexecuted,WinEnloadsintomemoryonthetargetsystem.Thisisunavoidable
andwilltakeupapproximately2.8MBofRAM.
WindowsServiceControlManagercreatesregistrykeyswhenitloadstheWinEn
driver.Thesekeysaretypicallystoredin:
HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Enum\Root\LEGACY_WIN
EN_
HKEY_LOCAL_MACHINE\SYSTEM\<ControlSet>\Services\winen_
DataiswrittentothePageFilebasedonoperatingsystemmemoryuse.
WorkingwithEvidence
275
RenamingWinEn:Asnotedabove,WinEnleavesremnantsonthesystemwhereitis
run.Ifdesired,youcanrenametheWinEnexecutablesothattheremnantsare
obfuscated.RenamingtheexecutablealsocausestheWinEndrivertoberenamed
similarly.
CHAPTER 8
Viewing File Content

In This Chapter
Viewing Files 278
File Viewers
292
View Pane
296
Viewing Compound Files
297
Viewing Base64 and UUE Encoded Files

NTFS Compressed Files
Gallery Tab
318
318
Lotus Notes Local Encryption Support
316
321
278
Viewing Files
Filesparsedfromdevicepreviewsandacquisitionscanbeviewedinvariousformats.EnCase
Enterprisesupportsviewingthefollowingfiles:
Text(ASCIIandUnicode)
Hexadecimal
Doc,nativeformatsforOracleOutsideIntechnologysupportedformats
Transcript,extractedcontentwithformattingandnoisesuppressed
Variousimagefileformats
TheDocpaneandtheTranscriptpaneuseOracleOutsideIntechnologytodisplayhundredsof
differentdocuments.
Thisallowsinvestigatorstoviewdocumentswithoutowningacopyoftheapplicationinorder
toviewthecontents.Italsoallowstheinvestigatortobookmarkanimageofthecontentsinside
aparticularapplication(suchasadatabase),oritallowsbookmarkingexacttextinsidethe
documentusingasweepingbookmark.
BeyondthoseformatssupportedbytheEnCaseapplications,investigatorscanusethirdparty
viewerstoextendtherangeoffilestheycanview.Oncetheinvestigatoraddstheviewertotheir
environmentandassociatesfileextensionswiththeviewer,thefilesofthattypecanbeviewed.
Compoundfilescontainotherfiles.Examplesofcompoundfilesincludeemailmessagesand
theirattachmentsorzipfilesandthefilestheycontain.Viewingcompoundfilesexposetheirfile
structure.
EnCaseEnterprisecanviewthestructureofthesetypesofcompoundfiles:
OutlookExpress(DBX)
Outlook(PST)
Exchange2000/2003(EDB)
LotusNotes(NSF)forversions4,5,and6
MacDMGFormat
MacPAXFormat
JungUmKoreanOfficedocuments
ZipfilessuchasZIP,GZIP,andTARfiles
Thumbs.dbfiles
Othersnotspecified
ViewingFileContent
279
Someaudiofiles,videofilesandcertaingraphicfileformatsarenotimmediatelyviewable;
however,investigatorscanassociatethirdpartyviewerstoexaminethesefilesproperly.
Copying and Unerasing Files and Folders

EnCaseSoftwarerecoversandunerasesfilesonabyteperbytebasis.Thisfeatureiscalled
Copy/UnErase.UsetheunerasefunctiontoviewdeletedfileswithinWindows.
DeletedfilesonaFATvolumehaveahex\xE5characteratthebeginning.EnCaseapplications
allowyoutoreplacethischaracterwithoneofyourchoice.Theunderscore(_)characterisused
bydefault.TheCopy/UnErasewizardprovidessettingsforunerasingthefileandthecharacter
usedtoreplacethedeletedfilecharacter.
Copy and Unerase Features

EnCaseapplicationsprovidethefollowingCopyandUneraseFeatures:
Copy/UneraseWizard
CopyFoldersDialog
Note: The Copy/Unerase functionality does not preserve folder structure, while Copy Folders functionality
does.
280
Copy/UnErase Wizard
UsetheCopy/UnErasewizardtospecifywhatfilesareunerased,howtheyareunerased,and
wherethefilesaresavedaftertheyareunerased.
TheCopy/UnErasewizardconsistsof
FileSelectionpage
Optionspage
Destinationpage
ViewingFileContent
281
File Selection Page of the Copy/UnErase Wizard

TheFileSelectionpageoftheCopy/UnErasewizardindicateswhetherasinglefileorasetof
selectedfilesarebeingcopiedandunerased.Inaddition,thecharacterthatwillbeusedto
replacethecharacterthatFATvolumesusetoindicatedeletedfilesissethere.
282
Fromcontainsthesettingsthatdetermineifonefileorseveralfileswillbecopiedandunerased.
HighlightedFile:IfnofilesareselectedintheTablepane,choosethissettingbecauseatleast
onefileisalwayshighlightedontheTablepane.Thehighlightedfilewillbecopiedand
unerased.
Allselectedfiles:WhenseveralfilesareselectedintheTablepane,usethissetting.Whenyou
choosethissetting,youhavetheoptiontocopyandunerasethehighlightedfile,ortheselected
files.
Tocontainssettingstodeterminehowmanyfileswillbeoutput,whichisonlyrelevantwhen
severalfileswereselectedtobecopiedandunerased.
SeparateFilesoutputseachfilebeingcopiedandunerasedtoitsownfile.
Mergeintoonefilemergestheoutputofalltheselectedfilesintoonefile.
ReplacefirstcharacterofFATdeletedfileswithdetermineswhichcharacterisusedtoreplace
thefirstcharacterinthefilenameofdeletedfilesintheFATfilesystem.
Status:Thislineindicatesifonefileorseveralfileswillbecopiedandunerased.
ViewingFileContent
283
Options Page of the Copy/UnErase Wizard

TheOptionspageoftheCopy/UnErasewizarddetermines:
Theextentoftheevidencefilecopied
WhethernonASCIIcharactersencounteredwillappearintheoutputtedfileorfiles
WhetherdotswillreplacenonASCIIcharactersintheoutputtedfileorfiles
Whethererrorsinthefileswillpausetheoperationandwaitforuserinput
SettingsonthispageinvolveRAMslack,whichisthebufferbetweenthelogicalareaandthe
startofthefileslack.RAMslackissometimesreferredtoassectorslack.
284
Copycontainsthesettingsthatdeterminetheextentofthecontentoftheevidencefiletobe
copied.
LogicalFileOnly:Copy/Uneraseisperformedonthelogicalfileonly,whichdoesnotinclude
thefileslack.
EntirePhysicalFile:Copy/Uneraseisperformedontheentirephysicalfile,whichincludesthe
logicalfileandfileslack.
RAMandDiskSlack:Copy/UneraseisperformedonboththeRAManddiskslack.
RAMSlackOnly:Copy/UneraseisperformedontheRAMslackonly.
CharacterMaskcontainssettingsthatdeterminewhatcharactersarewrittenintothefileorfiles
createdbytheCopy/UnEraseoperation.
None:Nocharactersaremaskedoromittedfromthefilenamesoftheresultingfiles.
DonotWriteNonASCIICharacters:NonASCIIcharactersaremasked,oromitted,fromthe
filenamesoftheresultingfiles.AllcharactersexceptnonASCIIcharactersareused.
ReplaceNONASCIICharacterswithDOT:NonASCIIcharactersarereplacedwithperiodsin
thefilenamesoftheresultingfiles.
ShowErrors:Theapplicationqueriestheuserwhenerrorsoccur.Thispreventsunattended
executionofthecopyanduneraseoperation.
ViewingFileContent
285
Destination Page of the Copy/UnErase Wizard

TheDestinationpageoftheCopy/UnErasewizarddetermineswheretheoutputofthecopyand
uneraseoperationissaved,howmanyfileswillbecreatedwhenafiletobeoutputgrowstoo
large,whethertheinitializedsizeisused,andthedestinationfoldercontainingtheoutputofthe
copyanduneraseoperation.
Copydisplaysthenumberoffilestobecopiedandunerased,andthetotalnumberofbytesthat
comprisethefileorfilesbeingcreated.
Pathcontainsthepathandfilename,withinthefilesystemoftheinvestigatorsmachine,ofthe
fileorfilescreated.
Splitfilesabovecontainsthemaximumlength,notexceeding2000MB,ofanyfilecreatedbythe
Copy/Uneraseoperation.Whenthetotalnumberofbytescomprisinganoutputfileexceedsthis
value,theadditionaloutputiscontinuedinanewfile.
UseInitializedSizedeterminesifonlytheinitializedsizeofanentrywillbesearched,as
opposedtothelogicalsize(whichisthedefault)orthephysicalsize.Thissettingisonlyenabled
forNTFSfilesystems.WhenanNTFSfileiswritten,theinitializedsizecanbesmallerthanthe
logicalsize,inwhichcasethespaceaftertheinitializedsizeiszeroedout.
286
Copy Folders Dialog

UsethisdialogwhencopyingentirefoldersselectedintheTreepanewhilepreservingthefolder
structure.
ViewingFileContent
287
SourcedisplaystheEntitiesfolderbeingcopiedandunerased.
Copydisplaysthenumberoffilestobecopiedandunerased,andthetotalnumberofbytesthat
comprisethefileorfilesbeingcreated.
Pathcontainsthepathandfilename,withinthefilesystemoftheinvestigatorsmachine,ofthe
fileorfilescreated.
ReplacefirstcharacterofFATdeletedfileswithdetermineswhichcharacterisusedtoreplace
thefirstcharacterinthefilenameofdeletedfilesintheFATfilesystem.
Splitfilesabovecontainsthemaximumlength,notexceeding2000MB,ofanyfilecreatedby
thecopyanduneraseoperation.Whenthetotalnumberofbytescomprisinganoutputfile
exceedsthisvalue,theadditionaloutputisdirectedtoandcontinuedinanewfile.
Copyonlyselectedfilesinsideeachfolder:Ifindividualfileswereselectedwithinafolderor
folders,thissettingdeterminesifonlythefilesorallthefilesinthefolderwillbecopiedand
unerased.
ShowErrors:Whenselected,theapplicationdoesnotquerytheuserwhenerrorsoccur.This
allowsunattendedexecutionofthecopyanduneraseoperation.
288
Copying and Unerasing Files
To copy and unerase a file

1. IntheTreepane,highlightthefoldercontainingthefileorfilestobeunerased.
TheTablepanedisplaysthecontentsofthefolder.
2. IntheTablepane,highlightthefileorselectthefilesyouwanttounerase.
ViewingFileContent
289
3. RightclickonthehighlightedfileandclickCopy/UnErase.
TheFileSelectionpageoftheCopyandUnErasewizardappears.
4. CompletetheFileSelectionpageoftheCopy/UnErasewizard.Fordetailedinstructions,
seeCompletingtheFileSelectionPage.
5. ClickNext.
TheOptionspageoftheCopy/UnErasewizardappears.
6. CompletetheOptionspageoftheCopy/UnErasewizard.Fordetailedinstructions,see
CompletingtheOptionsPage.
7. ClickNext.
TheDestinationpageoftheCopy/UnErasewizardappears.
8. CompletetheDestinationpageoftheCopy/UnErasewizard.Fordetailedinstructions,
seeCompletingtheDestinationPage.
9. ClickFinish.
Thecopyanduneraseoperationexecutes.Theresultingfilesaresavedinthedirectory
specifiedontheDestinationpage.
Completing the File Selection Page

TheFileSelectionpageisthefirstpageoftheCopy/UnErasewizard.
1. IfseveralfileswereselectedontheTablepanebeforeyouopenedthewizard:
a. Determineifthehighlightedfile,ortheselectedfilesshouldbecopiedand
unerased.
b. ClickeitherHighlightedFile,orAllselectedfiles,asappropriate.
2. IfseveralfileswereselectedontheTablepanebeforeyouopenedthewizard:
a. Determineifyouwantacollectionoffilesorasinglefileastheresultofthecopy
anduneraseoperation
b. ClickeitherSeparateFiles,orMergeintoonefile,asappropriate.
3. Ifyouwanttouseacharacterotherthantheunderlinecharacterasthereplacementfor
theFATfilesystemdeletedfileindicator,typethecharacterintotheReplacefirst
characterofFATdeletedfileswithfield.
4. ClickNext.
TheOptionspageoftheCopy/UnErasewizardappears.
290
Completing the Options Page

TheOptionspageisthesecondpageoftheCopy/UnErasewizard.
1. Determinethescopeofwhatistobecopiedandunerased,andclickonthecontrolthat
capturestheappropriatescope.
2. Determinethetypeofmaskyouwanttoemployduringthecopyanduneraseoperation,
andclickonthecontrolthatusesthemask.
3. Decideifyouwantthecopyanduneraseoperationtostopwhenitencountersanerror,
orcontinueexecutioneveniferrorsarefound.Thisisthesameasaskingifyouwantthe
copyanduneraseoperationtorununattended.Forunattendedexecution,selectShow
Errors;otherwise,clearShowErrors.
4. ClickNext.
TheDestinationpageoftheCopy/UnErasewizardappears.
Completing the Destination Page

TheDestinationpageisthelastpageoftheCopy/UnErasewizard.
1. Ifdesired,provideapathtoandfilenamewheretheresultsoftheCopy/Unerase
operationwillbesaved.
2. Ifdesired,changetheSplitfilesabovevalue.
3. IfUseInitializedSizeisenabledandyouwanttouseit,selectUseInitializedSize.
4. ClickFinish.
Thecopyanduneraseoperationbegins.Asitruns,thethreadstatuslineprovidesan
indicationofprogress.Whenthethreadcompletes,aresultsdialogisdisplayed.The
resultsaresavedintheappropriatefolderinthefilesystemand,ifrequested,theresults
filesareburnedontothediscinthedefaultorspecifieddirectory.
Note: The thread status line provides an indication of progress.
Copying and Unerasing Bookmarks

YoucanCopy/Unerasebookmarkedfilesaswell.Theprocessisthesamewhethercopying
singleormultiplebookmarks.Ifthefilewasdeletedandresidesinunallocatedspace,the
Copy/UnErasewizardtriestocopytheentireunallocatedspace,sincethedatapertainingtothe
fileresidesthere.
1. OntheBookmarkTreetab,selectthedesiredbookmarkfolder.
2. IntheTablepane,selectthedesiredbookmarks.
ViewingFileContent
291
3. RightclickintheTablepane,andselectTagSelectedFiles.
Thefilesassociatedwiththedeletedbookmarksareselectedandconsolidatedonthe
EntriesTablepane.
4. MovetotheEntriespane,andintheTablepane,rightclickoneoftheselectedfiles.
5. ClickCopy/Unerase.
TheFileSelectionPageoftheCopy/UnErasewizardappears.
6. Continuethecopyanduneraseprocessatstep4ofCopyingandUnerasingFiles
Thefilesassociatedwiththeselectedbookmarksarecopiedandunerased.
Copying Folders
292
1. IntheTreepane,selectthefolderorfolderstocopyandunerase.
2. Ifdesired,intheTablepaneclearanyindividualfilesthatshouldnotbecopiedand
unerased.
3. RightclickintheTablepane,thenselectCopyFolders.
TheCopyFolderdialogappears.
4. Modifythesettingsonthisdialogasdesired.Formoreinformation,seeCopyFolders
Dialog(onpage286).
Thecopyoperationbegins.Asitruns,thethreadstatuslineprovidesanindicationof
progress.Whenthethreadcompletes,aresultsdialogappears.Theresultsaresavedin
theappropriatefolderinthefilesystem.
Note: The thread status line provides an indication of progress. You can terminate processing at the thread
status line.
File Viewers
Occasionally,aninvestigatorfindsfiletypesthatEnCaseapplicationsdonothavethebuiltin
capabilitiestoview,oryoumightwanttoviewafiletypeusingathirdpartytoolorprogram.In
eithersituation,youmust:
AddafileviewertoyourEnCaseapplication.SeeAddingaFileViewertoyourEnCase
Application(onpage294).
Associatethefileviewersfiletypeswiththeviewer.SeeAssociatingtheFileViewers
FileTypeswiththeViewer(onpage295).
File Viewer Features

EnCaseapplicationsprovidethefollowingfileviewerfeatures:
NewFileViewersDialog
ViewFileTypeDialog
ViewingFileContent
293
New File Viewer Dialog

UsetheNewFileViewerdialogtoaddfileviewerstoyourEnCaseapplication.
Nameisthenameofthefileviewer.
MaximizeViewDialogchecktoopenthefileviewerinamaximizednewwindow.
ApplicationPathcontainsthefilenameandpathtotheviewersexecutable.
CommandLinecontainsareferencetotheexecutableandanyparametersusedtocustomizethe
executionoftheviewer.
Viewer File Type Dialog

TheViewerFileTypedialogassociatesfiletypeswithviewers.
294
Descriptionisthefiletypetobeassociatedwiththefileviewer.
Extensionsisalistoffiletypestobeassociatedwiththefileviewer.
Picture:checktodisplaythefileasapictureintheGallerytab.
Viewercontainsoptionsselectingthetypeofviewer,andinthecaseofInstalledViewers,a
specificviewerassociatedwiththefiletypeyoudefine.
ClickEnCasetoassociatethebuiltinEnCaseviewerwiththefiletypeyoudefine.
ClickWindowstoassociateWindowswiththefiletypeyoudefine.
ClickInstalledViewertoassociateaninstalledviewerwithafiletype.UsetheInstalled
ViewersTreetoselectthespecificviewer.
InstalledViewersTreeliststheFileViewerscurrentlyknowntoyourEnCaseapplication.
Adding a File Viewer to Your EnCase Application

Figure30
1. DisplaytheFileViewerstreeintheTreepane:
Onthemainwindow,clickView>FileViewers,or
OntheTreepane,clickFileViewers.
TheFileViewertreeappears.
ViewingFileContent
295
2. RightclicktherootoftheFileViewerstree,andselectNew.
TheNewFileViewerdialogappears.
3. Browsetothefileviewersexecutable,makeanyotherchangestothesettingsonthe
dialog,andclickOK.
Thefileviewerappearsinthefileviewertable.
Associating the File Viewer's File Types with the Viewer

WhenyouaddanewfileviewertoyourEnCaseapplication,youmustassociatethatviewers
filetypes.
1. DisplaytheFileViewerstreeintheTreepane:
296
Onthemainwindow,clickView>FileTypes,or
OntheTreepane,clickFileTypes.
TheFileTypestreeappears.
2. RightclickontherootoftheFileTypestree,andselectNew.
TheViewerFileTypedialogappears.
3. IntheViewerbox,clickInstalledViewerandselectthefileviewertoassociatewiththe
filetypefromtheFileViewerstree.
4. Enteradescriptionandthefileextensionsofthefiletypes.
5. Ifthefileviewerdisplayspictures,checkPicture.
6. ClickOK.
Thefilesenteredarenowassociatedwiththeselectedfileviewer.
View Pane
TheViewpaneprovidesseveralwaystoviewfilecontent:
TheTexttaballowsyoutoviewfilesinASCIIorUnicodetext
TheHextaballowsyoutoviewfilesasstraightHexadecimal.
TheDoctabprovidesnativeviewsofformatssupportedbyOracleOutsideIn
technology.
TheTranscripttabdisplaysthesameformatsastheDoctab,butfiltersoutformatting
andnoise,allowingyoutoviewfilesthatcannotdisplayeffectivelyintheTexttab.
ThePicturetaballowsyoutoviewgraphicfiles.
ViewingFileContent
297
Viewing Compound Files

Youcanviewtheindividualcomponentsofcompoundfileswithinanevidencefile.
Compoundfilesaretypicallycomprisedofmultiplelayerscontainingotherfiles.Youcanview
thesetimesofcompoundfilesintheEnCaseapplication:
RegistryFiles
OLEFiles
CompressedFiles
LotusNotes
MSExchange
OutlookExpressemail
MSOutlookemail
WindowsThumbs.db
AmericanOnlineARTFiles
HangulKoreanOfficedocuments
MacintoshPAXfiles
Note: In addition, the File Mounter EnScript program allows the examiner to select a file type (DBX, GZip,
PST, Tar, Thumbs.db or Zip), provided they have a valid signature, and mount them automatically.
Viewing File Structure

Oncefilesarepartofthecase,theycanbeviewedinvariousoutputformats.Viewingthe
structureofacompoundfilerevealswhichfilescompriseit.
Beforeyoubegin:
1. Openacase.
2. Enablesinglefiles.
3. TheEntriestreeontheEntriestabandEntriestablearedisplayed.
298
4. DraganddropthefilestobeviewedintotheEntitiestableintheTablepane.
To view a compound file:

1. NavigatetothecompoundfiletobeviewedasitappearsintheTablepane.
2. Rightclickthecompoundfiletobeviewed,andclickViewFileStructure.
TheViewFileStructuremessageboxappears.
3. ClickYes.
ThecompoundfileisreplacedintheTreepaneandTablepanewithafolderanda
compoundvolumeicon.
Thefilestructureofthecompoundfiledisplays,andcomponentfilesdisplayintheviewofyour
choice.
ViewingFileContent
299
Viewing Registry Files

TheWindowsregistrycontainsvaluabledatathatprovidesagreatdealofinformationaboutthe
setupofthesubjectcomputer.RegistryfilesofWindows95,98,ME,NT4.0,2000,andXP
computerscanbemounted.
Windows95,98,andMEcomputershavetworegistryfiles.Theyarelocatedinthesystemroot
folder,whichisnormallyC:\Windows.Thefilenamesaresystem.dat anduser.dat.
WindowsNT4.0,2000,andXPdividetheregistryintofourseparatefiles.Theyare:
Security
Software
SAM
System
ThesefilesarestoredinC:\%SYSTEMROOT%\system32\config\.
300
To view or mount registry files:

1. Navigatetotheregistryfileyouwanttoviewormount.
2. Continuewithstep2ofViewingFileStructure.
Thefilestructureoftheregistryfiledisplays,andcomponentfilesorlayersinthe
compoundvolumefoldercanbeopenedanddisplayedintheviewofyourchoice.
ViewingFileContent
301
Viewing OLE Files

OLEisMicrosoftsObjectLinkingandEmbeddingtechnologyusedintheMicrosoftOfficesuite
ofproducts.Forexample,OLEallowsanExcelspreadsheettobeseamlesslyembeddedintoa
Worddocument.MicrosoftOfficedocumentsthatusethistechnologyarelayeredcompound
files.
To view or mount OLE files

1. NavigatetotheOLEfileyouwanttoviewormount.
2. Continuewithstep2ofViewingFileStructures.
ThefilestructureoftheOLEfiledisplays,andcomponentfilesorlayersinthecompound
volumefoldercanbeopenedanddisplayedintheviewofyourchoice.
302
Viewing Compressed Files

EnCaseapplicationscanmountcompressedfilesincludingWinZip(.zip)GZip(.gz)andUnix
tapearchive(.tar)files.Thecontentsaredisplayedaslongasthecontainerisnotpassword
protected.
Onlythemodifieddateandtimesareshownon.gzand.tarfiles,asthecompressionprocesses
donotstoreanyotherdatesortimes.GZipfilesarenotlabeledbyname,onlybytheircontent
filetypeanda.gzextension.Forexample,decompressingthefiledocument.doc.gzdisplaysthe
uncompressed.docfile.
To view or mount compressed files:

1. Navigatetothecompressedfileyouwanttoviewormount.
Thefilestructureofthecompressedfiledisplays,andcomponentfilesorlayersinthe
compoundvolumefoldercanbeopenedanddisplayedintheviewofyourchoice.
ViewingFileContent
303
Viewing Lotus Notes Files

LotusNotesversions5,6,6.5,and7provideNSFsupport,whichallowsyoutoviewemail,
appointments,andjournalentries.
1. Navigatetothe.NSFfileyouwanttoviewormount.
2. Asneeded,selectCalculateunallocatedspace,thenselectFinddeletedcontent.
Thefilestructureoftheemail(.nsf)filedisplays,andcomponentfilesorlayersinthe
compoundvolumefoldercanbeopenedanddisplayedintheviewofyourchoice.Notice
theiconforthecompoundemailfilelookslikeadiskdrive,andnocompoundvolume
indicatorisaddedtotheiconafteritisparsed.
Viewing MS Exchange Files

MSExchange2000/2003.edbsupportprovidestheabilitytoviewmailboxesandemails.
1. Navigatetothe.edbfileyouwanttoviewormount.
2. AsneededselectCalculateunallocatedspace,thenselectFinddeletedcontent.
Thefilestructureoftheemail(.edb)filedisplays,andcomponentfilesorlayersinthe
thattheiconforthecompoundemailfilelookslikeadiskdrive,andnocompound
volumeindicatorisaddedtotheiconafteritisparsed.
Exchange Server Synchronization

TheMSExchangeServerstoresemailmessagesinanEDBfileonaserverwithacorresponding
logfilenamedE##.log.ThelogfileiswhereExchangestoresdatatobecommittedtotheEDB
file.InolderServerversions,thereisalsoacorresponding.stmfile.Whenthelogfilecontains
datathathasnotbeencommittedtotheEDBfile,theEDBfileisinaninconsistentordirty
state.EnCaseisunabletoparseinconsistentEDBfiles.
Tosynchronizethestructure,dothefollowing:
1. StoptheExchangeServerservice(ifrunning).
2. TurnExchangeServerfileshadowingon.
3. CopythefollowingfoldersfromtheExchangeServertoanEnCaseworkingfolder:
Thebindirectorytogettheeseutil.exeprogram.
ThemdbdatadirectorywhichcontainsboththeprivateandpublicEDBfiles.
304
4. Starteseutil.exeusingtheWindowsStartRun[location]\eseutilcommand.
5. Usetheeseutil.execommandlinetooltochecktheconsistencyofthestatefieldas
follows:
[file location]\eseutil /mh [filepath]priv1.edb
[file location]\eseutil /mh [filepath]pub1.edb
IftheEDBfileisinaninconsistentstate,firsttrytorecover,asfollows:
C:\Exchange\BIN\Eseutil.exe /r E##.ClickYestoruntherepair.
Notethatthethreecharacterlogfilebasenamerepresentsthefirstlogfile.
Filesaresequentiallynamed,withE##.logbeingthefirstlogfile.
Runacheck(step5)ontheresultingEDBfile.Ifthefileisstillinaninconsistentstate,attemptto
repairtheEDBfile.Thismayresultinthelossofsomedatacurrentlyinthe.logfiles.Runthe
repairasfollows:
C:\Exchange\BIN\Eseutil.exe /p
ForadditionalinformationontheEseutilprogram,readtheMicrosoftarticleat
http://support.microsoft.com/kb/272570/enus(http://support.microsoft.com/kb/272570/enus).
Cleaning an EDB Database

TheMSExchangeServerstoresemailmessagesinanEDBfileonaserverwithacorresponding
logfilenamedE##.log.ThelogfileiswhereExchangestoresdatatobecommittedtotheEDB
file.InolderServerversions,thereisalsoacorresponding.stmfile.Whenthelogfilecontains
datathathasnotbeencommittedtotheEDBfile,theEDBfileisinaninconsistentordirty
state.EnCaseisunabletoparseinconsistentEDBfiles.
WhenanEDBfileisdirty,thereareseveralteststhatcanberunonittodeterminewhetherthe
filesaremerelyoutofsync,orareinfactcorruptandunusable.
Thenextsectiondiscussesthesetests.
ViewingFileContent
305
Testing an EDB File

ThissectiondescribeshowtodeterminewhethertheEDBdatabaseisinausablestate.
AcquiretheEDBdatabase,includingtheentirebinandmdbdatafolderspriortorunningthese
checks.Makesureallcodepagesareinstalledonyourcomputer.
Themdbdatafoldercontainsthepublicandprivatedatabasesandthetransactionallogswhich
aremostimportantwhencleaningadatabase.TheBINfoldercontainseseutil.exe.
1. Runeseutil.exefromWindowsStartRun.
2. Usetheeseutil.execommandlinetooltochecktheconsistencyofthestatefieldas
follows:
[file location]\eseutil /mh [filepath]priv1.edb
[file location]\eseutil /mh [filepath]pub1.edb
IftheEDBfileisinaninconsistentstate,firsttrytorecover,asfollows:
C:\Exchange\BIN\Eseutil.exe /r E##.ClickYestoruntherepair.
Notethatthethreecharacterlogfilebasenamerepresentsthefirstlogfile.
Filesaresequentiallynamed,withE##.logbeingthefirstlogfile.
Runacheck(step2)ontheresultingEDBfile.Ifthefileisstillinaninconsistentstate,attemptto
repairtheEDBfile.Thismayresultinthelossofsomedatacurrentlyinthe.logfiles.Runthe
repairasfollows:
C:\Exchange\BIN\Eseutil.exe /p
ForadditionalinformationontheEseutilprogram,readtheMicrosoftarticleat
http://support.microsoft.com/kb/272570/enus(http://support.microsoft.com/kb/272570/enus).
306
Recovering a Database
TheseinstructionsdescribehowtorecoverfromadirtyEDBdatabase.
Enterthesecommands:"C:\Exchange\BIN\Eseutil.exe" /r E## [options]
Optionsinclude:
/l<path>locationoflogfiles
/s<path>locationofsystemfiles
/i<path>ignoremismatched/missingdatabaseattachments
/d<path>locationofdatabasefiles
/osuppresslogo
Repairing a Database
TheseinstructionsdescribehowtorepairanEDBdatabase.
Enterthesecommands:"C:\Exchange\BIN\Eseutil.exe" /p <database name>
[options]
Optionsinclude:
/s <file>setstreamingfilename
/ibypassthedatabaseandstreamingfilemismatcherror
/osuppresslogo
/createstmcreateemptystreamingfileifmissing
/grunintegritycheckbeforerepairing
/t <database>settemporarydatabasename
/f <name>setprefixtousefornameofreportfiles
ViewingFileContent
307
Viewing Outlook Express Email

EnCaseapplicationscanreadOutlookExpress.dbxfiles.Afterthefilestructureisparsed,the
EntriesandRecordstablesintheTablepanelistsindividualemailsbytheirsubjectline.The
recordstablepaneliststheattachments.TheViewpanedisplaysthecontentsoftheselected
emailorattachment.
Deletedemailsandattachmentscanberetrievedfromunallocatedclusters.
308
1. Navigatetothe.dbxfileyouwanttoviewormount.
2. AsneededselectCalculateunallocatedspace,thenselectFinddeletedcontent.
ViewingFileContent
309
Thefilestructureoftheemail(.dbx)filedisplays,andcomponentfilesorlayersinthe
310
Viewing MS Outlook Email

TheprocessofmountingOutlook.pstfilesisidenticaltothatofOutlookExpressaspreviously
described.WhenEnCaseapplicationsmountanOutlook.pstfile,messagesareviewableby
clickingonthePR_BodyfileandselectingtheTexttabintheViewpane.Becausethetextis
likelyUnicode,applyaunicodetextstyletomakeiteasiertoread.
Whenexpanded,thetoplevel(ortoproot)ofthe.pstfiledirectorycontainsmultiplefolders,
including
Inboxprops(properties)
Messagestore(storage,containingthePR_PST_PASSWORDfileandotherIDs)
Nametoidmap
Rootfolder
TheRootfoldercontains:
SearchRoot(reservedforfutureuse)
TopofPersonalFolders,containingtheInbox,SentItems,andDeletedItems
Each.pstemailmessagefileappearsasafolderwithallmessagepropertieswithinthefolderas
wellasanyattachments.
Manyofthefieldswithinthe.pstmailfolderareduplicated,whichispartofthe.pstformat.Ifa
keywordisamatchwithinacertainfield,itisduplicatedinthesecondaryfieldaswell.Created,
writtenandmodifieddatesaresetbytheemailmessages.Outlookcalendarentries(created,
writtenandmodifieddates)aresetbythecalendarapplications.
ViewingFileContent
311
ToviewormountanMSOutlookemail:
1. Navigatetothe.pstfileyouwanttoviewormount.
Thefilestructureoftheemailfiledisplays,andcomponentfilesorlayersinthe
thattheiconforthecompoundemailfilelookslikeavolumeafteritwasmounted.
Viewing Macintosh .pax Files

YoucanparseMacintosh.paxfilesformattedwiththecpiofileformatcanbeparsedusingView
FileStructure.
1. Navigatetothe.paxfileyouwanttoviewormount.
312
Thefilestructureoftheemail(.PAX)filedisplays,andcomponentfilesorlayersinthe
ViewingFileContent
313
Viewing Windows Thumbs.db

EnCaseapplicationssupportparsingtheWindowsthumbs.dbcacheforimages.Oncemounted
thethumbnailcachevolumeandtheversionappear.V2thumbnailsareinbitmapformat,
whereaslaterversionsaremodified.pngs.TheRootEntryfoldercontains:
thecatalogfileofcachedthumbnailnames
theirfullpath
thecachedimagesthemselves
Thumbs.dbalsocontainsarecordoftheimagesLastWrittendate.
314
ToviewormountaWindowsthumbs.dbfile:
1. Navigatetothedesiredfileinthethumbs.db.
2. Rightclickthefile,thenclickViewFileStructure.
3. Asneeded,selectCalculateunallocatedspace.
Thefilestructureoftheemail(.PST)filedisplays,andcomponentfilesorlayersinthe
compoundvolumefoldercanbeopenedanddisplayedintheviewofyourchoice.The
compoundvolumeindicatorisaddedtothethumbs.dbfolderafteritisparsed.
America Online .art Files

EnCaseapplicationssupportAmericaOnline.artformatimagesinthePictureandGallerytabs.
.artsupportrequiresinstallationoftheInternetExplorerAOLSupportmoduleontheexaminer
machine.Theinstallerisavailabletodownloadfrom
http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/aolsupp.mspx
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/aolsupp.mspx).
Thisinstallsthefiles:
Jgaw400.dll
Jgdw400.dll
Jgmd4.dll
Jgpl400.dll
Jgsd400.dll
Jgsh400.dll
This update is only required for Windows 2000. Newer operating systems do not need this patch.
Viewthefileinthepictureorgalleryviewasanyotherimagefile.
Occasionally corrupt .art files can cause EnCase to stop responding. If this occurs, try lowering the invalid
picture timeout setting (In Global Options) or simply disable "Enable ART and PNG image display", also in
Global options.
ViewingFileContent
315
Viewing Office 2007 Documents

MicrosoftsOffice2007documentsarestoredintheOfficeOpenXMLfileformat.Thisisa.zip
fileofvariousXMLdocumentsdescribingtheentiredocument.TheEnCasesuitesupports
viewingOffice2007Word,ExcelandPowerPointdocumentfiles.
EnCaseextractstextfromWord,Excel,andPowerPointdocumentsItparsesExcelworksheet
valuesaswell.
Rightclickthedesiredfile,thenclickViewFileStructure.
1. NavigatetoanXMLfilecontainingchildnodes.
2. Theviewerdisplaystextfromthedocument.
316
Viewing Base64 and UUE Encoded Files

EnCaseapplicationsautomaticallydisplayBase64andUUEencodedattachmentswhenthemail
fileismounted.Fortheseencodedfiles,youeitherperformakeywordsearchforBase64orUUE,
oryounoticethatafileisencodedassuch.
ViewingFileContent
317
To view Base64 and UUE encoded files

1. HighlightthefileintheTablepane,sothatthecontentofthefileappearsintheTexttab
oftheViewpane.
2. Highlightthefirstcharacter,rightclick,andclickBookmarkData.
318
TheBookmarkDatadialogappears.
3. InDataType,selecteitherBase64EncodedPictureorUUEEncodedPicture.
ThepicturedisplaysintheContentspane.
NTFS Compressed Files

EnCasedecompresses,viewsandsearchesNTFScompressedfilesinrealtime,orinanonthefly
mannerbydetectingacompressedfile,thenautomaticallypreparingitforanalysis.
TheinvestigatorcanviewuncompressedfiledataintheDisktaboftheTablepane.
Gallery Tab
TheGallerytabprovidesaquickandeasywaytoviewimagesstoredonthesubjectmedia.This
includesallimagespurposelystoredaswellasthoseinadvertentlydownloadedfromtheWeb.
Youcanaccessallimageswithinahighlightedfolder,highlightedvolume,ortheentirecase.Ifa
folderishighlightedintheTreepane,allfilesinthefolderaredisplayedintheTablepane.
ClickingafoldersSetIncludeselectsallfilesinthatfolderandfilesinanyofitssubfolders.
OnceselectedontheTablepane,anyimagesintheselectedfilesdisplayinGallerytab.
YoucanbookmarkimagesintheGallerytabanddisplaytheminthereport.
TheGallerytabdisplaysfilesbasedontheirfileextensionbydefault.Forexample,ifa.jpgfile
hasbeenrenamedto.dll,itWILLNOTbedisplayedintheGallerytabuntilyourunaSignature
Analysis(onpage327).Oncethesignatureanalysisrecognizesthatthefilewasrenamedand
thatthefileisactuallyanimage,itisdisplayedintheGallerytab.
EnCaseapplicationsincludebuiltincrashprotection,whichpreventscorruptedgraphicimages
fromappearingintheGalleryorPicturetab.Thecorruptimagesarestoredincachesothatthey
arerecognizedthenexttimetheyareaccessed.Noattemptismadetodisplaythem.These
imagesarecachedatthecaselevelsotheydonotattempttodisplayinthatcasefileagainuntil
yourunasignatureanalysis.
Youcanclearthecache.Thissettingappearsontheshortcutmenuonlyifacorruptimageis
encountered.Thetimeoutdefaultsto12secondsforthethreadtryingtoreadacorruptimage
file.YoucanmodifythetimeoutontheGlobaltaboftheOptionsdialog.
ViewingFileContent
319
Bookmarking an Image
YoucanbookmarkimagesontheGallerytaboftheTablepane.
Figure31
1. Selectthedesiredimageorimages.
2. Rightclickthehighlightedimage,andclickBookmarkFile.
TheBookmarkFilesdialogappears.
3. Modifythesettingsasneeded,andclickOK.
Theimageorimagesarebookmarked.TheyareintheTablepanewhentheBookmark
treedisplays.
320
Reducing the Number of Images Per Row

YoucanreducethenumberofimagesdisplayedinarowintheGallerytab.
To reduce the number of images displayed in a row in the gallery tab

RightclickonanyimageontheGallerytab,andclickFewerColumns.
Increasing the Number of Images Per Row

YoucanincreasethenumberofimagesdisplayedperrowintheGallerytab.
To increase the number of images displayed per row in the gallery tab
RightclickonanyimageintheGallerytab,thenclickMoreColumns.
ViewingFileContent
321
Clearing the Invalid Image Cache

Theprogramincludesbuiltincrashprotection,whichpreventscorruptedgraphicimagesfrom
appearinginGalleryorPictureview.ThecorruptimagesarestoredinacachesothatEnCase
recognizesthemthenexttimetheyareaccessed,anddoesnotattempttodisplaythem.These
imagesarecachedatthecaselevelsothattheimagesdonotattempttodisplayinthatcasefile
again.
Beforeyoucanclearthecache,theCasestreedisplaysintheCasestaboftheTreepane.Youcan
clearthecacheonlyifacorruptimageisencountered.
1. RightclickontheCasesrootobjectintheCasesTree.
2. ClickClearinvalidimagecache.
Lotus Notes Local Encryption Support

EnCasecandecryptalocalLotusNotesusermailbox(NSFfilesuffix).Thelocalmailboxisa
replicaofthecorrespondingencryptedmailboxontheDominoserver.
EachDominoserveruserhasacorrespondingNSFfilerepresentingthatusersmailboxin8.3
format.Thedefaultpathis<Domino Installation Folder>\Data\Mail\<user>.nsf.
TheLotusNotesclientissetuptousethelocalmailbox.Synchronizationbetweenthelocaland
servermailboxesoccursaccordingtoareplicationscheduledeterminedbytheDomino
administrator.
Encryptionofthelocalmailboxisnotmandatorybutitisadvisable,becausewithoutencryption
apersonfamiliarwiththeNSFfilestructurecouldreademailwithoutneedingLotusNotes.
Encryptionoccursatblocklevel.
322
Determining Local Mailbox Encryption

Lookintheheader(thefirst0x400bytes)atoffset0x282.Ifthebyteis0x1,themailboxislocally
encrypted.
Parsing a Locally Encrypted Mailbox

1. ObtainthecorrespondingIDfilefromtheDominoserver.AlluserIDfilesarebackedup
ontheservereitherondiskasafileorintheDominodirectoryasanattachmenttoemail.
2. ParseitusingViewFileStructure,sothattheprivatekeyisinsertedinSecureStorage.
ViewingFileContent
323
Encrypted Block
Theexamplebelowshowsanencryptedblockatoffset0x22000:
Thedecryptionalgorithmusesaseedthatisbasedonthebasicseedfromtheheaderandthe
blockoffset.
324
Decrypted Block
Hereisanexampleofadecryptedobjectmapatoffset0x22000:
ViewingFileContent
Locally Encrypted NSF Parsing Results

AsuccessfullyparsedlocallyencryptedNSFlookslikethisinEntryview:
325
326
IfthecorrespondingIDfilecannotbeparsedsuccessfully,theSecureStorageisnotpopulated
withthedataneededtoparsethelocallyencryptedNSF;thus,theLotusvolumeisempty:
CHAPTER 9
Analyzing and Searching

Files
In This Chapter
Signature Analysis
327
EnScript Programming Language
337
Hash Analysis 338

File Hashing 339
Hash Sets
340
Keyword Searches
343
Encode Preview
363
Indexing
365
Generating an Index 367

Searching for Email
369
App Descriptors
378
Encryption Support
381
EFS Files and Logical Evidence (LO1) Files 399
328
Signature Analysis
Therearethousandsoffiletypes,someofthemarestandardized.TheInternationalStandards
Organization(ISO)andtheInternationalTelecommunicationsUnionTelecommunication
StandardizationSector(ITUT)areworkingtostandardizedifferenttypesofelectronicdata.
TypicalgraphicfileformatssuchasJPEG(JointPhotographicExpertsGroup)havebeen
standardizedbybothorganizations.Whenafiletypeisstandardized,asignatureor
recognizableheaderusuallyprecedesthedata.Fileheadersareassociatedwithspecificfile
extensions.Signatureanalysiscomparesfileheaderswithfileextensions.
File Signatures
Fileextensionsarethecharacters(usuallythree)followingthedotinafilename(e.g.,
signature.doc).Theyrevealthefilesdatatype.Forexample,a.txtextensiondenotesatextfile,
while.docconnotesadocumentfile.Thefileheadersofeachuniquefiletypecontainidentifying
informationcalledasignature.Allmatchingfiletypeshavethesameheader.Forexample,.BMP
graphicfileshaveBM8asasignature.
Atechniqueoftenusedtohidedataistoattempttodisguisethetruenatureofthefileby
renamingitandchangingitsextension.Becausea.jpgimagefileassigneda.dllextensionisnot
usuallyrecognizedasapicture,comparingafilessignature,whichdoesntchange,withits
extensionidentifiesfilesthatweredeliberatelychanged.Forexample,afilewitha.dllextension
anda.jpgsignatureshouldpiqueaninvestigatorsinterest.
Note: The software performs the signature analysis function in the background.
AnalyzingandSearchingFiles
329
File Signatures with Suffixes

Ashadowdirectoryisadirectorytypecontainingsymboliclinksthatpointtorealfilesina
directorytree.Thisisusefulformaintainingsourcecodefordifferentmachinearchitectures.You
createashadowdirectorycontaininglinkstotherealsource,whichyouusuallymountfroma
remotemachine.
TheVistaoperatingenvironmentusesshadowdirectories,andEnCasesoftwaresabilityto
suffixafilesignaturetakesthesedirectoriesintoaccount.Extensionsuffixesarecreatedby
addinganunderscoreandasterisktotheendoftheextension.Thefigureshowssucha
TrueTypeextensionandsuffix(ttf_*).
Viewing the File Signature Directory

AFileSignaturetablelistssignaturestheEnCasesoftwarerecognizes.Thetableisorganizedinto
datatypessuchas:
database
email
Internet
330
Toviewthetable:
1. SelectView>FileSignaturesfromthemenubar.
Adirectoryoffilecategoriesappears.
2. SelectafolderfromtheTreepane.ThefigureshowsDocumenttypesselected.
AlistofthefilesignaturesinthecaseappearsintheTablepane.
IfSetInclude
ischecked,allfilesignaturesarelisted.
ThecolumnsintheFileSignaturedisplayare:
Namedisplaysthefilenameassociatedwiththesignature.
SearchExpressiondisplaysthestringorGREPexpressionusedtolocatethefile
signature.
GREPistrueifthesearchtermisdefinedasaGREPexpression.
CaseSensitiveindicateswhetherthesearchtermiscasesensitive.
331
Extensionsliststhethreeletterfileextensions.
Youcanaddneworeditexistingsignatures.
Adding a New File Signature

Afilesignaturemaynotbeinthetable.Usethisproceduretoaddanewone.
Youneedtoknowthefilesignaturesearchexpression.Thisisnotnecessarilythesameasthe
threeletterfileextension.
To add a file signature to the table:
1. ClickView>FileSignatures.Thefilesignaturedisplayappears.
2. RightclickafiletopicfolderandselectNew.
TheNewFileSignaturedialogappears:
3. SelecttheSearchExpressiontab(thedefaultdisplay)andenterthesearchexpressionin
theSearchExpressionfield.
4. Givethefilesignatureadescriptivename.
5. SelectCaseSensitiveifappropriate.
332
6. ClicktheExtensionstabandenterthefilesthreeletterextension.Youcanentermore
thanonefileextensionbyseparatingthemwithasemicolon.
7. Addthesuffix_*tothefileextensiontoincludeitinVistaShadowDirectories.Itlooks
likethis:<extension>_*
8. ClickOK.
Thefilesignatureisaddedtothetable.
Editing a Signature
Usethisproceduretoeditanexistingfilesignature.
1. ClickView>FileSignatures.
ThefilesignaturecategorylistappearsintheTreepane.Whenyouselectacategory,its
signaturecontentsappearintheTablepane.
2. RightclickasignaturefromtheTablepaneandselectEdit.
AnEditselectedsignaturenamedialogappears.
3. ChangetheSearchExpressionandotherfieldsasdesired,andclickOK.
Performing a Signature Analysis

Tobeginasignatureanalysis,clickSearch.
333
334
ChecktheVerifyfilesignaturesboxintheAdditionalOptionsareainthelowerright,then
clickStart.Thesignatureanalysisroutinerunsinthebackground.Oncompletion,asearch
completedialogappears.Thedialogpresentssearchstatus,times,andfiledata.
Youcanviewthesesamedataintheconsole.
Viewing Signature Analysis Results (Part 1)

ClickSetIncludeintheTreepanetodisplayallfilesinthecase.
Atthislevel,SetIncludeselectseverythingintheevidencefile.
1. OrganizethecolumnsintheTablepanesothattheName,FileExt,andSignature
columnsarenexttoeachother.
2. SortcolumnswithSignatureatfirstlevel,FileExtatsecondlevelandNameatthird
level.
335
Scrollupordowntoseeallthesignatures.

1. ClickSetIncludeintheEntriesselectionintheTreepane.
AlistofcasefilesandtheirassociatedfilesignatureandotherdataappearsintheTable
pane.
2. Sortthedataifdesired.Inthiscase,theredtriangleintheNamecolumnindicatesthe
displayissortedalphabeticallybyname.
336
Signature Analysis Legend

Signatureanalysisidentifiesandorganizesfilesignatureswithreferencetowhatitfindsin:
thesignaturetable
thefileheader,and
extensionastheyappearintheevidencefile.
MatchintheLegendcolumnindicatesdatainthefileheader,extensionandFileSignaturetable
allmatch.
AliasmeanstheheaderisintheFileSignaturetablebutthefileextensionisincorrect,for
example,aJPGfilewitha.ttfextension.
Thisindicatesafilewitharenamedextension.ThenameintheLegendcolumnbelow(nextto
theasterisk)displaysthetypeoffileindentifiedbythefilesignature.
Note: An alias is preceded by an asterisk, such as *AOL ART.
UnknownmeansneithertheheadernorthefileextensionisintheFileSignaturetable.
!BadSignaturemeansthefilesextensionhasaheadersignaturelistedintheFileSignature
table,butthefileheaderfoundinthecasedoesnotmatchtheFileSignaturetableforthat
extension.
Thetableshowspossibleresultsofasignatureanalysis.
337
EnScript Programming Language

TheEnScriptlanguageisaprogramminglanguageandApplicationProgramInterface(API)
designedtooperatewithintheEnCasesoftwareenvironment.Althoughsimilarinmanywaysto
C++andJava,notalltheirfunctionsareavailableintheEnScriptlanguage.Classes,andtheir
includedfunctionsandvariables,arefoundintheEnScriptTypestabintheTreepane.
Note: The EnScript language uses the same operators and general syntax as C++, though classes and
functions are different.
Ourmessageboardathttps://messageboards.guidancesoftware.com/forumdisplay.php?f=11
(https://messageboards.guidancesoftware.com/forumdisplay.php?f=11)providesadditional
informationabouttheEnScriptlanguage.
Included Enscript Components

EnCasesoftwarecomesbundledwithanumberofEnScriptprograms.
TheEnCaseinstallerputstheseprogramsinthedefaultEnCasefolder.Itsaddressistypically
C:\Program Files\EnCase\EnScript.Thisfolderinturncontainsfoursubfoldersvisible
byclickingEnScriptintheFilterspane.Theyare
Examples
Forensic
Include
Main
EnterpriseusershaveanadditionalEnterprisefolder.Eachfoldercontainstheincludedirectory
andlibraries.
338
EnScript Types
EnScripttypesreferenceresourcesinEnScriptlanguageclasses.Perusingtheseprovides
informationaboutEnCaseclassesandfunctions.
ToviewEnScriptTypes,clickView>EnScriptTypes.
TheTreepanecontainsalistofclasses.Doubleclickinganentryprovidesadditionaldetailfor
theclass.
Hash Analysis
Ahashfunctionisawayofcreatingadigitalfingerprintfromdata.Thefunctionsubstitutesor
transposesdatatocreateahashvalue.Hashanalysiscomparescasefilehashvalueswith
known,storedhashvalues.
Thehashvalueiscommonlyrepresentedasastringofrandomlookingbinarydatawrittenin
hexadecimalnotation.Ifahashvalueiscalculatedforapieceofdata,andonebitofthatdata
changes,ahashfunctionwithstrongmixingpropertyusuallyproducesacompletelydifferent
hashvalue.
Afundamentalpropertyofallhashfunctionsisthatiftwohashes(accordingtothesame
function)aredifferent,thenthetwoinputsaredifferentinsomeway.Ontheotherhand,
matchinghashvaluesstronglysuggeststheequalityofthetwoinputs.
339
File Hashing
Hashingcreatesadigitalfingerprintofafile.Thisfingerprintisusedtoidentifyfileswhose
contentsareknowntobeofnointerest,suchasoperatingsystemfilesandthemorecommon
application.
EnCaseusesanMD5hashingalgorithm,andthatvalueisstoredintheevidencefiles.TheMD5
algorithmusesa128bitvalue.Thisraisesthepossibilityoftwofileshavingthesamevalueto
onein3.402821038.
Anymounteddrive,partition,orfilecanbehashed.Thehashvalueproducedcanbevalidated
andusedintheprogram.Bybuildingalibraryofhashvalues,theapplicationchecksforthe
presenceofdatawithahashvaluecontainedinthehashlibrary.Thehashvalueisdetermined
bythefilescontents.Itisindependentofthefilesname,sothefileshashvalueiscalculatedby
theprogramandidentifiedasmatchingavalueinthehashlibrary,evenifthefilesnamehas
changed.
Hash a New Case

Whenacaseisinitiallycreated,itisnothashed.Beforecomparingthecasesdatawithalibrary
ofknownornotablefiles,hashthecase.TheTablepanedisplaymaylooklikethis:
Openacasethatneedshashinganddisplayitscontents.
1. ClicktheSearchtab.
TheSearchdialogappears.
2. MakeanysearchchoicesandthenselecttherequiredvaluesintheHashOptionsareaof
thedialog.
3. ClickStart.
340
TheTablepanecontentschangesandshowsthenewlycreatedhashvaluesforthefiles.
Hash Sets
Hashsetsarecollectionsofhashvalues(representinguniquefiles)thatbelongtothesame
group.Forexample,ahashsetofallWindowsoperatingsystemfilescouldbecreatedand
namedWindowsSystemFiles.Whenahashanalysisisrunonanevidencefile,thesoftware
identifiesallfilesincludedinthathashset.Thoselogicalfilescanthenbeexcludedfromlater
searchesandexaminations.Thisspeedsupkeywordsearchesandotheranalysisfunctions.
Create a Hash Set

AnalyzingfilesbyidentifyingandmatchingtheuniqueMD5hashvalueofeachfileisan
importantpartofthecomputerforensicsprocess.Thehashlibraryfeatureallowsthe
investigatortoimportorcustombuildalibraryofhashsets,enablingtheexpedient
identificationofanyfilematchesintheexaminedevidence.
Computerforensicsanalystsoftencreatedifferenthashsetsofknownillegalorunapproved
images,hackertools,ornoncompliantsoftwaretoquicklyisolateanyfilesinaninvestigation
thatareincludedinthatset.
Hashsets,oncecreated,arekeptindefinitelyandaddedtoonacasebycasebasis.Addingnew
filesastimegoesbysavestimeandeffortinsubsequentinvestigations.
Note: When creating hash sets to identify suspect software (such as non-licensed software,
steganography or counterfeiting utilities), it is important that the investigator carefully construct sets to
prevent false positives.
341
1. OpenthecaseandclickSearch.
Thesearchdialogappears.
2. IntheHashOptionsarea,checkComputeHashValues.
3. Selectfilestobeincludedinthehashset.
4. RightclicktheTablepaneandselectCreateHashSetfromthemenu.TheCreateHash
Setdialogappears.
5. EnterasetNameandCategory,andclickOK.
Ahashsetiscreated.
Note: While the Category entry can be anything, the two industry standards are Known and Notable, with
the latter being assigned hash values that are of interest to the investigator.
342
Rebuild a Hash Library

Toselectahashsettousedinacase,rebuildthelibrary.
Note: Only items selected on the Hash Sets tab are included in the library.
1. SelectView>HashSets.Alistofhashsetsappears.
2. Selectthedesiredhashset.
3. RightclickandselectRebuildLibraryfromthemenu.WhenRebuildcompletes,a
messageindicatingthenumberofrebuiltlibrariesappears.
Viewing Hash Search Results

Whenfilesinacasearehashed,theyarecomparedtothelibrary,thenthehashsetandhash
categorycolumnspopulate.
Afterrebuildingyourlibraryandhashingthecasefiles,viewtheresultsintheTablepane.
1. SelectView>HashSetsfromthemainmenu.
AlistofallhashsetsappearsintheTablepane.
Ifafilewiththesamehashvalueiscontainedinthehashlibrary,itscolumnsarepopulated.
343
Keyword Searches
EnCaseapplicationsprovideapowerfulsearchenginetolocateinformationanywhereon
physicalandlogicalmediainacurrent,opencase.Globalkeywordscanbeusedinanycase,or
theycanbemadecasespecificandusedonlywithintheexistingcase.
Akeywordinasearchisanexpressionusedtofindwordswithinacasethatmatchthekeyword
entries.TheEnCasesearchengineacceptsanumberofoptions,andisparticularlypowerful
searchingregularexpressionswithaGREPformattedkeyword.
Note: In addition to GREP, the search can be limited by making it case sensitive and selecting particular
codepages. Codepages are alphabet sets of a variety of Latin and non-Latin character sets such as
Arabic, Cyrillic, and Thai.
Thekeywordsincludedinthesoftwaregiveaninvestigatortheabilitytosearch
Emailaddresses
Webaddresses
IPaddresses
Creditcardnumbers
Phonenumbers
Dateswithafourdigityear
344
Creating Global Keywords

Globalkeywordlistsshouldbeanalyzedandtargeted,thenassignedtodiscretefolders.These
foldersareaccessiblebyanycase.
1. ClickKeywordsfromtheTreepane.
Thismenuappears:
2. RightclicktheKeywordsiconintheTreepane,andclickNewFolder.
TheTreepaneofthekeywordstabchangesshowinganadditionalfolder.
3. Renamethefolderasdesired.
Adding Keywords
Addkeywordsdirectlytoanewfolder,anexistingfolder,ortherootfolder.
OpentheTreepanefromtheKeywordstab.
1. RightclickakeywordentryintheTreepane.
ThismenuappearsifthemainKeywordsiconisselected.Ifasubfolderisselected,the
menuisslightlydifferentinappearance,butfunctionsthesame.
345
2. ClickNew.
TheNewKeywordDialogappears.
3. Completethedialogasdescribedhere:
SearchExpressionistheactualtextbeingsearched.
Nameisthesearchexpressionnamelistedinthefolder.CaseSensitivesearchesthe
keywordonlyintheexactcasespecified.
GREPusesGREPsyntaxforthesearch.
Note: Previously the ANSI Latin - 1 option was called Active Code Page. Since the Active Code
Page varied according to the Active Code Page running on the Examiner machine at the time, it
was replaced by ANSI Latin - 1 to insure consistent search results.
ANSILatin1isthedefaultcodepage.ItsearchesdocumentsusingtheANSILatin1
codepage.
346
Unicode:selectifyouaresearchingaUnicodeencodedfile.Unicodeuses16bitsto
representeachcharacter.UnicodeonIntelbasedPCsisreferredtoasLittleEndian.The
UnicodeoptionsearchesthekeywordsthatappearinUnicodeformatonly.Formore
detailsonUnicode,seehttp://www.unicode.org.
Note: The Unicode standard attempts to provide a unique encoding number for every character,
regardless of platform, computer program, or language.
BigEndianUnicode:selectifyouareinvestigatingaBigEndianUnicodeoperating
system(suchasaMotorolabasedMacintosh).BigEndianUnicodeusesthenonIntel
dataformattingscheme.BigEndianoperatingsystemsaddressdatabythemost
significantnumbersfirst.
UTF8meetstherequirementsofbyteorientedandASCIIbasedsystems.UTF8is
definedbytheUnicodeStandard.EachcharacterisrepresentedinUTF8asasequenceof
uptofourbytes,wherethefirstbyteindicatesthenumberofbytestofollowinamulti
bytesequence.
Note: UTF-8 is commonly used in Internet and Web transmission.
UTF7encodesthefullBMPrepertoireusingonlyoctetswiththehighorderbitclear(7
bitUSASCIIvalues,[USASCII]).Itisdeemedamailsafeencoding.
Note: UTF-7 is mostly obsolete, and is used when searching older Internet content.
347
Creating International Keywords

YoucansearchinternationalkeywordsofnonEnglishcharactersets.Thisallowsaninvestigator
toenter,search,andlocatewordswritteninJapanese,Arabic,orRussian,forexample.Keyword
hitsandthedocumentdisplayintheoriginallanguage.
1. SelecttheCodePagetabontheNewKeyworddialog.Alistofsupportedlanguagesets
appears.Here,theArabicCodePageischecked:
2. ReturntotheSearchExpressiontabofthedialogandenterthekeyword.Performa
searchasusual.
Resultsappearasinausualkeywordsearch.
348
Keyword Tester
Totestasearchstringagainstaknownfile,clicktheKeywordTestertab.Enteranexpressionin
theSearchExpressionfieldandbesuretoselecttheproperkeywordoptions.
1. Addanewkeyword(seeAddingKeywords(onpage344)).
2. Addanexpressionandnamethekeyword.
Inthiscase,aGREPkeyworddesignedtocapturetelephonenumbersisentered:
3. Selectthedesiredoptions(forexample,CaseSensitiveorGREP).
349
4. SelecttheKeywordTestertab.
5. Locateatestfilethatcontainsthesearchstring,entertheaddressintotheTestDatafield,
andclickLoad.
ThetestfileissearchedanddisplaysinthelowertaboftheKeywordTesterform.
Note: Hits are highlighted in both text view and hex view.
350
Local Keywords
Alocalkeywordisassociatedwithauniquecase,andcanbesearchedforonlywhenthatcaseis
open.Ifalocalkeywordiscreatedinonecase,andanotherisopened,thelocalkeywordis
unavailable.
Openacaseandpreparealistofkeywordsspecifictothiscaseonly.
1. SelectView>CasesSubTabs>Keywords.
TheTreepaneappearswithadisplaysomethinglikethis.Thisspecificdisplayshowsthe
localkeywordsfolderwithanewfolderadded.
Import Keywords
Youcanimportkeywordsandkeywordlistsfromotherusers.Toimportakeywordlist:
1. RightclickakeywordfolderintheTreepane.
2. SelectImport.
3. EnterorbrowsetothepathofthedesiredfileandclickOK.
TheimportedlistappearsintheTreepane.
Export Keywords
Keywordsareexportedin.txtfileformat.Youcanexportallkeywordsatonetimeorcreatealist
ofselectedkeywordsfortransfer.
1. RightclickakeywordintheTablepane.
2. SelectExport.
351
Completethedialog.
3. CheckExportTree(forImport)andclickOK.
Note: To export a .txt file into Excel, do not select Export Tree.
CheckXMLFormattedtoexporttablerowsorthetreestructuretoanXMLformattedfile.
352
Searching Entries for Email and Internet Artifacts

RecordsarecreatedwhenemailorInternethistorysearchesareperformed.
EnCasesearchingcanparseareasoutsideoflogicalfilecontent(unallocatedclustersandvolume
slack)forInternetHistoryandaddthisdatatotheRecordstabforfurtherinvestigation.
TheSearchdialogboxfeaturesanewcheckbox,Comprehensivesearch,tosupportthisfeature.
WhenyouselectSearchforInternethistory,theComprehensiveSearchboxisenabled.
Note: Selecting Comprehensive Search increases the time it takes to complete the search.
To create a record :
1. ClickSearch.
Asearchdialogappears.
2. SelectoptionsandclickStart.
3. SelectSearchforInternetHistoryandComprehensiveSearchtosearchforInternet
history(includingsearchingfileslackandunallocatedspace).
4. Whenthesearchfinishes,clickView>CasesSubTabs>Records.
Findinghistoryandcacheresultsmayrequiremovingdownthetreeseverallevels.
353
NewlycreatedrecordsdisplayintheTablepane.TheTreepaneshowsthetypeofrecordand
theTablepaneshowsthefileswithinthatrecord.Ifthereareadditionaldetailsregardingafile
selectedintheTablepane,clickAdditionalFieldsintheTreepanetoseethatinformation.
354
CommoncolumnsintheReportpaneare:
Nameisthefilenameandextension.
Filtershowsifafilterwasapplied.
InReportisaTrueorFalseindicatoroffilespresentinareport.Tochangetheselection,enter
CTRL+R.
SearchHitsindicateswhetherthefilecontainsakeywordsearchword.
AdditionalFields:whenTrue,indicatesthatadditionalfieldswerefoundintherecord.Data
containedintheAdditionalfieldsvariesdependingonthetypeofdataintherecord.
MessageSize:themessagesizeinbytes.
CreationTimeisthedateandtimethemessagewascreatedinmm/dd/yyhh:mm:ssformat.AM
orPMisattachedasappropriate.
ProfileNameistheownerofthemessage.
URLNameisthenameoftheURLwherethemessageoriginated.
URLHostisthenameoftheURLhostwherethemessageoriginated.
BrowserCacheTypeshowstheformatinwhichcacheddataarestored.Optionsincludeimage,
code,HTML,andXML.
BrowserTypeisthebrowserwheretheartifactwasviewed,suchasInternetExplorerorFirefox.
LastModificationTimeisthelasttimethecacheentrywasupdated.
MessageCodepageisthecodepagetypeforreadingthiscacheentry.
LastAccessTimeshowsthelasttimethecacheentrywasretrievedorloaded.
Expirationisthetimewhenthiscachebecomesstaleandisdeletedfromthecache.
VisitCountisnumberoftimesthiscacheentrywasaccessedbythebrowser.
ServerModifiedisthelasttimethecacheditemwasmodifiedontheserverwhereitwas
cached.
355
Internet History Searching

Currently,fivebrowsersandtwotypesofInternethistoryaresupported.Theyare:
InternetExplorer,historyandcache
MacintoshInternetExplorer,historyandcache
Safari,historyandcache
Firefox,historyandcache
Opera,historyandcache
Note: The difference between a regular search and a search of unallocated is that keywords are added
internally and marked with a special tag indicating it is for Internet history searching only.
Comprehensive Internet History Search

AcomprehensiveInternethistorysearchdiffersfromaregularInternetsearch.Speciallytagged
keywordsareaddedinternallyandthesoftwaretakesadifferentcodepaththanaregular
search.Inthiscomprehensivesearch,EnCaseexaminestheentiredevice(includingfileslackand
unallocatedspace)forspecificmarkersthatindicateInternetartifacts.ThebasicInternethistory
searchparsesknownfiletypesforInternetartifacts.
ThelatestversionofEnCasesoftwareandeitherWindowsXPor2000mustbeinstalled.Begin
anunallocatedspacesearchthesamewayyoubeginaregularsearch.
1. SelectComprehensiveSearchintheSearchDialog.
356
SelectingSearchforInternetHistoryatthesametime,asshowninthefigure,performsa
regularInternethistorysearchinadditiontotheexhaustivesearch.
ThesefieldsareaddedtotheBrowserCacheTypefield:
Audio
Video
XML
Text
Internet Searching
ThesearchenginecansearchevidencefilesforvariousWebartifacttypes.TheInternetsearch
featurecansearchInternetExplorer,MozillaFirefox,Opera,andSafari.
UsethesearchdialogforInternetsearching.ResultsareviewedontheRecordstab.For
informationonthatprocedure,seeSearchingEntriesForEmailandInternetArtifactsand
ViewingRecordSearchHits.
357
Performing a Search
Youcansearchanentirecase,anentiredevice,oranindividualfileorfolder.Forexample,when
searchinginformationinunallocatedspace,suchasafileheader,selecttheUnallocatedClusters
toavoidhavingtosearchtheentirecase.
1. ClicktheSearchbuttononthetoolbar.TheSearchformappears.
2. CompletethedialogandclickStart.
SeeSearchOptions(onpage357)forhelpcompletingthesearchdialog.
Search Options
Youcanuseanumberofoptionstocustomizeasearch.
358
Selecteditemsonlyrunsasearchforitemslimitedtothefiles,folders,records,ordevicesthat
youchecked.
Searchentriesandrecordsforkeywords:executesakeywordsearchwhenchecked.When
unchecked,othercheckedfunctionsareperformed,butthekeywordsearchisnot.Thisallows
youtorunasignatureanalysisorahashanalysiswithoutrunningakeywordsearch.This
optionalsoenables:
Selectedkeywordsonly
Searchentryslack
Useinitializedsize
Undeleteentriesbeforesearching
SearchonlyslackareaofentriesinHashLibrary
Selectedkeywordsonlyrestrictsthenumberofkeywordsusedduringthekeywordsearchto
thenumberofkeywordsspecified(showninNumberofKeywords).
Searchentryslacksearchestheslackareabetweentheendoflogicalfilesandtheendoftheir
respectivephysicalfiles.
Useinitializedsizesearchesonlytheinitializedsizeofanentry(asopposedtothelogicalor
physicalsize).
Note: Initialized size is only pertinent to NTFS file systems; when a file is opened, if the initialized size is
smaller than the logical size, the space after the initialized size is zeroed out. Thus, searching the
initialized size searches only data a user would see in a file.
Undeleteentriesbeforesearchingundeletesdeletedfilespriortosearching.
SearchonlyslackareaofentriesinHashLibraryisusedinconjunctionwithahashanalysis.
Verifyfilesignaturesperformsasignatureanalysisduringasearch.
Computehashvalueperformsahashanalysisduringasearch.
Recomputehashvalueregeneratespreviouslycomputedhashvalues.
SearchforEmailturnsondialogemailsearchoptions.
RecoverDeletedaccessesdeletedemail.
EmailTypeListprovidesoptionsforemailthatcanberecovered.
VerifySignaturesperformsasignatureanalysisduringasearch.Itdetermineswhetherthefile
extensionmatchesthesignatureassignedtothatfiletype.
IdentifyCodepagestriestodetectthecodepageforafile.
SearchforInternetHistoryrecoversWebdatacachedintheWebhistoryfile.
ComprehensiveSearchsearchesforInternethistoryinunallocatedspace.
Viewing Record Search Hits

RecordsarevirtualfilescreatedwhenemailorInternethistorysearchesareperformed.
Searchingrecordsisstraightforward.
1. ClickRecordswhenthesearchfinishes.
2. SelectSetInclude.
3. Selectarecordthatshowsasearchhit.
4. SelectHitsontheFilterpane.
5. Clickkeywordfoldersonebyonetoseesearchhits.
Thenewlycreatedrecordsarenowvisible.
359
360
Viewing Search Hits

SearchhitsareorganizedbyeachkeywordappearingintheTreepane.Searchhitswithineach
keywordappearintheTablepane.
Toviewyoursearchhits:
ClicktheSearchHitstabinthemenubaror
ClickView>CasesSubTabsSearchHits
Exclude Files
Sometimesakeywordsearchreturnsmorefilesthanareusefultoreport.Hidethesefilesfrom
viewbyexcludingthem.
Run,thenviewakeywordsearch.
1. Selectfilestoexclude,thenrightclicktheview.
2. SelecteitherExcludeorExcludeAllSelected.
361
SelectingExcludeAllSelecteddisplaysasecondoptiondialog.
3. SelecttheappropriateoptionandclickOK.
Theselectedfilesdisappearfromview.
Show Excluded Files

Excludedfilesarenotdeleted.Theyaremerelyhiddenfromview.Toseethemagain,selectthe
ShowExcludedfunction.
Toshowexcludedfiles:
1. SelectShowExcluded.
ExcludedfilesreappearinTableandReportview.
362
Deleting Items
WhenusingSearchHits,deleteisconsideredasoftdeletewhichyoucanundeleteuntilthecase
isclosed.Ifasearchhitremainsdeletedwhenthecaseisclosed,thehitispermanentlydeleted.
Inothertabs,however,undeleteworksonlywiththelastselectiondeleted.Onceafileisclosed,
deleteditemsarepermanentlyremovedandcannotberecovered.
Run,thenviewakeywordsearch.ThisprocessissimilartoExcludeFiles(onpage360).
ViewthesearchhitsreportintheTablepanebeforeexcludingthemfromthereport.
1. Selectfilestoexclude,thenrightclicktheview.
2. SelecteitherDeleteorDeleteAllSelected.
SelectingthelatterdisplaystheExcludeAllSelecteddialog.
3. SelecttheappropriateoptionandclickOK.
Theselectedfilesaretemporarilydeleted.
Note: Viewing the report shows the concatenated results.
363
Show Deleted Files

Excludedfilesarenotdeleted.Theyaremerelyhiddenfromview.Toseethemagain,selectthe
ShowExcludedfunction.
Note: Deleted files are stored in a temporary buffer until the file is closed, at which time the buffer and
deleted files are erased.
Excludeanumberoffiles.
Toreviewexcludedfiles:
1. ClickShowExcluded.
DeletedfilesreappearinbothTablepaneandinReportpane.
Encode Preview
EncodePreviewletsyouapplytextencodingtothePreviewcolumnontheBookmarksand
SearchHitstab.ThisfeatureallowsnonEnglishalphabetbookmarksandsearchhitstodisplay
properlyinthePreviewcolumn.
Turning On Encode Preview

ThepreviewcolumndisplayscertainnonEnglishlanguagesasplaintextbydefault.Whenthis
happens,thetextappearsasastringofsymbolsthathavenobearingontheactualtext
representation.TurningonEncodePreviewdisplaystheactualtextusingthepropercharacters.
ChangetheFonts>TablesoptiontoaUnicodefontthatsupportsthecharactersyouintendto
display.ArialUnicodeMSisrecommendedbecauseofthebreadthofthecharactersincluded.
1. OpenanevidencefileandclickTextorHexintheViewpane.Thedocumentappears.
2. Bookmarkthedesiredpassages(seeBookmarkingItems(onpage401)).
364
3. ClickBookmarksontheTabletaboftheTablePane.
Apreviewofthebookmarkappears.
4. RightclickthedesiredbookmarkandselectEncodePreview.
TheTabletabdisplaystheUnicodeinitsproperform.
365
Indexing
Textindexingallowsyoutoquicklyquerythetranscriptofentries.Creatinganindexbuildsa
listofwordsfromthecontentsofanevidencefile.Theseentriescontainpointerstotheir
occurrenceinthefile.
Therearetwosteps:
GeneratinganIndex
SearchinganIndex
GeneratinganIndexcreatesindexfilesassociatedwithevidencefiles.Indexcreationcanbe
timeconsuming,dependingontheamountofevidenceyouareindexingandthecapabilitiesof
yourcomputerhardware.Evidencefilesize,andthus,theresultantindexsizeisanimportant
considerationwhenbuildinganindex.Attemptstoindexextremelylargeevidencefilescanhave
aseriousimpactonacomputersresources.
Note: For quicker index files, select a limited number of files for indexing.
QueryinganIndexprovidesthemeanstosearchfortermsinthegeneratedindex.Queryingan
evidencefilesindexfortermslocatestermsmorequicklythankeywordsearching.Theindexis
queriedusingseveralconditionsaccessedintheConditionstab
366
Querying an Index Using a Condition

Youcanquerytheindexusingacondition.
ACasemustbecreatedwithEvidencefilesadded.
Theevidencefilemustalreadyhaveanindexgenerated.
1. DisplaytheConditionstabofyourinterface,andexpandtheIndexConditionsfolderby
clickingthe+nexttothefolder.
2. Doubleclickontheconditionyouwouldliketouse.AlloftheIndexConditionsusethe
samedialog.
3. EnterthetermyouwanttosearchforandclickOK.
Whencomplete,theTablepanelistsfilesthatmeettheconditionrequirements.
TheFiltercolumnshowstheconditionthatwasrun.
367
Generating an Index
Openacasecontainingevidencefiles.
1. Ifyouknowthefilesyouwanttospecificallyindex,selectthemintheTablepane.
2. SelectTools>IndexCase.
TheIndexCasedialogappears.
3. Ifyouwantonlytoindexselectedfiles,selectSelectedEntriesOnly.
4. Ifyouwanttoincludefileswithaknownfilesignature,selectInclude:KnownFiles.
5. IfyouwanttoincludeinternalfilesthatarepartoftheNTFSfilesystem,selectInternal
Files.
6. Ifyouwanttoexcludeanyfilenames:
a. RightclickintheExclude:NamelistandselectNew.
b. EnterthenameofthefileandclickOK.
368
7. Ifyouwanttoexcludefilesbyaparticularfileextension:
a. RightclickintheExclude:ExtensionlistandselectNew.
b. EnterthenameofthefileextensionandclickOK.
8. Tosetthenoisefile,clicktheNoiseFiletab.
9. SelecttheLanguageFileandifnecessary,modifythePath.
10. ClickOK.
TheEvidencefilestartsindexing.Thethreadbarindicatestheestimatedremainingtime
intheoperation.TheConsoletabindicatesdiagnosticinformationastheindex
progresses.
369
Searching for Email

Theprogramssearchenginecansearchvarioustypesofemailartifacts.Thisincludesmailfrom:
Outlook(.pst)(Outlook2000&2003)
OutlookExpress(.dbx)
Exchange(.edb)(2000&2003)
LotusNotes(.nsf)(5,6,6.5&7)
AOL
MBOX(Thunderbird)
1. IntheSearchdialog,selectthedesiredEmailSearchOptions.
2. ClickStart.
Note: In addition, clicking Tools > GSI > Webmail Parser specifically searches for Netscape, Hotmail,
and Yahoo! Web Mail.
370
Web Mail Parser

Webmail,includingNetscape,Hotmail,andYahooWebmailcanbesearched.
OpenacasethatisthoughttocontainWebmail.
1. SelectToolsGSI>WebmailParser.
TheWebmailparseroptionsdialogappears.
2. SelecttheWebmailtypesforcollection.Optionally,asearchcanberunonlyonselected
files.Thesearchstatusdisplaysonthestatusbar.
3. ClicktheRecordstab.
TheTreepanedisplaysalistofdiscoveredfiles.
4. OpenafoldertoviewitscontentsintheTablepane.
5. ToviewthedataintheReportpane,selectafileandclickReport.
371
Filecontentsappear.
Youcansaveorexportthereportasdesired.
Extracting Email
Theprogramssearchenginecansearchvarioustypesofemailartifacts,includingattachments.
SeeAcquisitionWizard(onpage198),PerformingaSearch(onpage357),andSearchingfor
Email(onpage369)foradditionalinformation.
Theproceduresoutlinedinthesesectionsdiscusshowtoextractandviewbothemailand
attachments.
372
Searching Email
Thisprogramfeaturedisplaysallemailsandanyassociatedattachmentsintreeview.Once
recovered,thesecanbeviewedintheReport,Doc,orTranscripttabsoftheReportpane.
1. ClickSearch.
TheSearchpageofthesearchwizardappears.
2. SelectthedesiredemailtypesandclickStart.
Viewsearchprogressinthestatusbar.
3. ClickOKwhenthesearchcompletedialogappears.
4. ClickRecords.
Aclosedtreeviewofalllocatedmailboxesappears.Selectingafiledisplaysonemail
filescontentsintheText,Hex,Transcript,andReporttabsoftheReporttab.Inaddition,
theemailfileanditsattachmentsarelistedintheTablepane.
5. Openthehighleveltreetoseethemailboxscontents.Emailcontainedinthemailboxis
visibleintheTreepane,andbothemailandattachmentsarevisibleintheReportpane.
Anenvelopeandpaperclipiconindicatesmailcontainingattachments.
373
Afteryoufinish,youcanviewandinteractwithattachment(seeViewingAttachmentson
page374)files.
Searching Selected Items

Ifyouchoosetosearchselecteditems,theitemsmustbeselectedinboththeRecordsandEntries
tabs.
1. BluecheckselecteditemsintheEntriesandRecordstabs.
2. IntheSearchdialogunderKeywordSearchOptions,clickSearchentriesandrecordsfor
keywords.
3. ClickStart.
374
Viewing Attachments
Anemailattachmentisafilethatissentalongwithanemailmessage.Anattachmentcanbe
encodedornot.
Completeasuccessfulemailsearch.SeeSearchingEmail(onpage371).
Emailattachmentsclearlycanhaveimportantevidentiaryvalue.Thissectioncoversviewing
attachmentsintheirnativeformat.
1. ClickRecords.
DiscoveredemailappearsintheTreepane.
2. Expandthehighlevelitemtoviewitscontents.
375
AlistofattachmentsappearsintheTablepaneandthecontentsoftheattachmentappear
intheReportpane.
Emailsandtheirattachmentscanbeaccessedandusedforinvestigativepurposes.
Export to *.msg
TheExportto.msgoptionformailfilesandmailfilesattachmentsletsyoupreservethefolder
structurefromtheparsedvolumedowntotheentryorentriesselected.Thisoptionisavailable
forthehighlightedentryorselecteditems.
376
Exporting to *.msg
PerformanemailsearchpriortoexecutingExportto.msg.
1. Selectan.msgfileanddisplayitsmailcontents.
2. Selectemailfilestoexport.
3. IntheReportpane,selectafileandrightclickit.
4. ClickExportto*.msg.
TheExportEmaildialogappears.
5. Selectdialogoptionsasneeded:
ExportSingleexportsonlytheselectedmessage.
ExportAllCheckedexportsallfileschecked.
PreserveFolderStructuresavesselectedemailfolderstructureinformation.
377
OutputPathcapturesthelocationoftheexportdatafile.Thedefaultis
...\EnCase6\Export\.
6. ClickOK.
Amessageappearswhentheexportfunctioncompletes.
7. ViewtheentirestructuredowntotheindividualmessageintheExportfolder.
8. Viewamessagebydoubleclickingit.
Themessagetextappearsinreadonlyform.Thefigureshowsatypicaltextmessage
presentation.
378
App Descriptors
Ataverybasiclevel,appdescriptorsarethehashfilesofacomputersEXEandSYSfiles.They
workinconjunctionwithmachineprofilesandareusedtoidentifyforbiddenorundesirable
softwareonacomputersharddrive.Theyareparticularlyusefulindetectingvirusesandother
malwareandforensuringaspecifieddiskimageisnotchanged.
TheEnCaseprogramcanidentifymaliciousprogramsviaahashanalysis.Itcomparesan
applications:
uniquedigitalidentification
itscalculated,known,andstoredhashvalue,withthatcapturedinasnapshot.
Whenthehashvaluesmatch,theprogramreturnstheprocessname,itshashvalue,andmachine
profiletowhichitbelongs.Anappdescriptorcategorizesexecutablesbyhashvalue,toenable
positiveidentificationofexecutablesrunningonasystem.
Appdescriptorsworksinconcertwithmachineprofiles.Profilesareinventoriesofwhatshould
berunningonaspecificmachine.Together,themachineprofileandappdescriptorletsan
examinerknowwhatshouldberunning,andwhatisrunningonaspecificcomputer.
Manually Create App Descriptor

Torunthisfeature,youmusthavecreatedamachineprofileandyoumustknowthehashvalue
ofthefileyouintendtoprocess.
1. ClickView>AppDescriptorstoseealistofappdescriptors.
2. RightclickafolderintheTreepaneorafileintheTablepaneandclickNew.
379
ANewAppDescriptordialogappears.
3. Completethesefields:
Nameismandatory,andistypicallythenameoftheworkingfile.
Commentisanoptionalfieldforinvestigatorcomments.
HashValueismandatoryandmustbeenteredmanually.Itcontainsthehashvalue
oftheselectedfile.
4. SelectthemachineprofileinwhichtoplacethenewappdescriptorandclickOK.
Thismethodrequiresmanualentryofthehashvalueforeachandeverynewappdescriptor.A
farbetterandmoreefficientmethodistouseanEnScriptprogram.
Forinformationonautomaticallycreatinganappdescriptor,SeeCreateAppDescriptorswith
anEnScriptProgram(seeCreateanAppDescriptorwithanEnScriptProgramonpage379).
380
Create an App Descriptor with an EnScript Program

ThescriptsforcreatingappdescriptorsareScanLocalMachineandCaseProcessor.
1. RunanEnScriptprogramsuchasScanLocalMachine.Anoptionswizardappears.
2. Completethefields:
BookmarkFolderNameisthenameofthefolderinthebookmarkarea.
FolderCommentisanoptionalfieldforenteringyourownnotes.
SnapshotDataisamandatorycheckbox.
HashProcessesischeckedbydefault.
3. ClickFinish.
4. Select,thendoubleclicktheAppDescriptorModuletoselectanoutputfile.Ifthereare
nofoldersdisplayed,createanewone.
381
Selectingaprocessstateisoptional.IfeithertheCreateAppDescriptorsforevery.EXE
and.SYSfileorCreateAppDescriptorsforeveryELFBinaryoptionisselected,Select
ProcessStateoptionsaredisabled.
5. ExecutetheselectedEnScriptprogram.
Whenthescriptiscomplete,thenewlycreatedappdescriptorsareavailable.
6. Changethedisplayasfollows:
a. ClickBookmarks.
b. DoubleclickthenewbookmarkintheTreepane.
c. SelectSnapshotsintheTablepane.
d. SelectSnapshotstab.SelecttheProcessestabandtheHometabtoviewthe
information.
7. SelectIncludeAllintheTablepanetoviewthename,hashvalue,andappdescriptor
dataforthefiles.
Encryption Support
Encryptionistheprocessofconvertingdataintoaformatthatcannotbereadbyothers.
Encryptionisusedtoprotectinginformationinmanykindsofsystems,includingcomputers,
networks.theInternet,mobiletelephones,andsoforth.
EnCasehastheabilitytodecryptavarietyofencrypteddocumentsincludingthoseusing
symmetricandasymmetrickeys.ThecommercialencryptionkeysthatEnCasecurrently
supportsincludesLotusNSF,PCGuardianEncryptionPlus,PCGuardianEncryptionPlus,
UtimacoSafeGuardEasy,Credant,andSafeBoot.
382
NSF Encryption Support

TheLotusNotesemailclienthassecuritybuiltintotheproduct.Noteswasthefirstwidely
adoptedsoftwareproducttousepublickeycryptographyforclientserverandserverserver
authenticationandforencryptionofdata,anditremainstheproductwiththelargestinstalled
baseofPKIusers.
TheEnCaseSuitecandecryptencryptedNSFdocumentsandsendthemtorecipientswithin
thesameDominoserver.
EachserveruserhasanIDfilethatcontainsausers:
encryptedprivatekey
publickey
passwordinformation
passwordrecoveryinformation
ItalsohasanNSFfilethatrepresentstheusersmailboxin8.3formatinthedefaultpath
<domino installation folder?\data\mail\<user>.nsf.
383
Recovering NSF Passwords

Toretrievetherecoverypassword,youmusthaveproperadministrativerightsontheDomino
server.
1. OpentheDominoServer.
2. Loginastheserveradministrator.
3. ClickOK.
384
ThepasswordIDlistappears.
4. ClickOK.
Therecoverypasswordappears.
5. ClickOKanddefineusersauthorizedtogeneraterecoverypasswords.
Disk Encryption Support

ThisfeatureprovidestheabilitytoviewandparseencrypteddisksandfilesprotectedbyPC
GuardianEdgeEncryptionAnywhere,PCGuardianEdgeEncryptionPlus,orUtimaco
SafeGuardEasyinboth32and64bitsystems.
Afterpreviewingtheencrypteddeviceortoacquireittoanevidencefile,youneedthetargets
username,passwordanddomaintoparsethediskinEnCase.
AmessageboxdisplaysaskingfortheuserID,password,anddomain.Ifthisinformationis
unavailable,youcanstillviewthevolumesintheTreepane,butthecontentsremainencrypted.
385
TheDomaincanbeaDNSname.
OnceaLogicalEvidenceFileoranewPhysicalDiskisaddedtoanewcase,themasterboot
recordischeckedagainstknownsignaturestodetermineifthediskisencryptedornot.Ifthe
diskisencrypted,youareaskedforusercredentialswhichconsistsofusername,password,and
domain.Whentheseareentered,thediskisdecrypted.
Note: Utimaco and PC Guardian need only a user ID and a password. The domain name is unnecessary.
Aftersuccessfulparsingofanencryptedevidencethesymmetricencryptionkeyisstoredinthe
caseoncethecaseissaved.Whenthiscaseisreopenedtheuserisnotaskedtoprovide
credentialsandthedecryptionisdoneusingthestoredkey.
SafeBoot Setup
EnCaseprovidesawayforyoutoviewSafeBootencryptedharddrivesduringaninvestigation.
Priortoanydecryptionhowever,theSafeBootinstaller,availablefromGuidanceSoftware
TechnicalSupportSupportPortal(https://support.guidancesoftware.com),mustbeinstalled.
Thissectiondescribesthatprocess.
ThefollowingfilesandfoldersareincludedintheSafeBootinstallerfile.
1. UnzipthefilescontentstoC:\Program Files\EnCase6\Lib\SafeBoot
Technology\SafeBootdirectoryoftheEnCaseinstalldirectory.
This is the default path and directory. You may change it, if necessary.
2. Copythefilesshownherefromtheservertotheappropriatelocation.Thetableassumes
theserverinstallationisc:\program files\sbaadmin.
386
AdditionalSafeBootinstallationfiles:
Exporting a Machine Profile from the SafeBoot Server

BeforeyoucanperformanofflinedecryptionofaSafeBootencrypteddrive,youfirstneedto
exportthetargetmachineprofilefromtheSafeBootserver.
Herearethestepstoaccomplishanofflinemachineprofile.
Be sure that you have obtained the SDMCFG.INI and SbAlg.dll files from the SafeBoot Server as
described in SafeBoot Setup (on page 385) .
1. LogontotheSafeBootserverwithanadministratoraccount.
2. LaunchSafeBootAdministrationToolsfromStartMenuProgramsSafeBoot
AdministratorToolsSafeBookAdministration.
3. LoginwiththeSafeBootadministratoraccount.
4. ClicktheDevicetab.
5. ExpandtheSafeBootMachineGrouptree.
6. DoubleclickontheSafeBootMachinechildintheSafeBootMachineGrouptree.
AlistofallcomputersregisteredtothisparticularSafeBootdatabaseappearsontheright
sideoftheSafeBootAdministratorscreen.
7. Rightclickthecomputernameyouwishtodecrypt,thenselectExportConfiguration
fromthemenu.
TheExportConfigurationscreendisplays.
8. ClickBrowsetospecifytheSDBfilesstoragelocation.
9. WerecommendusingthecomputernameastheSDBfilename.
10. OntheExportConfigurationscreen,selectIncludeallusersintheconfiguration,then
clickOK.
AnExportConfigurationdialogdisplays.
11. Repeatsteps710forallothercomputersyouwanttodecrypt.
387
Authentication
Modify the SDMCFG.INI File
Beforeperforminganonlineauthentication,modifythefilefromtheSafeBootserver:
1. OpenSDMCFG.INIfilewithatexteditorand,ifthelineexists,changethevalueof
AuthType=1toAuthType=0.
IfAuthTypeissetto1,communicationbetweentheSafeBootserverandEnCaseis
encryptedandtheonlineauthenticationprocessishindered.
2. Ifthelinedoesnotexistinthefile,enterAuthType=0totheendofthefile.
SafeBoot Encryption Support (Disk Encryption)

EnCaseprovidesawayforyoutoviewSafeBootencryptedharddrivesduringaninvestigation.
ThisfeatureisonlyavailabletoauserwithanEDScertenabled.
Note: If no EDS cert is found, the physical device will mount, but the encrypted file structure cannot be
parsed.
Use EnCase to perform SafeBoot Encryption as follows:

1. UsetheAddDeviceWizardtoaddthedeviceorvolume.
2. Whenprompted,selecttheappropriateencryptionalgorithmfromthelist,thenentera
username,servername,machinename,andpasswordwheninonlinemode.
388
TheSafeBootencrypteddrivewillbeparsed.
Theofflinedialogissimilar.TheOnlinecheckboxisblankandonlytheMachineName,
TransferDatabasefield,andAlgorithmareavailable:
3. Savethecaseonceasuccessfuldecryptioniscomplete.Thecredentialsenteredinthe
dialogarestoredinSecureStorage,eliminatingtheneedtoenterthemagain.
389
Thisillustrationshowsresultsofasuccessfuldecryption.TheTreepaneshowsa
SafeBootfolder,theTablepanecontainsalistofdecryptedfileswhiletheTextpane
showscontentsofadecryptedfile.
4. Thenextfigureshowsthesamefilesastheyappearencrypted.
390
Supported SafeBoot Encryption Algorithms

EnCasesSafeBootdecryptionfeaturesupportstheseencryptionalgorithms:
AES256FIPS
AES256
DES
RC512Rounds
RC518Rounds
CREDANT Encryption Support (File-Based Encryption)

EnCaseprovidesawayforyoutoaccessCREDANTencrypteddataonWindowsdevices.
You can obtain the CREDANT API installer from CREDANT Technical Support (http://www.credant.com/).
EnCasereviewsyourmountedfilesandlooksforCREDANTencrypteddata.Ifitfindsthisdata,
alogondialogdisplays.
1. Thedialogpopulateswithaknownusernameandpassword,Server,MachineID,and
theShieldCREDANTID(SCID).CREDANTfilesareprocessedanddecryptedwithno
furtherinteraction.
391
Theofflinedialogissimilar.TheOnlinecheckboxisblankandtheMachineIDandSCID
fieldsareunavailable.
2. Savethecaseonceasuccessfuldecryptioniscomplete.Thecredentialsenteredinthe
dialogarestoredinSecureStorage,eliminatingtheneedtoreenterthem.
392
Theillustrationbelowshowsresultsofasuccessfuldecryption:
TheTreepaneshowsaCREDANTfolder
TheTablepanecontainsalistofdecryptedfiles
TheTextpaneshowscontentsofadecryptedfile
Thenextillustrationshowsthesamefilesastheyappearunencrypted.
393
Supported Encryption Algorithms

EnCasesCREDANTdecryptionfeaturesupportstheseencryptionalgorithms:
AES128
AES256
3DES
Rijndael128
Rijndael256
Blowfish
CREDANT Encryption Support (Offline Scenario)

IfthemachinetobeinvestigatedisnotonthenetworkwiththeCREDANTserver,youmust
obtaintheCREDANTkeysandstoretheminalocationaccessibletotheExaminermachine.
Beforeyoubegin:
YoumustinstalltheCREDANTLibraryInstallertoruntheutilitywiththeappropriate
DLLs.YoucanobtaintheinstallerfromCREDANTtechnicalsupport.
YoumusthaveEnCaseDecryptionSuiteinstalledontheExaminerdonglethatwilldecrypt
theCREDANTencrypteddata.
YoumustobtaintheURLfortheCREDANTMobileGuardian(CMG)DeviceServer.
YoumustobtaintheAdministratorusernameandpassword.TheCREDANTadministrator
musthaveForensicAdministratorprivileges,asspecifiedintheCMGServerWebInterface
forCMGv5.4andlaterservers.TheadministratormusthaveSecurityAdministrator
privilegesforthev5.3server.
YoumustobtaintheAdministratorslogindomain(forCMG6.0andlaterserversonly),the
MachineIDforthetargetdevice(MUID),theShieldCREDANTID(SCID),theUsername
thatthekeymaterialisbeingdownloadedfor,andthePasswordtousetoencrypttheoutput
.binfile.
1. AtacomputerthathascommunicationtotheCREDANTServer,runtheutility
CEGetbundle.exefromtheWindowscommandprompt.CEGetBundle.exeissuppliedby
CREDANTintheCREDANTLibraryInstaller,whichalsoinstallstheDLLsnecessaryfor
thedecryption.CopytheDLLsandMACfiletothetargetdeviceaswell.
394
2. Supplytheparametersasfollows:CEGetBundle[L]XURLaAdminNameAAdminPwd
[DAdminDomain][dDuid][sScid][uUsername]oOutputFileoOutputFile
IOutputPwd
L
Legacymodeforworkingwithpre5.4
serverinstalls
URL
DeviceServerURL(e.g.,
https://xserver.credant.com:8081/xapi)
AdminName
Administratorusername
AdminPwd
Administratorpassword
AdminDomain
Administratordomain(optional:
requiredonlyiftheCMGServeris
configuredtosupportmultiple
domains)
MUID
MachineIDforthetargetdevice(also
knownastheUniqueIDorhostname)
SCID
ShieldCREDANTID(alsoknownas
DCIDorDeviceID)
Username
Nameoftheforensicadministrator
OutputFile
Filetosavethekeymaterialin
OutputPwd
Passwordtoencryptoutputfile
Hereisacommandexample:cegetbundleLXhttps://CredantServer:8081/xapi
aAdministratorAchangeitdCredantWorkstation.Credant.localsCI7M22CU
uAdministratoroC:\CredantUserKeys.biniChangeIt
3. Placethe.binfiledownloadedfromtheCREDANTserverinapathaccessiblefromthe
Examinermachine.OpenEnCaseandcreateanewcaseoropenanexistingone.You
musthaveEnCaseDecryptionSuiteinstalledontheExaminermachinethatdecryptsthe
CREDANTencrypteddata.
Note: In legacy mode, you must execute this utility for each user targeted for investigation on the
target device while specifying the same output file. The keys for each user are appended to this
output file.
4. AcquireadevicewithCREDANTencryptedfiles,orloadanevidencefileintotheCase.
TheEnterCredentialsdialogdisplays,promptingyouforonlytheUsername,Password,
Server/OfflineServerFile,MachineID,andShieldCREDANTID(SCID)information.
Note: In Offline mode, the only information you must provide is the Password and Server/Offline
Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).
395
WhenEnCasedecryptsCREDANTencryptedfiles,thekeyinformationisplacedinSecure
StorageinEnCase,andsavedwiththecase.Youdonothavetoreenterthisinformation.
Enabling the Forensic Administrator Role on the CREDANT Server

ToenabletheForensicAdministratorroleontheserver,youmustchangesettingsasdescribed
below.
These instructions assume that the CREDANT installation folder is C:\Program Files\CREDANT.
1. EnabletheWebinterfaceforEnCasetodownloadtheencryptionkeys:
a. OpenC:\ProgramFiles\CREDANT\CMGEnterpriseEdition\DeviceServer
1.2\conf\context.properties.
b. Makesuretheforensicmethodisenabled:service.forensic.enable=true.
StopandrestartthedeviceserverfromtheStartmenu:
ClickStartCMGEEDeviceServerStopDeviceServerService,thenStartDeviceServer
Service.
1. AddtheForensicAdministratorrole:
a. OpenC:\ProgramFiles\CREDANT\CMGEnterpriseEdition\ServerWeb
Interface5.4\conf\context.properties.
b. EnabletheForensicAdministratortype:admin.type.forensic=true.
c. FromtheStartmenu,stopandrestarttheserverWebinterface.
Thenewroleshowsintheplacewhereyouconfigureadministratoraccounts.
S/MIME Encryption Support

TheEnCaseS/MIMEEncryptionSupportprovidestheabilitytodecryptS/MIMEencrypted
emailsfoundinPSTfiles.Emailsentorreceivedwiththefileextensions.pst,.mboxand.edb
supporttheS/MIMEPKCS#7standard.
ThemailattachmentmustmeetthePKCS12standard,andyoumusthavePFXcertificates
installed.PST,EDB,andMBOXmailcontainersaresupported.
396
To decrypt S/MIME data:

1. OpenorcreateacaseandenterSecureStorage.
2. Rightclickonafolderintheleftpane.
Adropdownmenudisplays.
3. SelectEnterItems.
TheEnterItemsdialogdisplays.
4. SelecttheEnterMailCertificatetab.
The only allowed certificate format is .PFX.
5. EnterthepathtothePFXcertificateandthepassword,thenclickOK.
ThePFXcertisdecryptedandstoredinSecureStorage.
397
398
S/MIMEdecryptionandsignatureverificationhappensinbackground.
Giventheproperpassword,thecertificateisstoredinSecureStorageunderEMailCertificates
folder.AfteryouimporttherequiredcertificatesintoSecureStorage,youcanparsetheemail
containerfilesusingtheViewFileStructurefeatureintheEntryView.
S/MIMEcontentsaredisplayedlikethispriortodecryption:
399
Whenparsingiscompleteandsuccessfuladirectorylistdisplays.Intheillustration,thefolderis
entitledsmime.p7m.ThetextoftheemailisshownintheTextpanewhiletheemails
attachmentsappearintheTablepane.YoushouldviewandworkwithcontentintheRecords
tab.
EFS Files and Logical Evidence (LO1) Files

TodecryptanencryptedEFSfileyouneedthefollowing:
1. TheEnCaseEDSmodule
2. The$EFSstream.Thisisessential,sinceitcontainsthedecryptionkey.
3. Amatchingunencryptedprivatekey.Thiscanbetherecoveryagentskeyorauserskey.
4. Fileslackmightbeneededifthefilesizeisnotamultipleof16.Thisisbecausefilesare
decryptedin16bytechunks.
400
For example, a 17-byte file needs 15 bytes of slack in order to decrypt the last chunk. Otherwise, only
multiples of 16 are decrypted.
InEnCaseversion6.11,therearedifferentscenariosfrompriorversionswhenaddingEFSfilesto
alogicalevidence(L01)case:
Thefileisencryptedandthe$EFSstreamismissingfromthesamefolderwithintheL01:thefile
cannotbedecrypted.
Thefileisencryptedandthe$EFSstreamisinthesamefolder:thefilecanbedecrypted(exceptfor
theremainderofthefile,ifany).
Thefileisdecryptedandthe$EFSstreamismissing:thefileremainsdecrypted.
twice.
The workaround in this case is to disable EFS or delete the private key from the secure storage.
Fromversion6.11on,allthescenariosabovearehandledgracefully,becausethe$EFSstreamis
addedinternally.
Ifthefileisencrypted,the$EFSstreamisautomaticallystoredwiththefileasmetadata.
Ifthefileisdecrypted,the$EFSstreamisnotautomaticallystored,asitisnot
needed.Thisdoesnotpreventyoufromstoringthestreambyspecificallysavingittothe
LEF.
If an encrypted file is decrypted and added, this is noted and displayed in the report.
CHAPTER 10
Bookmarking Items
In This Chapter
Bookmarks Overview 401
Bookmark Features
406
Creating a Bookmark 414

Using Bookmarks
422
402
Bookmarks Overview
EnCaseallowsfiles,folders,orsectionsofafile,tobemarkedandsavedforreference.Theseare
calledbookmarks.Bookmarksarestoredintheirassociatedcasefileandcanbeviewedanytime
byselectingtheBookmarkstab.Youcanmarkanyexistingdataorfolder.
Note: When a file is initially written to a multi-session CD it is assigned an address offset. When the file is
changed, it written again to the CD as a new file but with the same offset. Any revisions to this initial file
are all assigned the same offset.
The file, and all its revisions can be viewed.
EnCaseprovidesthefollowingbookmarktypes:
Highlighteddata
Annotatesselecteddata
Alsoreferredtoassweepingbookmarks
Notes
Allowstheusertowriteadditionalcommentsintothereport
Providessometextformattingcapabilities
Notbookmarksofevidence
Folderinformationandstructure
Annotatesthetreestructureofafolderorthedeviceinformationofspecificmedia
Nocommentfeature
Optionsincludeshowingdeviceinformation,suchasdrivegeometry,andthe
numberofcolumnstouseforthetreestructure
NotableFile
Annotatesindividualfiles
Fullycustomizable
Filegroup
Annotatesgroupsofselectedfiles
Noabilitytocomment
Snapshot
ContainstheresultsofaSystemSnapshotofdynamicdataforIncidentResponseand
SecurityAuditing
BookmarkingItems
403
Logrecord
ContainsresultsfromlogparsingEnScriptprograms
Datamark
ContainstheresultsofWindowsregistryparsingEnScriptprograms
Casetimesetting
ShowswhetherDaylightSavingsTimeisbeingusedontheevidencefileandwhether
datesshouldbeconvertedtoasingletimezone
Searchsummary
Containssearchresults,times,andkeywordsforaparticularcase
Note: Case time settings bookmarks and Search summary bookmarks are created automatically.
Highlighted Data Bookmarks

Thehighlighteddatabookmark,alsoknownasasweepingbookmarkoratextfragment
bookmark,canbeusedtoshowalargerexpanseoftext.Thisbookmarktypeiscreatedby
clickinganddraggingtext,hex,doc,ortranscriptcontentintheViewpane.
Notes Bookmarks
Thenotesbookmarkgivestheinvestigatoragreatdealofflexibilitywhenaddingcommentstoa
report.Thisbookmarkhasafieldreservedonlyforcommenttextandcanholdupto1000
characters.Italsocontainsformattingoptionsincluding:
italics
bold
changingfontsize
changingtheindentofthetext
404
Folder Information/Structure Bookmarks

Usefolderinformationbookmarkstobookmarkfolderstructuresordevices.Bybookmarkinga
folderstructure,theentiredirectorystructureofthatfolderanditschildrencanbeshownwithin
thereportorbookmarkedforlateranalysis.Individualdevices,volumes,andphysicaldiskscan
bebookmarkedaswell.Thisshowsimportantdevicespecificinformationinthefinalreport.
Note: This type of bookmark is useful for marking directories that contain unauthorized documents,
pictures, and applications. It is also a great way to show specific information about the type of media in the
case.
Notable File Bookmarks

Usenotablefilebookmarkstobookmarkindividualfiles.Thesebookmarksprovideameansof
focusingtheinvestigatorsattentiononspecificfiles.
File Group Bookmarks

Filegroupbookmarksannotateacollectionofindividualfilesselectedasagroup.Bookmarking
acollectionoffileshelpstheinvestigatororganizeevidence.
BookmarkingItems
405
Snapshot Bookmarks
Snapshotbookmarksincludeawidevarietyofvolatiledataresultingfromrunningthevarious
EnScriptprograms.
InEnCaseForensic,theScanLocalMachineprogramcreatessnapshotbookmarks.
Theoutputoftheprogramisalwaysbookmarked.AfterScanLocalMachineisrun,abookmark
toolbardisplaysthatcontainstheHometabandtheSnapshottab.TheSnapshottabhasatoolbar
associatedwithit.Thistoolbardisplaysatabcommandforeachtypeofsnapshotbookmark
createdbyoneoftheEnScriptprograms.
EachtypeofsnapshotbookmarkhasaTreepaneandTablepaneassociatedwithit.Eachtable
displaysdataspecifictotheclassofthesystemcomponentwhosedatadisplayedintheTable
pane.
Snapshotbookmarksinclude
MachinessnapshotontheHometab
Openports
Processes
Openfiles
Networkinterfaces
Networkusers
DLLs
Log Record Bookmarks

Thesebookmarksarecreatedwheneverconsoleandstatusdialogmessagesaresenttoalog
record.Acquiringadeviceisoneprocessthatoptionallysendsitsoutputstoalogrecord,which
resultsinalogrecordbookmark.
406
Datamarks
EnScriptprogramsorEnScriptmodulesthatexecutetheAddDatamarkmethodcreatea
datamark.Whenadatamarkiscreatedinabookmarkfolder,thatdatamarkcanbeusedasa
bookmark.Eachdatamarkhasatabassociatedwithit.Thetabdisplayswhenyouselectthe
datamarkintheBookmarkstableontheBookmarkstaboftheTreepane.
Bookmark Features
Featuresthatyouusewhileworkingwithbookmarksinclude:
BookmarkDatadialogforhighlighteddatabookmarks
AddNoteBookmarkdialog
EditFolderInformation/StructureBookmarksdialog
BookmarkDatadialogforfiles
BookmarkingItems
407
Bookmark Data Dialog for Highlighted Data Bookmarks

TheBookmarkDatadialogisusedwhenmanuallycreatingabookmark.Thedialogprovidesthe
meanstoaddcommentstothebookmark,determinethedatatypeofthebookmark,andto
selectadestinationfolderwherethebookmarkistobestored.
Commentcontainstextthatdescribesthebookmarkedcontent.
DataTypepanedeterminesthedatatypeofthebookmarkedcontent.
Typestreecontainsobjectsrepresentingthevariousformattingthatcanbeusedwhen
displayingbookmarkedcontent.
Note: Details of the content of the tree is described in Bookmark Content Data Types.
DestinationFolderdeterminesthepathtothefolderwherethebookmarkissaved.
Contentsdisplaysthecontentofthebookmarkintheformatselected.
Bookmark Content Data Types

TheTypestreeintheBookmarkDatadialogprovidesalistofsupporteddatatypes.Thedata
typesareorganizedbyparentobjectsrepresentingeachclassofsupporteddatatypes.Each
specificdatatypeisrepresentedbyachildobject.Theformatsinterprettheunderlyingcontent.
Theformatschangethewaythatthedataisbookmarked.
408
Text
Textisaparentobjectthatcontainschildobjectsrepresentingtheformattingthatcanbeused
whendisplayingbookmarkedcontentastext.
DonotShowhidesthecontentofthebookmark.Thisworksforallunderlyingdatatypes.
HighASCIIdisplaysthetextin256bitASCII.
LowASCIIdisplaysthetextin128bitASCII.
Hexdisplaysthetextashexadecimaldigits,ratherthancharacters.
UnicodedisplaysthetextinUnicodeencoding.
ROT13EncodingdecodesROT13encodedtexttoASCIItext.
HTMLrendersHTMLcodedasitappearsinabrowser.
HTML(Unicode)renderstheHTMLcodedasitappearsinabrowserusingUnicodeencoding.
Picture
Pictureisaparentobjectthatcontainschildobjectsrepresentingvariousfileformatsthatcanbe
usedwhendisplayingbookmarkedcontentasapictureorgraphic.
Picturedisplaysthebookmarkedcontentofthefollowingfileformats:
JPG
GIF
EMF
TIFF
BMP
AOL
ART
PSD
Thisisbasedonthefileextensionorthefilesignatureofthefilethatcontainedthebookmarked
content.
Base64EncodedPicturedisplaysthebookmarkedcontentinBase64(Unicode)format.
UUEEncodedPicturedisplaysthebookmarkedcontentinUUEformat.
BookmarkingItems
409
Integers
Integersisaparentobjectthatcontainschildobjectsrepresentingintegerencodingsthatcanbe
usedwhendisplayingbookmarkedcontent.
8bitdisplaysthebookmarkedcontentas8bitintegers.
16bitdisplaysthebookmarkedcontentas16bitLittleEndianintegers.
16bitBigEndiandisplaysthebookmarkedcontentas16bitBigEndianintegers.
Dates
Adateisaparentobjectthatcontainstheobjectsrepresentingvariousfileformatsthatcanbe
usedwhendisplayingbookmarkedcontent.
DOSDatedisplaysapacked16bitvaluethatspecifiesthemonth,day,year,andtimeofdayan
MSDOSfilewaslastwrittento.
DOSDate(GMT)displaysapacked16bitvaluethatspecifiesthetimeportionoftheDOSDate
asGMTtime.
UNIXDatedisplaysaUnixtimestampinsecondsbasedonthestandardUnixepochof
01/01/1970at00:00:00GMT.
UNIXTextDatedisplaysaUnixtimestampinsecondsastextbasedonthestandardUnixepoch
of01/01/1970at00:00:00GMT.
HFSPlusDatedisplaysanumericvalueonaPowerMacintoshthatspecifiesthemonth,day,
year,andtimewhenthefilewaslastwrittento.
WindowsDate/TimedisplaysanumericvalueonaWindowssystemthatspecifiesthemonth,
day,year,andtimewhenthefilewaslastwrittento.
LotusDatedisplaysadatefromaLotusNotesdatabasefile.
410
Windows
Windowsisaparentobjectthatcontainsobjectsrepresentingthevariousfileinterpretationsthat
canbeusedwhendisplayingbookmarkedcontent.
PartitionEntrydisplaysthecontentofthebookmarkascharactersthatconformtotheheader
formatofaWindowspartitionentry.
DOSDirectoryEntrydisplaysthecontentofthebookmarkascharactersthatconformtothe
formatofaDOSdirectoryentry.
Win95InfoFileRecorddisplaysthecontentofthebookmarkascharactersthatconformtothe
INFOdatastructuredefinition.
Win2000InfoFileRecorddisplaysthecontentofthebookmarkascharactersthatconformtothe
INFO2datastructuredefinition.
GUIDdisplaysthecontentofthebookmarkasstringsthatconformtotheWindowsGlobally
UniqueIdentifier(GUID)format.
SIDdisplaysthecontentofthebookmarkintheSecurityIdentifier(SID)format.
Styles
UsethesetextstyleswhenworkingwithnonEnglishlanguages.Formoreinformationsee
WorkingwithnonEnglishLanguages(onpage457)elsewhereinthisdocument.
BookmarkingItems
411
Add Note Bookmark Dialog

UsetheAddNoteBookmarkdialogtoenterthenoteortextcontainedinanotebookmark.A
notebookmarkcancontainupto1000characters.Youcanformatthebookmarkcontentasa
whole.Anotebookmarkcanannotateanotherexistingbookmark,oradddescriptionsofevents
youwanttoincludeinareport.
Notescontainsupto1000characters.
Showinreportwhenchecked,thecontentofthenotebookmarkappearsintheReporttabofthe
Tablepane.
Formattingcontainstheformattingcontrolsforallcharactersthatcomprisethecontentofthe
note.
Boldmakesallcontentofthenoteappearinbold.
Italicmakesallcontentofthenoteappearinitalics.
Increasefontsizesetsthefontsizeofallthecontentofthenote.
Increasetextindentsetsthetextindentofallofthetextblocksinthenote.
412
Bookmark Folder Information/Structure Dialog

UsetheBookmarkFolderStructuredialogtodeterminewhetherandhowmuchdevice
informationtoincludeinthefolderstructurebookmarkyouarecreating.
IncludeDeviceInformationincludesfolderstructureinformation.
Columnsspecifiesthenumberofcolumnsoffolderstructureinformation.
DestinationFolderdisplaystheBookmarkstree,soyoucannavigatetothedestination
folder.
BookmarkingItems
413
Bookmark Data Dialog for Files

UsetheBookmarkDatadialogforfileswhencreatingnotablefilesandfilegroupbookmarks.
Thedialogletsyou:
addashortcommenttothebookmark
createafolder
addafoldercomment
414
BookmarkSelectedItemsappearswhenmultiplefilesareselectedontheTablepane.When
checked,selectedfilesarebookmarkedasoneormorefilegroupbookmarks,andtheFolder
Commentfieldisdisabled.WhenBookmarkSelectedItemsiscleared,onlyasinglefilewas
highlightedintheTablepane,andthatsinglefileisbookmarkedasanotablefile.Anyother
selectedfilesarenotbookmarked.
Createnewbookmarkfolderdetermineswhetheranewfolderiscreated,andwhetherFolder
NameandFolderCommentaredisplayed.
FolderNamecontainsthefilenameforthenewbookmarkfolder.
FolderCommentcontainsthecommentdescribingthebookmarkedfilesthatthenewfolder
contains.
Commentcontainsashortcommentwhenusingthisdialogtocreateanotablefilebookmark.
DestinationFolderdisplaystheBookmarkstreesothedestinationfoldercanbeselected.
Creating a Bookmark
Youcancreatethesetypesofbookmarks:
HighlightedData
Notes
FolderStructure
NotableFile
FileGroup
LogRecord
EnScriptprogramscreatethesetypesofbookmarks:
Snapshot
Datamarks
EnCaseapplicationscreatethesetypesofbookmarksasaresultofacquiringadevice:
CaseTimeSettings
SearchSummary
BookmarkingItems
Creating a Highlighted Data Bookmark

YoucanselectanycontentdisplayedintheViewpaneandbookmarkit.
ContentmustdisplayinataboftheViewpane.
To bookmark highlighted content displayed in the View pane:

1. IntheViewpane,selectthedesiredcontent.
2. Onthehighlightedcontent,rightclickBookmarkData.
TheBookmarkDatadialogforhighlighteddataappears.
3. SelecttheappropriatedatatypeintheTypestree.
4. Enterthedesiredcomment.
5. ClickOK.
ThecommentappearsintheCommentcolumnoftheBookmarkstable.
415
416
Creating a Notes Bookmark

Anotecancontainupto1000characters.Youcanuseanotetoannotateabookmark.
Beforeyoubegin:
Createthedesiredbookmark
VerifythebookmarkitappearsintheBookmarkstableintheTablepane
To create a notes bookmark

1. IntheBookmarkstableintheTablepane,rightclickthedesiredbookmark,andclick
AddNote.
TheAddNoteBookmarkdialogappears.
2. Enterthetextofthenote,formatthetextasdesired,andthenchangetheAppearin
reportsettingasdesired
3. ClickOK.
ThenoteisaddedtotheBookmarkstableontheBookmarkspanelintheTablepane.
BookmarkingItems
417
Creating a Folder Information/Structure Bookmark

Useafolderstructurebookmarktobookmarkafolderordevice.
Beforeyoubegin:
TheEntriestreemustdisplayinEntriespaneloftheTreepane.
To create a folder structure bookmark:

1. Rightclickthedeviceorfoldertobookmark,andclickBookmarkData.
TheBookmarkFolderStructuredialogappears.
2. Acceptthedefaultsettings,orenterappropriatevalues.
3. ClickOK.
YoucannowviewthefolderstructurebookmarksintheBookmarkstableoftheTablepane.
418
Creating a Notable File Bookmark

Whenyoubookmarkasinglefile,anotablefilebookmarkiscreated.
Beforeyoucancreateanotablefilebookmark,oneofthefollowingisrequired:
TheEntriestreemustdisplayintheEntriespaneloftheTreepane.
TheRecordstreemustdisplayintheRecordspaneloftheTreepane.
To create a notable file bookmark:

1. Forthefiletobebookmarked,selectthedevicecontainingthefile.
2. IneithertheEntriestableontheEntriespaneloftheTablepane,ortheRecordstableon
theRecordspaneloftheTablepane,selecttherowdescribingthefile.
3. Rightclickontherowdescribingthefile.
4. ClickBookmarkData.
TheBookmarkDatadialogforfilesappears.
5. AcceptthedefaultsormodifythevaluesdisplayedontheBookmarkDatadialog
6. ClickOK.
ThenotablefilebookmarkisplacedintheBookmarkstableoftheTablepane.
BookmarkingItems
419
Creating a File Group Bookmark

AfilegroupbookmarkiscreatedifmorethanonefileisselectedintheEntriestable.
Beforeyoucancreateafilegroupbookmark,oneofthefollowingisrequired:
TheEntriestreemustdisplayintheEntriespaneloftheTreepane.
TheRecordstreemustdisplayintheRecordspaneloftheTreepane.
To create group file bookmarks:

1. Forthefilestobebookmarked,highlightthedeviceorparentfoldercontainingthefiles.
2. IneithertheEntriestableontheTablepane,ortheRecordstableontheTablepane,select
thefilesortobebookmarked.
3. ClickBookmarkData.
TheBookmarkDatadialogforfilesappears.
4. AcceptthedefaultsormodifythevaluesdisplayedontheBookmarkDatadialog
5. ClickOK.
ThefilegroupbookmarksareplacedintheBookmarkstableoftheTablepane.
420
Creating a Log Record Bookmark

Logrecordbookmarksarecreatedbyaprocessstatusdialog(forexample,theAcquisition
SearchResultsdialog)thatallowstheircontenttobesavedinalogrecord.
Beforeyoucancreatealogrecordbookmark,aprocessresultsdialogmustbeopen.
To create a log record bookmark:

1. Ontheprocessresultsdialog,selectLogRecord.
2. ClickOK.
ALogsentryappearsintheBookmarkstableintheTablepane.
BookmarkingItems
421
Creating a Snapshot Bookmark

SnapshotbookmarksarecreatedbyvariousEnScriptprograms.Note:Beforeyoucancreatea
snapshotbookmark,displaytheEnScriptpanelintheFilterpane.
To create a snapshot bookmark:

1. OntheEnScripttree,expandtheForensicfolderanddoubleclickScanLocalMachine.
TheOptionspageoftheEnScriptwizardappears.
2. EnteraBookmarkFolderName,selectthedesiredmodules,andclickFinish.
AdialogspecifictotheselectedEnScriptprogramappears.
3. CompletetheEnScriptprogramspecificdialog,andclickOK.
422
TheStatusLineshowstheprogressoftheexecutingEnScriptprogram.Whenthe
programfinishes,theresultappearintheBookmarksdisplayintheTreepaneandthe
Tablepane.
4. Seetheresultingbookmarksbyexpandingthebookmarkfolderspecifiedinstep2.
Creating a Datamark as a Bookmark

EnScriptprogramscancreatedatamarksandplacetheminanyfolder.Whendatamarksare
placedintheBookmarkfolder,theycanbeusedtocreateadatamarkanditsassociatedtab
panelcontainingdatafromtheexecutionoftheEnScriptprogram.
Tocreateadatamarkasabookmark,dooneofthefollowing:
IntheCodepanelontheTablepane,rightclickonthecode,andclickRun.
IntheEnScriptpaneloftheFilterspane,expandthetree,anddoubleclickthedesired
EnScriptprogramobject.
TheEnScriptprogramcreatesthedatagramasabookmarkandcreatesasubtabnamedto
matchthenameoftheprogramthatcreatedit.Inaddition,anentryisoutputtotheOutput
paneloftheViewpane.
Using Bookmarks
Youcancreatebookmarksonentriesandrecords.Theseoperationsareavailable:
Creating(seeCreatingaBookmark)(seeCreatingaBookmarkonpage414)
Editing(seeEditingBookmarks(seeEditingaBookmarkonpage423))
Extendingbyaddinganotebookmark(seeCreatingaNotesBookmark(onpage416))
Organizingintofolders(seeUsingFolderstoOrganizeaBookmarkReport(seeUsinga
FoldertoOrganizeaBookmarksReportonpage431))
Reportscancontainbookmarksandfieldscontainingbookmarkattributes:
Todeterminewhichtableentriesshouldappearinareport,seeViewingaBookmarkon
theTableReportTab(onpage436).
Todeterminewhichentryfieldsthatshouldappearinareport,seeCustomizingaReport
(onpage437).
BookmarkingItems
423
Editing a Bookmark
Youcaneditmostbookmarks.Theparticulareditordisplayedisdeterminedbythetypeof
bookmarkyouareediting.Seetheindividualeditdialogsforbookmarkspecificinformation.
Theinstructionsinthistopicapplytoeditinganybookmarkexceptfilegroupbookmarks,which
cannotbeedited.
Note: The contents of the Bookmarks table is driven by the object selected in the Tree pane.
To edit a bookmark:
1. IntheBookmarkpanelintheTablepane,rightclickthedesiredbookmark,andclick
Edit.
Theappropriateeditdialogappears.
2. Editthecontentintheeditdialog
3. ClickOK.
424
Bookmark Editing Dialogs

Thesedialogsletyoueditexistinginformationenteredwhenthebookmarkswerecreated.
However,forbookmarksthatwerecreatedautomatically,youcanonlyenterormodify
informationonce.
Note: File group bookmarks cannot be edited.
Theseeditorsarenotnecessarilytheonesusedtomodifythedatainthecolumnsofthe
BookmarkstableontheBookmarkspaneloftheTablepane.
Thebookmarkeditdialogsinclude
EditHighlightedData
EditNote
EditFolderInformation/Structure
EditNotableFile
EditSnapshot
EditLogRecord
EditDatamark
FolderscontainingbookmarksareeditedwiththeEditFolderDialog.
BookmarkingItems
425
Edit Highlighted Data Bookmarks Dialog

Usethisdialogtoedithighlighteddatabookmarks.
Commentcontainstextdescribingthebookmarkedcontent.
DataTypecontainsthedatatypeofthebookmarkedcontent.Selectingadifferentdatatype
doesnotalterthecontentofthebookmark.
Contentcontainshighlighteddatathatwasbookmarked.
Note: You cannot edit this field.
426
Edit Note Bookmarks Dialog

Usethisdialogtoeditnotesbookmarks.
Notescontainstextdescribingthebookmarkedcontent.Anotecancontainupto1000
characters.
Showinreport:whenchecked,thecontentofthenotebookmarkappearsinthereporttabpanel
oftheTablepane.
Formattingcontainscontrolsforformattingallcharactersinthenote.
Boldmakesallcontentbold.
Italicmakesallcontentitalics.
Increasefontsizesetsthefontsizeofallcontentinthenote.
Increasetextindentsetsthetextindentofalloftextblocks.
Edit Folder Information/Structure Bookmarks Dialog

Usethisdialogtoeditfolderinformation/structurebookmarks.
BookmarkingItems
427
CheckIncludeDeviceInformationtoshowfolderstructureinthebookmark.
Columnsdeterminesthenumberofcolumnsoffolderstructuretoshowinthebookmark.
Edit Notable File Bookmarks Dialog

Usethisdialogtoeditnotablefilebookmarks.
Commentcancontainupto1000characters.
Edit Snapshot Bookmarks Dialog

Usethisdialogtoeditsnapshotbookmarks.
Nameisthenameofthesnapshotbookmark.AnEnScriptprogramsuppliedthisnamevalue
whenthebookmarkwasoriginallycreated.Editingletsyouprovideamoremeaningfulname.
Commentcontainstextdescribingthebookmarkedcontent.AnEnScriptprogramsuppliedthis
textwhenthebookmarkwasoriginallycreated.Editingletsyouprovidemoremeaningful
comments.
428
Edit Log Record Bookmarks Dialog

Usethisdialogtoeditlogrecordbookmarks.
Nameisthenameofthelogrecordbookmark.TheEnCaseapplicationsuppliedthisname
whenthebookmarkwasoriginallycreated.Editingletsyouprovideamoremeaningfulname.
Commentcontainstextdescribingthebookmarkedcontent.Notextwassuppliedwhenthe
bookmarkwasoriginallycreated.
Edit Datamarks Dialog

Usethisdialogtoeditdatamarksastheyappearastableentries.Datamarkscanbeusedas
bookmarkswhentheyarecreatedintheBookmarkfolder.
BookmarkingItems
429
Nameisthenameofthesnapshotbookmark.TheEnScriptprogramthatcreatedthedatamark
suppliedthisnamewhenthedatamarkwasoriginallycreated.Editingletsyouprovideamore
meaningfulname.
Commentcontainstextdescribingthebookmarkedcontent.TheEnScriptprogramthatcreated
thedatamarksuppliedthisnamevaluewhenthedatamarkwasoriginallycreated.Editinglets
youprovidemoremeaningfulcomments.
Edit Bookmark Folder Dialogs

FoldersappearintheBookmarkstreeandtheBookmarkstable.Thesefolderscontainmetadata
andformattingfortheReportpanelsthatappearinboththeTablepaneandtheViewpane.
Note: The root of the Bookmarks tree is a folder.
Thesamedialog(seeEditFolderDialog)isusedtoedittherootbookmarkfolderandother
foldersintheBookmarkstreeandBookmarkstable.Therootbookmarkfoldercontainsdefault
reportformattingwhiletheotherfoldersdonot.
430
Edit Folder Dialog

Usethisdialogtomodify:
foldermetadata
reportcontentsgeneratedfromtheentriesinthefolder
ThisdialogworkswithanyfolderinanyTreeorTablepane.Whenthefolderistherootfolder
ofatree,defaultformattingisprovidedintheFormatfield.
Youcanalsousethisdialogtocustomizethereportgeneratedforthefoldercontent.Eachfolder
inatreehasitsownreport.Eachfolderdefinesitsownreport.
Showinreport:checkthisboxtodisplayfoldercontentinthereport.
ShowPictures:checkthisboxtodisplaypicturesinthefolderinthereport.
Commentcontainstextdescribingthebookmarkedcontent.
Formatcontainslabels(providedbytheapplicationorenteredmanually)andthefieldsselected
intheFieldslist.ThelabelComment:appearsinthereport.Squarebracketscontainafield.The
)isaliteral,asinanotherlabel.Everythingotherthanfieldsarelabels.
Fieldscontainsthelistoffieldsyoucanincludeinthereport.Thislistvariesfromentrytoentry.
Tablesdetermineswhetherthelisteddetailtablesdisplayindividuallyinthereport.
BookmarkingItems
431
Using a Folder to Organize a Bookmarks Report

Whenseveralbookmarksarecreated,theyappearinthebookmarkreportasselectedbyIn
ReportintheBookmarkstable.Usingfoldersisawayofselectingsubsetsofbookmarksto
appearinthebookmarksreport.
Beforeyoubegin:
TheBookmarkstreedisplaysintheTreepane
thedestinationfolderisintheBookmarkstree
432
Tousefolderstoorganizebookmarks:
1. Dooneofthefollowing:
Tomoveabookmarkandremoveitfromthesourcebookmarkobject,dragthebookmark
tothereportinthedestinationfolder.
Tocopyabookmarkfromthesourcebookmarkobject,rightclickanddragthebookmark
tothedestinationfolder,andselectCopyHere.
Thebookmarkisnowinthedestinationfolder,soitsentrynowappearsinthe
Bookmarkstableassociatedwiththedestinationfolder.
2. SelectthedestinationfolderintheBookmarkstree.
ThebookmarksinthefolderappearintheBookmarkstable.
3. IntheTablepane,clickReport.
Thebookmarksinthefolderappearinthereport.
Organizing Bookmarks
YoucanorganizebookmarksintofoldersintheTreepane.ThesefoldersappearintheTable
pane,butatableentrycannotbedraggedintoothertableentries.Instead,dragthetableentry
intoafolderontheBookmarkstree(seeUsingaFoldertoOrganizeaBookmarkReport(see
UsingaFoldertoOrganizeaBookmarksReportonpage431)).
Organizingbookmarksinvolvethefollowingtasks:
Copyingatableentryintoafolder(onpage433)
Movingatableentryintoafolder(seeMovingaTableEntryintoaFolderUsingthe
RightClickDragMethodonpage434)
BookmarkingItems
433
Copying a Table Entry into a Folder

YoucancopyanentryintheTablepanetoafolderintheTreepane.Copyingtheentryleaves
theentryinthetableandcreatesacopyinthetree.
To copy a table entry into a folder

1. Rightclickanddragthedesiredentryintothedesiredfolder.
2. DroptheentryonthefolderandselectCopyHere.
434
Moving a Table Entry into a Folder Using the Right-Click Drag Method
Youcanmoveatableentryintoafolderusingtherightclickdrag.Thetableentryismoved
fromthetabletothetree.
To move a table entry into a folder using the right-click drag method
1. Rightclickanddragthedesiredentryintothedesiredfolder.
2. DroptheentryonthefolderandclickMoveHere.
Theentryismovedtothefolderonthetreeandremovedfromthetable.
BookmarkingItems
435
Moving a Table Entry or Folder into a Folder Using the Drag Method
1. Dragthedesiredentryorfolderintothenewparentfolder.
2. Droptheentryorfolderonthenewparentfolder.
Theentryismovedtothefolderonthetreeandremovedfromthetable.
Bookmark Reports and Reporting

Bookmarkreportscontentcanbedefined
IntheTablepane,asdescribedinViewaBookmarkontheTableReportPane(see
ViewingaBookmarkontheTableReportTabonpage436)section.
Inthefoldereditor,asdescribedintheCustomizingaReport(onpage437)section.
436
Viewing a Bookmark on the Table Report Tab

Afteryousaveabookmark,itappearsontheReportpaneloftheTablepane.
Beforeyoubegin:
Makesurethecurrentlyopenedcasehasatleastonebookmarkassociatedwithit.Clickthe
BookmarkstabandexpandtheviewintheTablepanetodisplaythem.
To view a bookmark report on the Report panel of the Table pane
1. Selectthebookmarkfoldersyouwanttoincludeinthereport.
ThefoldercontentsappearcheckedintheTablepane.Thefirsttwodataitemsare
selectedtobeinthereport,thethirdisnot.
2. Toincludeabookmark,makesurethattheInReportcolumnvalueforthatbookmarkis
TRUE.
BookmarkingItems
437
3. OntheTablepanetoolbar,clickReport.ThereportappearsintheReportpanelofthe
Tablepane.
Note: To set the in-report value for multiple items, select several in the table panel of the table pane, and
then follow the sub-step in step 2.
Thereportcontainingthebookmarkedcontentandthemetadataaboutthebookmarkscannow
beviewed.
Customizing a Report
YoucancustomizeareportusingtheEditBookmarkFolderdialog.
Note: Any bookmarks that will appear in the report must be in the same folder in the Bookmarks tree.
To customize a report:
1. Rightclickthefoldercontainingentriesforthereport.
2. SelectEdit.
Theeditfolderdialogappears.
3. UsingtheFieldslist,doubleclickeachfieldintheorderyouwantittoappearinthe
report.
EachfieldismovedtotheFormatlist.
4. Enteranylabeltextneeded.ThetextappearsintheFormatlist.
5. Cutandpastethetextandfieldsasneeded.OncethecontentoftheFormatlistiscorrect,
clickOK.
438
6. OntheTablepane,clickReport.
Thereportappearswithitscustomizedcontents.
Excluding Bookmarks
HidingallorpartsofthelistingiscalledExcluding.Youcanexcludeanynumberofbookmarks
fromtheTreeandtheTablepanedisplayusingtheExcludeBookmarksfeature.
Exclude File Bookmarks

InBookmarksview,theTreepanedisplaysthebookmarkfoldersyouhavecreatedforanopen
case.YoucanpreventindividualbookmarkfilesfrombeingdisplayedintheTablepaneusing
theExcludeBookmarksfeature.
Beforerunningthisoption,bookmarksmusthavebeencreatedintheopencase.
Exclude an entire folder of bookmarks as follows:
1. Openthebookmarksfoldertoviewitscontents.
2. Select(blueclickorhighlight)afile.Theillustrationbelowshowsagraphicfilechecked.
3. RightClickorpressCTRLE,thenselectExcludefromthemenu.
Thedisplayreappears,buttheselectedfileisnotdisplayed.
BookmarkingItems
439
Exclude Folder
InBookmarksview,theTreepanedisplaysthebookmarkfoldersyouhavecreatedforanopen
case.YoucanpreventbookmarkedfoldersfrombeingdisplayedintheTablepaneusingthe
ExcludeBookmarksfeature.
Beforerunningthisoption,bookmarksmusthavebeencreatedintheopencase.
Exclude an entire folder of bookmarks as follows:
1. Select(bluecheckorhighlight)afolder.
Contentsofthefolder(scal local 01.07.08 intheillustration)appearcheckedin
theTablepane.
Ifyoubluecheckthefolder,asshownintheillustrationabove,thenopenthatfolder,
youllseethattheentirecontentsareselected,asbelow:
2. RightclickthefolderyouselectedintheTreepane.
440
Amenuappears.
3. SelectExclude.
TheTreedisplayreappears,buttheexcludedfolderismarkedwitharedX.
TheassociatedTableviewisalsomarkedasdeleted.
BookmarkingItems
441
Show Excluded
Excludedbookmarksarenotdeleted,theyaremerelyhiddenfromview.Itispossibletodisplay
themagainifnecessary.
YoucanshowexcludedfilesfromtheTreepane,theTablepanefromtheShowExcludedtooon
thetoptoolbar.Regardlessofthemethodyouselect,thestepsaresimilar.
1. IntheTreepane,selectandrightclickafolder.Thisdropdownmenudisplays:
Note: In addition to the menu, there is a toolbar button labeled Show Exclude that toggles the
hidden view.
2. SelectShowExcluded.
442
PreviouslyexcludedfilesappearinTableviewwhileexcludefoldersappearintheTree
view.ExcludeddataaremarkedwitharedX.
Note: The Excluded column of the display shows which files are excluded and which are not.
CHAPTER 11
Reporting
In This Chapter
Reporting
443
Creating a Report Using the Report Tab
444
Creating a Report Using Case Processor
456
444
Reporting
Thefinalphaseofaforensicexaminationisreportingfindings.Organizeandpresentreportsina
waythetargetaudienceunderstands.Formattingandpresentationconsiderationsshouldbe
shouldbemadewhentheevidenceisfirstreceived.EnCasesoftwareisdesignedtohelpmark
andexportfindingssothefinalreportisgeneratedquickly.
Thesoftwareprovidesseveralmethodsforgeneratingareport.Someinvestigatorspreferto
breakupthefinalreportintoseveralsubreportsinawordprocessingprogram,witha
summaryreportdirectingthereadertothecontents.Otherscreatepaperlessreportsona
compactdisc,usingahyperlinkedsummaryofthesubreportsandsupportingdocumentation
andfiles.
Creating a Report Using the Report Tab

Creatingreportsisusuallyoneofthelasttasksperformedwheninvestigatingacase.Withthe
EnCaseapplication,youcancreatereportsbasedondatainanytabintheTreepane.
Someofthemostcommonlycreatedreportscontainbookmarksorsearchhits.
Creatingareporttypicallyinvolvesthesesteps:
1. Selecttheitemstoreporton,whetherfiles,bookmarks,searchhits,orotherdata.
2. SelectthetypeofreportyouwantusingthetabsintheTreepane.
3. FromtheTabletab,intheViewPane,enabletheitemstoshowinthereport.
4. FromtheTabletab,switchtotheReporttab.
5. Modifythereportasneeded.
6. ExportthereporttoaformatviewableoutsideyourEnCaseapplication.
Examplesofdifferenttypesofreportsarediscussedindetailinlatersectionsofthischapter.
Reporting
445
Enabling or Disabling Entries in the Report

Beforeentrydatacanbeinsertedinaformalreport,theymustbemarkedforinclusion.
Report Single Files

OpenacaseanddisplayitscontentsintheTablepane.
1. Highlightthefiletoincludeinthereportorchecktheboxnexttotherecordnumber(542
inthefigure).
2. PlacethecursoranywhereintheInReportcolumnandrightclickforadropdownmenu.
446
3. SelectInReport.
OntheTablepane,theInReportcolumnentrychangestoatruevalue.
4. ClicktheReportpaneltoseeitscontents.
Report Multiple Files

OpenacaseanddisplayitscontentsintheTablepane.
1. Checktheboxesnexttotherecordnumberstoincludeinthereport(538,539,541,544,
and545inthefigure).
2. PlacethecursoranywhereintheInReportcolumnandrightclickforadropdown
menu.
3. SelectInReportInvertSelectedItems.IntheTableviewInReportcolumn,theselected
fileschangetoTrue.
4. ClicktheReporttabtoseeitscontents.
Reporting
447
Note: This menu selection is an XOR switch. It changes the status of the In Report column to the opposite
of what it was.
Changing Report Size

Tochangethepresentationsize,rightclickanywhereinthereportdisplayandselectZoomInor
ZoomOut.
Viewing a Bookmark Report

OpenacaseintheTablepane.
1. ClicktheBookmarkspanel.
Thereportappears.
Thereportisretained.
448
Email Report
Emailrecordsarecreatedwhenyouperformanemailsearch.
PerformanemailsearchasdescribedintheCreatingaReportUsingtheReportTabchapter.
1. SelectView>CaseSubTabs>Records.
AdisplayoftheTreeandTablepanesappear.TheTreepanedatashowtherecords,and
theTablepanedisplaystherecordscontents.ThefigureshowsthecontentsofHunter
XP.
2. SelectarecordfromtheTreepane,thenclicktheReportpaneloftheReportpane.
SelectinganentryfromtheTablepanedisplaysanindividualreportlikethis:
Reporting
449
Internet Report
RecordsforanInternethistoryreportarecreatedwhenyouexecuteanInternetsearch.
PerformanemailsearchasdescribedintheCreatingaReportUsingtheReportTabchapter.
1. SelectView>CaseSubTabs>Records.
TheTreeandTablepanesappear.TheTreepanedatashowtherecords,andtheTable
panedisplaystherecordscontents.Notethesubfolders,CacheandHistory.
2. SelecteitherCacheorHistorytodisplaytheircontentsintheTablepane.
3. SelectarecordfromtheTreepane,thenclicktheReportpaneloftheReportpane.
ThereportdisplaysintheReportpane.
Creating a Webmail Report

CompletetheWebmailParser
1. SelectthefoldertoseeitscontentsintheTablepane.
2. Selectafiletoreporton,thenselecttheReporttaboftheReportpane.Thereport
displays.
450
Alternative Report Method

YoucangenerateareportintheTablepaneaswell.
1. SelectthefileintheTablepane.
2. ClicktheInReportcolumntoincludetheiteminthereport.
3. ClicktheReportpaneloftheTablepanetoviewthereport.
Reporting
451
Search Hits Report

Keywordsearchesrequiregoodreports.Sometimesfoundkeywordsareasignificantpartofa
case.Thereareseveralpermutationsofkeywordsearchreports.
Runastandardkeywordsearch.
1. ClickSearchHits.
Thefourpanedisplayshowsresultsofthesearch.
2. SelectakeywordintheTablepane.
3. ClickReport.
452
ResultsoftheselectedTablepanekeywordappearintheReportpane.
4. SelectanitemintheTablepane.
Anreportcontainingthefilename,address,andthecontentsoftheTreepanekeyword
displays.
5. RightclickintheTablepane.
6. CompletethedialogandclickOK.
Reporting
453
Checkthefieldstodisplayinthereportanddesignateanoutputlocationandfilename
intheOutputFilefield.
Adelimitedtextfileiscreated.
Savethereportsinaccordancewithlocalpolicy.
Quick Entry Report

Often,aquickreportcontaininginformationregardingoneparticularfileinacaseisneeded.
Startbyopeningacasethathasbookmarkedfiles,thenlocatingthefileyouwanttoreporton.
1. Selectthefiletousetogenerateareport.
2. IntheViewpane,clickReport.
454
Ashortreportdisplays.
ThereportdisplaysintheReportpaneloftheTablePane.
Creating an Additional Fields Report

TheAdditionalFieldspanelisavailablewhenyouselecttheRecordspanel.Datainthe
additionalfieldsvariesdependingonthetypeofdatacontainedintherecord.YourEnCase
applicationisopen,andyouhaveacasecreatedwithevidenceinit.
Openacasecontainingevidence.
1. ClicktheRecordspaneltomaketheAdditionalFieldspanelavailable.
2. IntheTablepane,selecttheentrywhereyouwanttoviewadditionalfields.
3. ClicktheAdditionalFieldspanelintheTreepane.
Reporting
455
Note: Additional fields are only available on entries showing a true value in the Additional Fields
column in the Table Pane.
4. IftheInReportcolumnisnotshown,enableit:
a. RightclickintheTablepaneandselectShowColumns.
b. SelectInReportandclickOK.
TheInReportcolumnappearsintheTablepanel.
5. Selectthefieldsyouwanttoincludeinthereport.SeeEnablingorDisablingEntriesin
theReport(onpage445).
6. ClicktheReportPanelintheViewpane.
Thereportisgeneratedcontainingtheenabledfields.
Exporting a Report
Onceareportisgenerated,youcansaveittoafile.
Place the cursor in the report.
1. RightclickandclickExport.
TheExportReportdialogappearsaskingforoutputinformation.
2. Selecttheappropriateoutputformat.
3. Enterornavigatetothedesiredoutputpath.
Thenewlycreatedreportdocumentissavedtoafile.
456
HeresawebpagegeneratedfromtheExportroutine.
Creating a Report Using Case Processor

YoucancreatereportsusingtheCaseProcessorEnScriptprogram.
TheCaseProcessorReportGeneratorcontainsthesefeatures:
EntryAttributessuchasFileGroup,NotableFiles,HighlightedData,FolderInfo,Email
information,andRecords.
AbilitytoreportononlyitemstaggedInReport.
AbilitytoreportononlyselecteditemsintheRecordstab.
Thereportcapturestheinvestigatorsname,organizationnameandcreationdate.
ThereportisgeneratedasHTML,viewableoutsideofEnCase.Thedataisorganizedlike
theTabletab,andbreaksdowneachsetofinformationbyitsevidencefile.
CHAPTER 12
Working with NonEnglish Languages

In This Chapter
Working with Non-English Languages
Non-English Language Features
458
459
The Options Dialog Font Tab 460

Configuring Non-English Language Support 465
458
Working with Non-English Languages

Thischaptercoversaspecializedareaofinvestigations:workingwithlanguagesotherthan
English.
TheUnicodestandardattemptstoprovideauniqueencodingnumberforeverycharacter
regardlessofplatform,computerprogram,orlanguage.Unicodeencompassesanumberof
encodings.Inthisdocument,UnicodereferstoUTF16(Unicode16bitTransformationFormat).
Currentlymorethan100Unicodecodepagesareavailable.BecauseEnCaseapplicationssupport
Unicode,investigatorscansearchforanddisplayUnicodecharacters,andthussupportmore
languages.
Othercharactercodesbesides16bitUnicodearesupportedforworkingwithnonUnicodenon
Englishlanguagetext.
WorkingwithnonEnglishlanguagestypicallyinvolvesperformingthesetasks:
ConfiguringnonEnglishlanguagesupport
Creatingandapplyinganewtextstyle
CreatingnonEnglishlanguagesearchterms
BookmarkingnonEnglishlanguagetext
ViewingUnicodefiles
ViewingNonUnicodefiles
UsingCodePagesintheTextandHextabs
WorkingwithNonEnglishLanguages
459
Non-English Language Features

EnCaseEnterpriseapplicationsprovidenonEnglishlanguagesupportthroughvariousfeatures,
including:
TheOptionsdialogFontstab
Textstyles
Usetextstylestomodifythedisplayofcontent:
Thetextpane
Thetranscriptpane
TextstylesaredefinedgloballyontheTextStylestab.Whendefined,thesetextstylesarenot
associatedwithacase.IntheFilterpane,youcan:
Createtextstyles
Edittextstyles
ApplytextstylestocontentintheViewpane
460
The Options Dialog Font Tab

ThisOptionstabcontainsalistofEnCaseinterfaceelementsthatyouconfiguretosupportnon
Englishlanguages.Eachofthelistedelementshasfontsettingsassociatedwithit.Double
clickinganelementopenstheFontdialogwhereyouselecttheassociatedsettings.
DefaultFontscontainsthelistofinterfaceelementstobeconfigured.Doubleclickingonthese
interfaceelementsopenstheFontdialog.SelectingaUnicodefontenablesnonEnglishlanguage
texttodisplayintheseinterfaceelements.
461
Unicode Fonts
SpecificfontsintheFontsdialogareinstalledinWindows.IfnoUnicodefontsareinstalledon
yourcomputer,seeInstalltheUniversalFontforUnicodeathttp://office.microsoft.com/en
us/help/HP052558401033.aspxhttp://office.microsoft.com/enus/help/HP052558401033.aspx.
Unicodeinterpretsfontsas16bitwords.WhenUnicodefontsareselected,8bitcharactersets
and7bitASCIIcharactersdonotdisplaycorrectly.Usean8bitfontsuchasCourierNewfor
Englishtext
Toproperlydisplaythecharactersincertaincodepages,youshouldonlyselectaUnicode
displayfont.
Charactersthatarenotsupportedbythefontorcodepagedisplayasadefaultcharacter,
typicallyeitheradotorasquare.ModifythischaracterwhenusingtextstylesintheTextand
HextabsoftheViewpane.
Text Styles
ThedisplayofnonEnglishlanguagecontentiscontrolledbyboththetypefaceofthecontent,
andthetextstyleappliedtothecontent.Atextstyleappliesvariousattributedtofonts,
including:
Linewrapping
Linelength
Replacementcharacter
Readingdirection
Fontcolor
Classofencoding
Specificencoding
TextstylesareappliedintheText,Hex,andTranscriptpanes.SeeViewingNonUnicodeFiles,
andViewingUnicodeFilesformoreinformation.Youcancreateandedittextstyles.See
CreatingandDefiningaNewTextStyleformoreinformation.
Textstylesareglobal;therefore,theyarenotassociatedwithaspecificcase,butrathercanbe
appliedtoanycaseaftertheyaredefined.
462
New Text Styles Dialog

ThisdialogisusedtodefinetextstylesthatcanbeappliedtotextdisplayedintheText,
TranscriptorHextabsoftheViewpane.Thisdialogconsistsofthesetabs:
TheAttributestab
TheCodePagetab
New Text Styles Dialog Attributes Tab

TheAttributestabcapturesthetextstyledefinition.
463
Nameisthenameofthetextstyle.
LineWrapcontainscontrolsthatdeterminehowcontentappearsintheTextandHextabsofthe
Viewpane.
Fittopageeliminateslinebreaksindisplayedcontent,anddisplaysalltextinthewindow.
LineBreaksdisplayslinebreaksinthecontent.
MaxSizeignoreslinebreaksinthecontent,andwrapslinesatthevaluesetinWrapLength.
WrapLengthspecifiesthelengthwherealinebreakoccurs.WhenyouselectMaxSize,line
breaksoccuronlyatthevalueofthissetting.
DefaultCharcontainsthecharactertousetoindicatetheencodingorcodepagecouldnot
interprettheunderlyingvalue.
RTLReadingsetsthetextdisplaytoreadrighttoleft(RTL).
ColorElementcontainsalistoftextelementsthatcanhaveacolorassignedtothem.Double
clickalistelementtoeditcolorattributes.
464
New Text Styles Dialog Code Page Tab

TheCodePagetabletsyouselectthecodepageforthetextstyleyoudefine.
CodePagecontainssettingsthatdeterminesthecodepagetypeusedinthetextstyle.
UnicodespecifiesLittleEndianUnicode.IfUTF7orUTF8isused,selectOther,notUnicode.
UnicodeBigEndianspecifiesBigEndianUnicode.
OtherletsyouselectfromtheCodePagelist.
CodePageListcontainsalistofsupportedcodepages.
Configuring Non-English Language Support

NonEnglishlanguagesupportinvolves:
Configuringindividualinterfaceelements
CreatingandapplyingtextstylesusedontheTextandHextabs
CreatingnonEnglishkeywords
CreatingnonEnglishsearchterms
BookmarkingnonEnglishtext
ViewingUnicodefiles
Usingcodepages
465
466
Configuring Interface Elements to Display Non-English Characters

TheEnCaseapplicationsupportsnonEnglishlanguageuseintheinterfaceaswellasfornon
Englishlanguagecontent.
1. ClickTools>Options>Fonts.
TheFontstaboftheOptionsdialogappears.
2. ForeachinterfaceelementlistedinDefaultFontswhereyouwanttodisplaynon
English:
a. Doubleclicktheinterfaceelement.
TheFontdialogopens.
b. ChangethefonttoArialUnicodeMS,andclickOK.
c. Repeatstep2buntilalltheinterfaceelementsareconfigured.
467
3. ClickOK.
TheinterfaceisnowconfiguredtodisplaynonEnglishcontent.
Configuring the Keyboard for a Specific Non-English Language

WindowsletsyouconfigureakeyboardforaspecificnonEnglishlanguage.Oncethekeyboard
isconfigured,youneedakeyboardmaporfamiliaritywiththekeyboardlayoutofthelanguage.
TheseinstructionsareforWindowsXP.ConfiguringWindows2000,NT,and2003issimilar.
Toconfigurethekeyboardforaspecificlanguage:
1. ClickStart>ControlPanel>RegionandLanguageOptions.
TheRegionalOptionstaboftheRegionalandLanguageOptionsdialogappears.
2. InStandardsandformats,selectthedesiredlanguage.
3. SelecttheAdvancedtab.
TheAdvanceddialogappears.
4. InCodepageconversiontables,checkthedesiredcodepage.
468
5. ClickOK.
ThekeyboardismappedtotheselectednonEnglishlanguage.
Entering Non-English Content without Using Non-English Keyboard Mapping

WindowsprovidesacharactermapsoyoucanenternonEnglishcharacterstringswithout
remappingthekeyboard.
ToenternonEnglishcontentusingtheCharacterMaputility:
1. ClickStart>AllPrograms>Accessories>SystemTools>CharacterMap.
TheCharacterMaputilityappears.
2. Clickthedesiredcharacter,thenclickSelect.
ThecharacterisaddedtotheCharacterstoCopybox.
3. Repeatstep2toaddmorecharacters.
4. ClickCopy.
5. Pastethecharacterswhereyouwanttousethem.
Creating and Defining a New Text Style

TextstylesdeterminehowfilecontentsappearintheTextandHextabsoftheViewpane.
469
470
To create and define a text style:

1. ClickView>TextStyles.
TheNewTextStyledialogappears.
2. EnteraNameforthenewstyle.
3. EnterthedesiredcharacterinDefaultCharacter.
4. ClickRTLifthelanguageisreadrighttoleft.
5. ClickOKifyouareusingacodeotherthanUnicodeBigEndianencoding.Otherwise,
selecttheCodePagetab.
6. ClickUnicodeBigEndian,thenclickOK.
Anewtextstyleiscreatedanddefined.
IfyouaregoingtouseanonUnicodeencoding:
1. ClickOther.
2. SelectanencodingfromtheCodePagelist.
3. ClickOK.
471
Creating Non-English Keywords

CreatingnonEnglishkeywordsisthefirststeptotakebeforesearchingnonEnglishlanguage
content.
To create a non-English language keyword,

1. RightclickandselectNewfromtherootoftheKeywordstree.
472
TheNewKeyworddialogappears.
2. DothefollowingontheNewKeyworddialog:
a. ClickGREPandentertheGREPexpressionintoSearchExpressiontocreatea
GREPsearch.
b. UsetheCharacterMaptocreatethesearchstringifyourkeyboardisnotmapped
totheappropriatenonEnglishkeymapping.Ifmappingiscorrect,enterthe
desiredSearchExpression.
c. Makeanyotherselectionsasdesired.
d. Dooneofthefollowing,totestthekeywords:
Ifyouuseanothercodepageotherthanthecurrentlyselectedone,clickCodePage,
andproceedtoStep3.
ClickKeywordTester,thenexecuteStep4totestakeyword.
3. ClickOK.
Thedialogcloses.
4. Dothefollowing:
a. SelectthedesiredcodepagesfromtheCodePagelist.
b. ClickKeywordTestertotestthekeyword,otherwiseclickOK.
5. TestthekeywordusingtheinstructionsinTestingaNonEnglishLanguageKeyword
section,andclickOK.
Thedialogcloses.
473
Testing a Non-English Keyword

OpentheNewKeyworddialoganddefinethetestedkeyword.
To test a non-English language keyword do the following:

1. EnterthesearchexpressioninKeyword.
2. EnterorbrowsetothefilecontainingthenonEnglishlanguagecontentusedtotestthe
keyword.
3. ClickLoad.
TextappearsintheTextpane.
4. Iftextisincorrectlyrendered,selectothercodesheetsuntilthetextisrenderedcorrectly.
Whenaselectedencodingisnotonethatwasselectedwhenthekeywordwasdefined,
theExpressionfieldcontainsthismessage:Wrongcodepageforthisexpression.
5. ClickHextoviewcontentinhexadecimal.Thevaluesx\ FFx\EEinthefileheader
indicatesthatUnicodeisthecorrectencoding.Youmaywanttoredefinetheencoding
usedforthiskeyword.
Thehexrepresentationoftheunderlyingtextappears.
6. TestthekeywordandclickOK.
474
Querying the Index for Non-English Content

Afteryoucreateanindex,filesthatmightcontainnonEnglishcontentcanbequeriedusing
conditions.
To query for non-English language content:
1. IntheEntriestreeandEntriestable,selectfilestosearch.
2. ClickTools>IndexCase.
3. IntheFilterspane,clicktheConditionstab.
4. OpentheIndexConditionsfolderintheConditionstree.
5. SelectthenonEnglishcontent,[forexample,IndexTerms(Umlaut)].
475
Bookmarking Non-English Language Text

Onceyoufindsearchresults,bookmarkthem.Bookmarksassociatetextstyleswithbookmarked
content.
To bookmark non-English language text:

1. DisplaythetextintheViewpane.
2. Sweeporselectthedesiredtext,thenrightclickandclickBookmarkData.
TheBookmarkDatadialogappears.
3. EnteraComment.
4. SelectthedesiredtextstyleinDataType.
476
Thecontentappearswiththeselectedtextstyleapplied.
5. ClickOK.
Thetextisbookmarkedandthedialogcloses.
Viewing Unicode Files

Bydefault,EnCasedisplayscharactersinANSI(8bit)formatontheTextandHextabsin
CourierNewfont.ViewingUnicodefilesproperlyrequiresmodificationstoboththeformatting
andthefont.First,thefileordocumentmustbeidentifiedasUnicode.Thisisnotalways
straightforward.
Textfiles(.txt)containingUnicodebeginwithaUnicodehexsignature\xFF\xFE.Word
processordocumentswritteninUnicode,however,arenotsoeasytoidentify.Typically,word
processorapplicationshavesignaturesspecifictothedocument,makingidentificationofthefile
asUnicodemoredifficult.
Figure32
To view Unicode files do the following:

1. ClickTextStyles.
TheTextStylestabappearsintheFilterpane.Noticethedefaultcharactersbetweenthe
ASCIIcharacters.Thesecondeightbitsofthe16bitUnicodeencodingcannotbe
translated.
2. ClickthedesiredUnicodebasedtextstyle.
ThetextdisplayedintheTextorHextabisupdatedtoreflectthenewencoding.
477
Viewing Non-Unicode Files

Displayafileinanyencodingorcodepageafteryoudefineit.
ToviewnonUnicodefiles:
1. ClickTextStyleswiththetextdisplayedintheTextorHextaboftheViewpane.
TheTextStylespaneappearsintheFilterpane.
2. ClickthedesirednonUnicodebasedtextstyle.
ThedisplayedtextintheTextorHextabupdatestoreflectthenewencoding.
Associating Code Pages

NonEnglishlanguagefilescanbeassociatedwithaparticularcodepage.Acodepagelistis
checkedtopreventusageofanunavailablecodepage(if,forinstance,afileisopenonone
system,thenreopenedonanotherthatdoesnothavethecompleteset).
Ifanoriginalcodepageisunavailablewhenafileisopened,thecodepageassociationis
removed.Whilethisprocessistransparent,ifyoudoopenacaseormountavolumewitha
missingcodepage,amessagelistingthemissingcodepagesappears.
YoucanassociatecodepagesmanuallyorautomaticallythroughWindowsidentification.
Tomanuallysetthecodepage:
1. ApplyaTextStylewiththedesiredcodepagetotheentry.
2. CheckthecodepagecheckboxontheEnCasemainwindow.
TohaveWindowsautomaticallyassociatecodepagestoentries:
1. SelecttheSearchbuttonandchecktheIdentifycodepageoption.
2. Afterthesearchcompletes,thecodepagecolumnpopulates.
478
Toremovetheassociation,clearthecheckbox.
CHAPTER 13
EnScript Analysis
In This Chapter
EnScript Analysis
479
Enterprise EnScript Programs

EnScript Example Code
Packages
481
499
505
Send To HBGary Responder EnScript
511
480
EnScript Analysis
TheEnScriptlanguageisascriptinglanguageandApplicationProgramInterface(API).Itis
designedtooperatewithintheEnCasesoftwareenvironment.AlthoughsimilartoANSIC++
andJava,notallthefunctionsavailableintheselanguagesareavailable.TheEnScriptlanguage
usesthesameoperatorsandgeneralsyntaxasC++,thoughclassesandfunctionsaredifferent.
Classes,andtheirincludedfunctionsandvariables,arefoundintheEnScriptTypespanelinthe
Treepane.
Note: For general information on a particular element, highlight it in the Code panel and press F1 to find
the element in the EnScript Types panel.
EnScriptprogramsallowinvestigatorsandprogrammerstodeveloputilitiestoautomateand
facilitateforensicinvestigations.Theprogramscanbecompiledandsharedwithother
investigators.Aprogrammingbackgroundandanunderstandingofobjectoriented
programmingarehelpfulforcodinginEnScript.
Note: For more detailed information on the EnScript programs included with the EnCase application, refer
to the EnCase Programs User Manual.
Note: For additional help in programming with the EnScript language, you can attend a training class or
visit the EnScript message board.
EnScriptAnalysis
481
Enterprise EnScript Programs

EnterpriseEnScriptprogramscontainprogramstypicallyusedwithenterprisecases.Manyof
theseprogramsrequireaSAFEtobesetuptoproperlyusethem.
TheavailableEnterpriseEnscriptProgramsare:
DocumentIncident:usedtogenerateareportcontainingthedetailsofanincidentthatrequired
investigation.
MachineSurveyServletDeploy:usedtomanage,deploy,removeandinstallSAFEsand
servletstomachinesonthenetwork.
QuickSnapshot:usedtoquicklytakeasnapshotofamachinethatiscurrentlybeing
investigated.
RemoteAcquisitionMonitor:usedtomonitorremoteacquisitionsbetweentheservletsanda
networkstoragedevice.
SnapshotDifferentialReport:usedtoreportondifferencesofsnapshotstakeoveraperiodof
time.
SweepEnterprise:usedtoconductthoroughexaminationsoncomputersspecifiedfromthe
networktree.
ToviewEnterpriseEnScriptprograms:
1. IntheFilterpane,clickEnScripttodisplaytheEnScriptpanel.
2. OpentheEnterprisefolderfromtheEnScripttreetoseeavailablescriptslistedinthe
Tablepane.
3. Torunascript,doubleclickitinthetable.
482
Document Incident
UseDocumentIncidenttogenerateareportcontainingdetailsofanincidentthatrequired
investigation.
Openacase.
1. DoubleclickontheDocumentIncidentEnScriptProgram.
2. EnterthefollowingdetailsintheGeneralInfotab:
IncidentReferenceNumber
PrimaryContact
AlternateContact
IncidentTiming
EnScriptAnalysis
483
3. ClicktheIncidentDetailstabandenterinformationinthefollowingfields:
IncidentType
OtherType
Status
Intent
IncidentCause
IncidentImpact
AffectedSystems
484
4. ClicktheConclusiontabandentertherecommendedcourseofactionandcomments:
5. ClickOK
TheProgramgeneratesareport.Clickthenameoftheincidentinthebookmarkspaneltoview
thereportinthetablepane.
Machine Survey Servlet Deploy

UseMachineSurveyServletDeploytodeployservletstomachinesonthenetwork.
Tousethismethodofdeployment,youwillneedthefollowing:
IPaddresses,orarangeofallnodeswhereyouwanttodeploy
Acommonusernameandpasswordforallnodeswhereyouwanttodeploy
To deploy servlets using Machine Survey Servlet Deploy:
1. OpentheEnCaseProgram.
2. ClicktheEnScripttabinthefilterpane.
3. ExpandtheEnterprisefolderbyclickingthe+nexttoit.
EnScriptAnalysis
485
4. DoubleclickMachineSurveyServletDeploy.
5. Therearedifferentwaystoaddtothelistofmachinesthatwillreceivethenewservlet.
Chooseoneorbothofthembelow:
ClickSelectMachine,thenlogontoyourSAFE,selectarole,andselectmachines
usingtheNetworkTree.
EnteranIPaddressorIPRange,UsernameandPasswordandClickAdd.Ifyou
prefertospecifyanIPrangeusingClasslessInterDomainRouting(CIDR),youcan
enterit.
Note: If you enter an IP range, all machines must use the same username and password.
6. IfyouenteredanIPRangeandwanttoexcludespecificaddresses,entertheaddressin
theMachinefieldoftheExcludeMachinegroupandclickExclude.
7. ClicktheManagementtabandselectInstallservletprocess.
Note: You can also use this program to check for or stop servlet and SAFE processes. For
information on how to use these features, see the EnCase Enterprise Administrator Manual .
486
8. ClickInstallSettings.
9. Completethedialogasappropriateusingthefollowingfunctions:
Installifservletprocessnotfound:onlyinstallsaservletifoneisnotfound.
AlwaysInstall:installsaservletonallmachines.
WindowsServletPath:EnterorBrowsetotheservletlocationonyourmachine.
LinuxServletPath:EnterorbrowsetheLinuxservletonyourmachine.
CommandLineparameters:Enteranycommandlineparametersyouwanttousein
conjunctionwiththeservlet.
Verifyinstallation:Verifiesthattheinstallcompletessuccessfully.
Retryfaileddeploys:Controlshowoftentheprogramtriestoredeployaservletona
machinethatfailed.
10. ClickOK
EnScriptAnalysis
487
11. ClickontheSettingstabtosettheoutputoptions.
12. Selectanoutputoption:
Bookmarks:Outputsresultstobookmarksinthecurrentcase.
Excel:OutputsresultsinanExcelfile.Ifyouselectthisoption,browsetoorenteran
outputfolder.
13. ClickOK.
TheprogramwilloptionallycreateabookmarkfoldercalledMachineSurveyRun#(Withan
incrementinginteger).TheprogramwillalsooptionallycreateanExcelspreadsheetcalled
MachineSurvey.xlsinthefolderspecifiedabove.
488
Quick Snapshot
UseQuickSnapshottoquicklytakeasnapshotofamachinecurrentlybeinginvestigated.Quick
Snapshotdoesnotofferadeepoptionsset,soifyouwantschedulingoptionsortheabilityto
runEnScriptprogrammoduleswhiletakingasnapshot,usetheSweepEnterpriseprogram.
BeforeyourunQuickSnapshot:
OpenEnCaseandlogon
Createacase.
Addadevicetothecase.
To create a quick snapshot:
1. DoubleclicktheQuickSnapshotEnScriptProgram.
2. NotethemachineintheIPList,andselectanAvailableSAFEandRole.
3. ClickOK.NotetheIPlistdisplaysthemachinetobeinvestigatedusingQuickSnapshot.
Thislistisforinformationpurposesonly,andyoucannotaddadditionalnodes.
TheSnapshotiscreatedandplacedintheQuickSnapshotfolderinyourbookmarks.
Remote Acquisition Monitor

UsetheRemoteAcquisitionMonitorEnScriptProgramtomonitorremoteacquisitions.
EnScriptAnalysis
489
Snapshot Differential Report

UsetheSnapshotDifferentialReporttocomparedifferencesinseveralsnapshotsofaparticular
machine.Itquicklydetectstrendsoflivedata.
Beforeyoubegin:
SnapshotswerecreatedandstoredinaLogicalEvidenceFile(LEF).
MicrosoftExcelmustbeinstalled.
AddtheLEFcontainingthesnapsotsintoanewcase.
1. DoubleclicktheDocumentIncidentEnScriptProgram.
2. EnterthenameofthetargetmachineandclickRetrieveSnapshots.
3. IntheChooseSnapshotsForReportlist,selectthesnapshotsyouwanttocompare.
4. Choosethetypesofitemstoreport.
5. ChooseOutputOptions,andprovideanoutputpath.
6. ClickOK.
YoucanviewresultsintheEnCaseprogram,MicrosoftExcel,oranInternetbrowser,depending
ontheoutputoptionsyouchose.
490
Sweep Enterprise
TheSweepEnterpriseEnScriptprogram:
Collectsdatafromsomenamedsubsetofthenetworktree
Savesthebookmarkeddata
Optionallycreatesnapshots
Runsmodulestoextractdataasbookmarksorexportedfiles
Ifyouplantorunmodules,youmustlogonandopenacase.
ifyouchoosetodeployaservlet,boththeWindowsservletandLinuxservletsmustbeavailable
onyourmachine.TheLinuxservletmustbeavailableevenifyoudonothaveanyLinux
machines.SeetheEnCaseEnterpriseAdministratorManualforthepathstotheservletsonyour
SAFEmachine.
To run the Sweep Enterprise EnScript program:
1. DoubleclickontheSweepEnterpriseobjectintheEnScripttreeontheFiltersPane.
TheCaseOptionspageoftheSweepEnterprisewizardappears.
2. Ifyouneedtochangeyouruser,orSAFE:
a. ClickChangeSafe.
TheUserpageoftheLogonwizardappears.
b. Selecttheuser,enterapassword(ifrequired),thenclickNext.
TheSAFEspageoftheLogonwizardappears.
c. SelecttheSAFE,thenclickFinish.
3. IfyouneedtochangeyourRole:
a. ClickChangeRole.
TheRoledialogappears.
b. SelectthedesiredroleandclickOK.
TheNodetoSweeppageoftheSweepEnterprisewizardappears.
4. Ifyouneedtochangethemachinesswept(thosethatappearinMachines)clickNetwork
Tree,navigatetotheappropriatesubtreeormachineandclickOK.
TheappropriateIPaddressesappearinMachines.
5. ReviewtheavailablemoduleslistedinCaseProcessorModulesinForensicEnScript
Programs,thenselectthedesiredmodulestorun,ifany,fromtheModulesList.
EnScriptAnalysis
491
TheSweepOptionspageoftheSweepEnterprisewizardappears.
6. Ifservletsneedtobedeployedonthemachinestobeswept:
a. ClickServletOptions.
TheServletOptionsdialogappears.
b. ClickDeployServlet.
Youcannowchangethesettings.
c. Iftheusernameandpasswordmustbeupdated,enterthisinformationinUpdate
MachinesUsername/Password,andclickUpdate.
d. Ifmachinesinthesubtreetobesweptalreadyhaveservletsdeployed,shouldnot
haveservletsdeployed,orshouldnotbeswept,entertheIPaddressofthe
machineinMachine,andclickExclude.
7. Ifthepathstotheservletsonyourmachinemustbechanged,enterorbrowsetothe
appropriatepaths.
8. ClickOK.
SweepEnterpriserunsandtheresultsappearintheBookmarktableontheBookmark
Homepanel.
Forensic EnScript Code

ToviewEnScriptprogramsintheEnScriptpaneloftheTreepane,clickView>EnScript.
ToviewEnScriptcomponentsintheFilterpane,clickEnScriptstodisplaytheEnScriptpanel.
OpenafolderfromtheEnScriptobjecttoseeavailablescriptslistedintheTablepane.
Torunascript,doubleclickitinthetable.
492
Case Processor
UseCaseProcessortorunoneormoreEnScriptmodulesagainstanopencase.
TorunCaseProcessor,doubleclicktheprogramname.ACaseProcessorwizardappearswith
thenameoftheopencase.
1. EnteraBookmarkFolderName.
2. EnteraFolderComment(optional).
3. ExportPathpopulateswiththedefaultexportpath.
4. ClickNexttodisplaythemoduleselectionwizard.
EnScriptAnalysis
5. MakethedesiredselectionsandclickFinish.
493
494
Case Processor Modules

EachmoduleavailableinCaseProcessorprovidesdifferentinformation:
$LogfileParserparsesspecificinformationfromthe$Logfile.
ActiveDirectoryInformationParserprovidesinformationaboutadirectoryinselectedformats.
AOLIMInformationprovidesdatafromAOLInstantMessengerdata.
AppDescriptorUtilitycreatesappdescriptorsetsstoredgloballyintheappdescriptors.inifile.
CompromiseAssessmentModuleexaminesmachinesforacompromisesuchasahackorvirus.
ConsecutiveSectorssearchesconsecutivesectorsfilledwiththesamecharacter,which
characterizesattemptstowipeadrive.
CreditCardFindersearchesanentirecaseforcreditcardnumbers.
EMailAddressFinderlocatesemailaddressesviaaGREPsearchandbookmarksthem.
EDSRegistryParserparsesEDSRegistryentries.
EXIFViewersearchesselectedfilesfortheEXIFtagandbookmarksthem.
FileFindersearchesforandbookmarksselectedfiletypes.
FileReportgathersfileinformationonallorselectedfolders.
FindProtectedFilessearchesafilesystemforfilesthatareencryptedorrequireapasswordto
openthem.
HTMLCarversearchesallorselectedfilesforkeywordsinHTMLdocumentsandbookmarks
them.
IMArchiveParsersearchesInstantMessengerlogfiles.
KazaaLogParsersearchesacaseforKazaaDBBandDATfiles.
LinkFileParserparsesallorselectedLCKfilesandretrievesselectedinformation.
LinuxInitializeCaselocatesLinuxartifactsandbookmarksthem.
LinuxSyslogParserparsesLinuxsyslogentriesandexportsthedatatoalocaldriveasExcelor
HTML.
EnScriptAnalysis
495
MacInitializeCaselocatesOSXartifactsandbookmarksthem.
PartitionFindersearchesunusedspacetofinddeletedvolumepartitions.
RecycleBinInfoRecordFinderfindsandparsesFATINFOandNTFSINFO2files.
ScanRegistryscanstheWindowsregistryandbookmarksartifacts.
TimeWindowAnalysisModuleanalysesselectedeventsbetweenspecifieddates.
WindowsEventLogParserparsesselectedWindowseventlogs.
WindowsInitializeCaselocatesWindowsartifactsandbookmarksthem.
WTMPUTMPLogFileParserparsesWTMP,UTMP,WTMPXandUTMPXfilesonUnix
systems.
File Mounter
FileMounterisanEnScriptusedtosearchforandmountcompoundfiles,including:
DBX
GZip
PST
TAR
Thumbs.db
Zip
Searchescanbebyextensionorsignature,orboth.
Note: Mounting a number of large files simultaneously can cause your system to run out of memory.
Note: Password protected files are not mounted.
496
1. DoubleclickFileMounter.
2. Selectthemethodtofindthefiles.
3. SelectthedesiredfiletypesandclickOK.
4. Toviewprogress,clicktheConsoletabintheViewpanel.
EnScriptAnalysis
497
Compound Files
TheFileMounterEnScriptprogramletsyoumountallselectedcompoundfiletypes,leaving
themmountedattheconclusionoftheEnScriptprograminvestigation.
Itsmainpurposeistoletyoucatalogthecontentsoftargetedcompoundfiles.Thisisalistingof
itemswithinthecompoundfile,nottheactualcontentsthemselves.
TheEnScriptprogramfindstargetedfilesbasedontheFindFilesByandSelectedFilesoptions.
ItthencatalogsthefilecontentsintoaLogRecordClassbookmarkandaddsthemtotheLEFif
youselectthatoption.
Theprogramthenperformsapreliminarykeywordsearchthatstopsafterasinglehit.Aftera
hit,thefileisplacedintoalistoffilesthatarethenmountedandcompletelysearched.
ResultsappearintheSearchHitstabdisplay.
Mounting Compound Files

1. Selectthecompoundfilestobemounted.
2. Selectanydesiredadditionaloptions,suchas:
MakeLEF
MountPersistent
Search,and
FindFiles
3. ClickOK.
Index Case
Fileindexingispartoftheimprovedsearchengine.Theindexisalistofwordsintheevidence
filewithpointerstotheiroccurrenceinevidence.Becausetheindexissmallerthantheoriginal
evidencefileitisoptimizedforquicksearching.
Tolearnmoreaboutcaseindexing,seetheAnalyzingandSearching(seeAnalyzingand
SearchingFilesonpage327)sections.
498
Scan Local Machine

ScanLocalMachineisanEnScriptprogramusedtorunmodulesagainstalocalmachine.
1. DoubleclickScanLocalMachine.
ItusesmanyofthesamemodulesavailableinCaseProcessor.
2. CompletetheoptionsasdesiredandclickFinish.Dependingonthemoduleschosen,
additionaldialogsmayappearopen.Completethemasnecessary.
Note: Scan local machine searches the local examiner machine and does not search the evidence within
the case. If you want to search the evidence in the case, use Case Processor.
Webmail Parser
UsetheWebmailParsertosearchthecaseforremnantsofWebbasedemail.
EnScriptAnalysis
499
EnScript Example Code

IntheEnScripttreeintheFilterpane,theExamplesfoldercontainsexamplecode.These
programscanserveasabaseforadditionalprogramming.
TheCOMfoldercontainssampleEnScriptprogramsthatuseCOMtoprovideintegrationwith
MSWindowsandMSOfficeapplications.SeetheEnScriptProgramUserManualformore
information.
TheEnScriptexampleprogramsinclude:
CompoundFileViewer
CreateIndexDirectory
EnterpriseUsingEntryData
EnterpriseRegistryOperations
EnterpriseUsingSnapshotData
FindValidIPs
IndexBufferReader
CompoundFileViewerparsescompoundfilesintotheirconstituentpartsforviewing.
CreateIndexDirectorygeneratesaplaintextfilecontainingallwordsinanINDXfile.
FindValidIPsfindsIPaddresses.
IndexBufferReaderparsesinformationfromanindexbufferINDXfile.
COM Folder EnScript Code

TheCOMfoldercontainssampleEnScriptcodethatusestheCOMAPIasanintegrationpoint
intovariousotherapplicationslikeMSOfficeortheWindowsFileSystem.Programmersuse
theseincludestocreatenewEnScriptprograms.
TheCOMfoldercontainstheseprograms:
CreateWordDocument
FileSystem
ReadWordDocument
ExcelCreateWorkbook
OutlookRead
500
EnScript Debugger
TheEnScriptdebuggerallowsEnScriptprogrammerstoconductruntimedebuggingoftheir
programs.
AfteryoucreateaprojectforthetargetEnScriptprogram,theStartDebuggingfunctionalityis
enabled:
Debuggingdisabled(noprojectforthecurrentlyselectedEnScriptprogram):
Debuggingenabled(thereisaprojectforthecurrentlyselectedEnScriptprogram).
WhenyouclickStartDebugging,thedebuggerstartsandopensfournewtabsintheView
Pane.
Thesetabskeeptrackof:
currentlyrunningthreads
localvariables(Locals)atthecurrentbreakpoint
librarydependencies
breakpointlocationsassociatedwiththeEnScriptprogram
Youcansetbreakpointswithinyourcode.EnScriptstopswhenitreachesabreakpointduring
runtime.Usetherightclickmenutosetabreakpoint.
EnScriptAnalysis
501
Ifyouprefer,youcansetbreakpointsbyleftclickingonthelinenumberofthecode.
OnceyousetaBreakpoint,theStartDebuggingbuttonrunstheEnScriptprogram,whichwill
stopattheBreakpoint.Whilestopped,youcananalyzetheruntimeinformationinthenewtabs
intheViewPane.
502
Help for EnScript Modules

TheCaseProcessor,SweepEnterprise,andScanLocalMachinescreenscontainaHelpbuttonor
Helpsectionforeachavailablemodule.
EnScriptAnalysis
503
EnScript File Mounter

TheFileMounterprogramcatalogsthecontentsofselectedcompoundfiles(forexample,.zip
files).Thisproducesalistingoftheitemsinthecompoundfile,nottheactualfilecontents.The
programduplicatesthestructureofcompoundfilesintoLogRecordbookmarks.
Youdefinethetypesoffilestoprocessandthecriteria.Youcanselectfiletypesbyfileextension
orsignature.
Youcanchoosetomountthempersistently(leavingthemmountedaftertheconclusionofthe
EnScriptprogram)ornonpersistently.Thenonpersistentoptionreturnsthemtotheir
unmountedstatewhentheEnScriptFileMounterprogramcompletes.Otheroptionsinclude:
TheabilitytocreateaLogicalEvidenceFile(LEF)thatincludesthecontentsofall
mountedfiles
Creatingakeywordsearchofthetargetedfiles
Allfileshavingatleastonekeywordhitwillbemountedpersistentlyandtheircorresponding
searchhitsdisplayintheSearchHitstab.
CertainMicrosoftOfficedocumentsareconsideredcompoundfiles.Youcanparsetheir
metadataandsearchit.Forexample,youcanlocateandbookmarkMicrosoftWorddocument
metadata(edittimes,pagenumbers,wordcounts,etc.).FileMounterbookmarksAuthorsastext
andEditTimesasdates.
504
Include EnScript
TheIncludefoldercontainscommonprogramcodesharedbyotherhigherlevelEnScript
components.Thesescriptsarenotexecutedindependently.Theyaremeanttobeusedor
includedinotherscripts.
Rightnow,therearenearly100includefilesinthissoftware.Theyarestoredbydefaultin
C:\Program Files\EnCase\EnCase\EnScript\Include.Theycan,however,bestoredin
anotherfolderwithin...\EnScript\.AnEnScriptdevelopercreatingnewincludefilesto
workwithnewEnScriptcomponentcancreateanewfolderandplacethenewincludeprograms
there.
Oncethenewfolderiscreated,EnCaseapplicationsmustknowofitslocation.
1. ClickTools>Options>EnScripttoseetheOptionsdialog.
2. ChangetheIncludePathfieldentrytoreflectthenewincludefolderlocation.
Note: Add only the folder name, not the complete path.
EnScriptAnalysis
505
EnScript Help
TherearecurrentlytwosourcesofinformationaboutEnScriptprograms.
Help>EnScriptHelp
View>EnScriptTypes
EnScript Types
EnScripttypesreferenceresourcescontainingtheEnScriptlanguageclasses.Perusingthese
typesprovidesinformationaboutEnCaseclassesandfunctions.
ClickView>EnScriptTypes
TheTreepanecontainsalistoftheclasses.SelectingtheReportpaneloftheTablepanedisplays
areadonlydescriptionoftheselectedclass.
Packages
PackagesareawaytodistributeEnScriptprogramswithoutallowingotherstoviewormodify
thecode.Thisallowsforcentralizedsourcecontrol,andavoidsunwantedcodesharing.
Packagesarebuiltwiththe.enpackfileextensionandfunctiontoendusersexactlyasEnScript
programs.Inadditiontoblockingthecodefromendusers,youcanalsocreatelicensefiles
specifictolicensekeys,protectingyoufromunwantedduplication.Thelicensefilesextensionis
.EnLicense.
Package Features
Featuresthatsupportthepackagesinclude:
NewPackagedialog
CreateLicensedialog
UsetheNewPackagedialogtocreate,buildandeditpackages.Whenbuildingorediting
packagesthenameofthisdialogchanges,butthepanelsandsettingremainthesame.
UsetheCreateLicensedialogtocreatelicensesforapackage.ThelicenseisassignedtheLicense
Namevalueon:
ThePackagepaneloftheNewPackagedialog
Edit<packagename>dialog
TheBuilddialog.
506
New Package Dialog

TheNewPackagedialogcontains:
Apackagepanel
Apropertiespanel
UsetheNewPackagedialogtocreate,build,edit,andrunpackages.
Package Panel
ThePackagepaneloftheNewPackagedialogcapturesattributesrelatedtothepackage.Usethis
paneltocreate,build,andeditthepackage.
EnScriptAnalysis
507
Nameisthefilenameofthepackage,asseenintheinterface.
SourcePathcontainsthepathtoandfilenameoftheEnScriptsourcecodetobepackaged.
OutputPathcontainsthetoandfilenameofthepackageorpackagetobecreated.
UseLicensedetermineswhetherotherlicenserelatedcontrolsappearonthedialog.Usethis
settingifyouwanttolicensethepackage.
LicenseNamecontainsthefilenameofthelicensewithoutitsfileextension.Thissettingonly
displayswhenUseLicenseisselected.
SecretKeyisakeyusedinconjunctionwiththelicensefiletosecurethecodewithinthe
package.Thistextisnotexposedtoendusersandshouldnotbegiventoendusers.
Properties Panel
ThePropertiespaneloftheNewPackagedialogcapturesattributesrelatedtotheproductbeing
packaged.Thispanelisusedtocreate,build,andeditthepackage.
508
ProductNameisthenameoftheEnScriptsourcecode.
MajorVersionisthemajorversionnumberoftheEnScriptsourcecode.
MinorVersionistheminorversionnumberoftheEnScriptsourcecode.
SubVersioncontainsidentifiersforbugfixversions,patches,orbuildnumbersoftheEnScript
sourcecode.
Descriptionisselfexplanatory.
Companyisthenameofthecompanyassociatedwiththepackage.
BusinessPhoneisthephonenumberofthecompanyassociatedwiththepackage.
WebPageistheURLofthecompanyWebpageassociatedwiththepackage.
Create License Dialog

UsetheCreateLicensedialogtocreatealicenseassociatedwithapackage.Theassociationis
madebyenteringthefilenamecontainedinLicenseFilewithoutitsextension.
EnScriptAnalysis
509
LicenseFilecontainsthepathtoandthefilenameofthelicensefile.
DongleListcontainsthedonglenumbersthatenablethelicense.Ifthelicenseisnotrestricted,
leavethissettingblank.
MajorVersioncontainsthemajorversionnumberofthesoftwarerelease.
Expirescontainsthedatewhenthelicensewillexpire.
#definecontainsnamesusedinthecode,definedusingthe#definedirective,whichassociatethe
licensewithspecificfunctionality.Asubsetoffunctionalityisassociatedwithagivenlicense.
Using a Package
Apackageis
Created
Edited
Built
Run
Inaddition,oneormorelicensesarecreatedandassociatedwithapackage.
Creating a Package
Tocreateapackage
ClickthePackagestab,adjacenttotheCasestabontheroottoolbaroftheTreepane.
ClickView>Packages
2. RightclickonthePackagestreeintheTreepane,andthenclickNew.
TheNewPackagedialogappearsdisplayingthePackagepanel.
3. OnthePackagepanel,completethesettings,andthenclickProperties.
ThePropertiespanelappears.
4. OnthePropertiespanel,completethesettings,andthenclickOK.
510
Oncecreated,thepackageappearsinthePackagesTableintheTablepane.Thecolumnsinthis
tablecontainthedetailsenteredintheNewPackagedialog.
Note: Creating a package does not produce the package file. To produce the package file, see Building a
Package
Editing a Package
1. InthePackagetableontheTablepane,doubleclickonthedesiredpackage.
TheEdit<packagename>dialogappears.
2. Modifythesettingsasdesired,andclickOK.
Note: If you want to change the code, you will need to first modify the EnScript code source file, and then
generate a new package file. You may want to alter the version numbers to reflect this.
Building a Package
1. InthePackagetableontheTablepane,doubleclickonthedesiredpackage.
TheEdit<packagename>dialogappears.
2. Modifythesettingsasdesired,andthenclickOK.
Thepackageisnowcreatedintheoutputpathspecified.
Creating a License
Youcancreatealicensecanbecreatedindependentlyofitsassociatedpackage.Theassociation
withapackageismadewhenyoudefinethepackage.
To create a license for a package:
1. InthePackageTableintheTablepane,rightclickthepackageandclickCreateLicense.
TheCreateLicensedialogappears.
2. InLicenseFile,enterorbrowsetothepathandfilename.
3. IntheDongleList,enterthelicensekeys.
4. InMajorVersion,selecttheappropriateversionnumber.
5. InExpires,entertheexpirationdateofthepackage.
EnScriptAnalysis
511
6. Ifyouwanttocontrolthefeaturesetusedviathislicense,in#define,enterthe#defined
namesassociatedwiththefeatureset.
7. ClickOK,andthenclickOKagaininthestatusmessagebox.
Running a Package
Createandbuildapackage.Alicensemaybeassociatedwiththepackageaswell.
To run a package
1. CopythecreatedlicensefiletoC:\Program Files\EnCase6\Licenses.
ChangerootfolderofyourEnScriptfoldertoreflectthelocationofthepackage
created.
CopythecreatedpackagetoafolderinyourcurrentEnScriptrootfolder,normally
C:\Program Files\EnCase6\EnScript.
3. Ifalicenseisassociatedwiththepackage,ensurethattheinstalledsecuritykeymatches
thekey(s)enteredwhencreatingthelicense.
TheEnScriptprogramisnowreadytorun.
4. IntheEnScripttreeintheEnScriptpaneloftheFilterpane,doubleclickthepackageto
runit.
Send To HBGary Responder EnScript

ThisEnScriptpassesamemoryobjectgatheredbyEnCasetoHBGarysRespondersoftware.
1. Selectthephysicalmemorytosend:
512
2. ClickToolsSendToResponder:
3. EnScriptdropsthephysicalevidencedeviceinformation,byteforbyte,intoaflatfileand
sendsittoResponder.HereisanexampleofthefileviewedinWindowsExplorer:
EnScriptAnalysis
513
Ifyouspecifyadeviceorfileotherthanaphysicalmemorydrive,anerrormessagedisplays:
HBGary Responder does not support analyzing Windows Vista memory dump.
CHAPTER 14
Using EnCase Tools

In This Chapter
Toolbar
516
Tools Menu
517
516
Toolbar
ThetoolbarcontainsiconsforthemostfrequentlyusedEnCasefunctions.
WhenyouopenEnCaseinacquisitionmode,onlytheNew,Open,Print,andRefreshicons
displayinthetoolbar.Whenyouopenacase,theAddDeviceicondisplays.
Thereisacorrespondingmenucommandforeachtoolbaricon.
Whenthetoolbariswiderthanthemainwindow,thetoolbarwrapstoanotherline.
Someoftheiconsareenabledonlywhentheyareuseful,suchasPrintandRefresh.
Thepanesandthetabsinthetoolbarsalsodisplaycontextdependenticons,accessedfromright
clickmenus.
NewopenstheCaseOptionswizardfordefininganewcase.
Opendisplaysadialogforopeninganexistingcase.
PrintopensthePrintdialog.
Refreshupdatesalistortabletoreflectchangesinthefilesystem.
SaveopenstheSavedialog.
AddDeviceopenstheAddDevicewizard.
SearchopenstheSearchdialog,soyoucansearchevidenceassociatedwiththecase.
Othericonsdisplaydependingontheircontext.Thereisalwaysacorrespondingmenu
command.
UsingEnCaseTools
517
Tools Menu
TheToolsmenu,atthetopofthedisplaycontainscommandsforvariousutilityprograms.
518
EnScript Programs Shortcut Submenu

TheshortcutsubmenucontainsshortcutstoEnScriptprogramsthataredesignatedintheTools
MenuPlugin.TheToolsMenuprogramisintheEnScriptpaneloftheFilterpane.Youcan
modifyittoincludeadditionalshortcutsfromthetoolsmenu.
TheEnScriptProgramShortcutsandtheEnScriptProgramthatProvidetheRelatedCommand
Functionality
Wipe Drive
Warning!Thisprocedurecompletelyerasesmediaandoverwritesitscontentswitha
hexadecimalcharacter.InvokeWipeDrivewithextremecare.
Note: Execute the Wipe Drive utility to remove all traces of any evidence files from a storage drive.
To wipe a drive:
1. ClicktheWipeDriveoptionontheToolsmenu.
Thedriveselectordisplays.
UsingEnCaseTools
519
2. MakeinitialselectionsandclickNext.
TheChooseDevicesscreendisplays.
3. ChoosethedevicetargetedforerasureandclickNext.
520
Anoptionsdialogdisplays.TheVerifywipedsectorsboxischeckedbydefaultandthe
Wipecharacterishex00.Iftheboxischecked,theWipeDriveprogramreadseachsector
andverifiesthatthewipecharacteriswrittenthroughout.Youcanenteranyhexvaluein
theWipecharacterfield.
4. ClickFinish.
TheDrivesdialogopens:
5. EnterYesintheContinueboxandclickOK.
UsingEnCaseTools
521
Thedriveiscompletelyerasedandoverwrittenwiththespecifiedhexstring.WipeDrive
displaysinformationaboutthediskandtheoperation.
Youmustreformatthisdriveinordertouseitagain.
Verifying Evidence Files

VerifyEvidenceFileschecksCRCvaluesofselectedfiles.Itisawaytoensurethatevidenceis
nottamperedwith.VerifiedCRCinformationiswrittenouttoalogfile.IfaCRCverfication
fails,anotificationappearsandyoucanlogtheerrortotheconsole,bookmarktab,orlogfile.
Acquiretheevidencefiles.
1. ClickTools>VerifyEvidenceFiles.
TheVerifyEvidenceFilesfilebrowserappears.
2. SelectoneormoreevidencefilesandclickOpen.
522
Whenfilesareverified,astatusreportappears.

YouhaveacopyofaLinuxdistribution.
SeeCreatingaLinEnBootDisc(onpage47)formoreinformation.
UsingEnCaseTools
Options
UsetheOptionsdialogtocustomizethesoftware.
SeethechapterTheOptionsDialog(onpage155)forcompleteinformationonthistopic.
1. ClickTools>Options.
TheOptionsdialogopens.
2. Clickonatabtomakechangestosettings.
3. Whenyouarefinishedmakingthechangestotabs,clickOK.
523
CHAPTER 15
Glossary of Terms
527
Glossary of Terms
A
ASCII
ASCII(AmericanStandardCodefor
InformationInterchange)isacharacter
encodingbasedontheEnglishalphabet.
ASCIIcodesrepresenttextincomputers,
communicationsequipment,andother
devicesthatworkwithtext.Mostmodern
charactercodeshaveahistoricalbasisin
ASCII.ASCIIwasfirstpublishedasa
standardin1967andwaslastupdatedin
1986.Itcurrentlydefinescodesfor33non
printing,mostlyobsoletecontrolcharacters
thataffecthowtextisprocessed,plus95
printablecharacters.
Checksum
Aformofredundancycheckforprotecting
theintegrityofdatabydetectingerrors.It
worksbyaddingthebasiccomponentsofa
message(typicallytheassertedbits)and
storingtheresultingvalue.Later,anyone
canperformthesameoperationonthedata,
comparetheresulttotheauthentic
checksum,and,ifthesumsmatch,conclude
thatthedatawasnotcorrupted.Amajor
drawbacktochecksumisthat1234
generatesthesamecheckas4321.
Cluster
Aclusteristhesmallestamountofdisk
spacethatcanbeallocatedtoholdafile.
Code Page
Bookmark
Acodepageinterpretsaseriesofbitsasa
character.
Bookmarksletyouannotateevidenceand
analyticalartifacts.Files,folders,address
rangeswithinfiles,collectionsoffilesor
data,andevenbookmarksthemselvescan
bebookmarked.
Compound File
Afilecontainingotherfiletypeswithinit.
Forexample,aMicrosoftWordfilecan
containtext,graphics,andspreadsheetfiles.
Computer Forensics
Burn
Theapplicationofscientificmethodto
digitalmediatoestablishfactual
informationforjudicialreview.Thisprocess
ofteninvolvesinvestigatingcomputer
systemstodeterminewhethertheywere
usedforillegalorunauthorizedactivities.
Theprocessofrecordingdatatoanoptical
disc,suchasaCDorDVD.
C
Case File
Atextfilecontaininginformationspecificto
onecase.Thefileincludespointerstooneor
moreevidencefiles,devices,bookmarks,
searchresults,sorts,hashanalysisresults,
andsignatureanalysis.
Connection
Thecommunicationsbetweentheservlet
andtheclientoccuracrossaconnection.
Thisconnectionmayinvolve
communicatingthroughtheSAFE.
528
Cyclical Redundancy Check (CRC)
EnScript Language
TheCRCisavariationofthechecksum.Its
advantageisthatitisordersensitive.The
string1234and4321producesthesame
checksum,butnotthesameCRC.
AprogramminglanguageandApplication
ProgramInterface(API)thathasbeen
designedtooperatewithintheEnCase
environment.
Evidence File
Device Configuration Overlay (DCO)
ThecentralcomponentoftheEnCase
methodologyistheevidencefile.Thisfile
containsthreebasiccomponents(header,
checksum,anddatablocks)thatwork
togethertoprovideasecureandself
checkingdescriptionofthestateofa
computerdiskatthetimeofanalysis.
TheDeviceConfigurationOverlay
(sometimescalledDiskConfiguration
Overlay)issimilartotheHostProtected
Area.Itisanoptionalfeaturewithinthe
ATA6standardandissupportedbymost
harddisks.LiketheHPA,itcanalsobeused
tosegmentaportionoftheharddiskdrive
capacityfromviewbytheOSorfilesystem,
usuallyfordiagnosticorrestoration
purposes.
Examiner
Ageneraldestinationfoldertoplacedata
copiedfromtheevidencefolder.
Disk Slack
Export Folder
Thisistheareabetweentheendofthe
volumeandtheendofthedevice.
Ageneraldestinationfoldertoplacedata
copiedfromtheevidencefile.
EnCase Forensic
FastBloc
EnCaseForensicisrecognizedasthe
standardcomputerforensicsoftwareused
bymorethan15,000investigatorsand40of
theFortunetop50companies.EnCase
Forensicprovideslawenforcement,
governmentandcorporateinvestigators
reliable,courtvalidatedtechnologytrusted
byleadingagenciesworldwidesince1997.
FastBlocisacollectionofhardwarewrite
blockersandonesoftwarewriteblocker.
Encryption
Theprocessofencodinginformationto
makeitunreadablewithoutakeytodecode
it.
File Allocation Table (FAT)

Referstoafilesystemusedprimarilyin
DOSandWindowsoperatingsystems.
Thereareseverallevelsdesignedtocope
withlargerdevices.FAT12isusuallyused
forremovablemedia,whereasFAT16was
initiallyusedonharddrives.FAT16hasa
2GBsizelimit,soFAT32wasintroducedfor
largerharddrives.FAT32hasbeen
supersededbytheNewTechnologyFile
System(seeNTFS)andistherecommended
filesystemforWindows2000andlater.
GlossaryofTerms
529
File Signature
GREP
Uniqueidentifierspublishedbythe
InternationalStandardsOrganizationand
theInternationalTelecommunications
Union,TelecommunicationStandardization
Sector(amongothers)toidentifyspecificfile
types.
AnacronymforsearchGloballyforlines
matchingtheRegularExpression,andPrint
them.
Theareabetweentheendofafileandthe
endofthelastclusterorsectorusedbythat
file.Thisareaiswastedstorage,sofile
systemsusingsmallerclustersutilizedisk
spacemoreefficiently.
GREPisacommandlineutilityoriginally
writtenforusewiththeUnixoperating
system.ThedefaultbehaviorofGREPtakes
aregularexpressiononthecommandline,
readsstandardinputoralistoffiles,and
outputsthelinescontainingmatchesforthe
regularexpression.TheGREP
implementationinEnCasehasasmaller
subsetofoperatorsthanGREPusedinUnix.
Filter Pane
GUID
TheFilterpaneistypicallylocatedinthe
lowerrightquadrantofthefourpane
display.ItprovidesaccesstoEnScript
programs,filters,conditions,andqueries.
(AlsoseeTreePane,ViewPane,andTable
Pane.)
SeeGloballyUniqueIdentifier.
File Slack
H
Hash
Acoordinatedsetofglyphsdesignedwith
stylisticunity.Afontusuallycomprisesan
alphabetofletters,numerals,and
punctuationmarks.
Amethodusedtogenerateaunique
identifierforthedatathehashvalue
represents.Thereareseveralstandardized
hashingalgorithms.EnCaseusesthe128bit
MD5hashingalgorithmwhichhas2^128
uniquevalues.Thisensuresthatthechance
offindinganidenticalhashvalueusinga
differentdatasetisexceptionallysmall.
Hash Sets
Globally Unique Identifier (GUID)
Collectionsofhashvaluesforgroupsof
files.
Font
AGUIDisapseudorandomnumberused
insoftwareapplications.Whileeach
generatedGUIDisnotguaranteedtobe
unique,thetotalnumberofuniquekeys(2128
or3.4x1038)issolargethattheprobabilityof
thesamenumberbeinggeneratedtwiceis
exceptionallysmall.
Hexadecimal
Anumeralsystemwitharadixorbaseof16
usuallywrittenusingthesymbols09and
AForaf.Forexample,thedecimal
numeral79whosebinaryrepresentationis
01001111canbewrittenas4Fin
hexadecimal(4=0100,F=1111).
530
Host Protected Area (HPA)
Anareaofadiskdesignedtoallowvendors
tostoredatasafefromuseraccess,
diagnostics,orbackuptools.Ifpresent,data
storedinthisareaisinaccessiblebythe
operatingsystem,BIOSorthediskitself.
Keyword
LinEn Utility
Index
TheLinuxEnCaseclientusedfordiskto
diskorcableacquisitions.
AnEnCaseindexisafeaturethatallows
quickaccesstothedatainanevidencefile.
Logical Evidence File
Internet Protocol Address (IP)

Auniquenumberthatdevicesuseto
identifyandcommunicatewitheachother
onacomputernetworkutilizingtheInternet
Protocolstandard.Anyparticipating
networkdevice,including:
routers
computers
timeservers
printers
Internetfaxmachines
sometelephonesmusthaveitsown
uniqueaddress.
AnIPaddresscanalsobethoughtofasthe
equivalentofastreetaddressoraphone
number.
IPv4specifiesaddressesinfoureightbit
decimalnumbersseparatedbyadot.IPv4
specifiesaportnumberwithacolon.
IPv6addressesthelimitationsthatIPv4has
withthetotalnumberofaddresses.IPv6is
typicallywrittenineight16bithexadecimal
numbers,whichareseparatedbyacolon.
IPv6specifiesaportnumberwithaspace.
Akeywordisastringorexpressionusedin
searchingyourevidence.
Aspecializedformofanevidencefilefilled
withuserselectablefiles,asopposedtoa
traditionalevidencefilewhichcontainsthe
entirecontentsofthedevice.Logical
Evidencefileshavetheextension.L01.
M
Malware
Softwaredesignedtoinfiltrateordamagea
computersystemwithouttheowners
informedconsent.
Mount, Mounting
Theprocessofmakingafilesystemready
forusebytheoperatingsystem,typicallyby
readingcertainindexdatastructuresfrom
storageintomemoryaheadoftime.The
termrecallsaperiodinthehistoryof
computingwhenanoperatorhadtomount
amagnetictapeorharddiskonaspindle
beforeusingit.
N
Network Tree
Thenetworktreerepresentsthehierarchical
organizationoftheunderlyingnetworkand
filestructure.
GlossaryofTerms
531
New Technology File System (NTFS)
Port
ThestandardfilesystemofWindowsNT
anditsdescendants:
Avirtualdataconnectionthatcanbeused
byprogramstoexchangedatadirectly,
insteadofgoingthroughafileorother
temporarystoragelocation.Themost
commonoftheseareTCPandUDPports
usedtoexchangedatabetweencomputers
ontheInternet
Windows2000
WindowsXP
WindowsServer2003
WindowsVista
Node
Anodeisthemachinewheretheservletis
installed.
Redundant Array of Independent Disks (RAID)
Notable File Bookmarks

Bookmarksusedtoidentifyindividualfiles
containingimportantinformationtoacase.
Adatastorageschemeusingmultiplehard
drivestoshareorreplicatedataamongthe
drives.Dependingontheconfigurationof
theRAID(typicallyreferredtoastheRAID
level),thebenefitsofRAIDare:
NTFS
increaseddataintegrity
SeeNewTechnologyFileSystem.
faulttolerance
throughputorcapacitycomparedto
singledrives
Pane
Panescomprisethefourquadrantstothe
interface:
Treepane
Tablepane
Viewpane
Filterpane
Panescontaintabs,whichalterthedisplay
ofthedatainsidethepane.Panesare
resizable.
Physical Disk Emulator (PDE)
TheEnCasePhysicalDiskEmulatorlets
examinersmountcomputerevidenceasa
localdriveforexaminationinWindows
Explorer.Thisfeatureallowsexaminers
manyoptionsintheirexaminations,
includingtheuseofthirdpartytoolswith
evidenceservedbyEnCase.
Regular Expression
Astringthatdescribesormatchesasetof
stringsaccordingtocertainsyntaxrules.
Manytexteditorsandutilitiesuseegular
expressionstosearchandmanipulatebodies
oftextbasedoncertainpatterns.Many
programminglanguagessupportregular
expressionsforstringmanipulation.Also
seeGREP.
Root
Thebaseofafilesystemsdirectory
structureortheparentdirectoryofagiven
directory.
532
Spyware
Sector
Referstoabroadcategoryofmalicious
softwaredesignedtointerceptortake
partialcontrolofacomputerwithoutthe
informedconsentofthatmachinesowneror
legitimateuser.Whilethetermtaken
literallysuggestssoftwarethat
surreptitiouslymonitorstheuser,ithas
cometorefermorebroadlytosoftwarethat
subvertsthecomputersoperationforthe
benefitofathirdparty.
Asubdivisionofatrackofamagnetichard
diskoropticaldisc.Asectorstoresafixed
amountofdata.Atypicalsectorcontains
512bytes.
Secure Authentication For EnCase (SAFE)
TheSAFE(SecureAuthenticationFor
EnCase)isaphysicallyandlogicallysecured
serverthatauthenticatesallusersand
controlsallaccesstothenetworkdevices.
Security Key
Auniquelyprogrammedhardwarekey,
sometimesreferredtoasadongle,that
identifiesausertoEnCasesoftwareand
enablesaccesstoitsfeatures.
Servlet
Steganography
Theartandscienceofwritinghidden
messagesinawaythatnooneexceptthe
intendedrecipientknowsoftheexistenceof
themessage;thisisincontrastto
cryptography,whichdoesnotdisguisethe
existenceofthemessagebutobscuresits
content.
ServletsareEnCaseservicesrunningon
networkworkstationsandserversthat
providebitlevelaccesstothemachine
wheretheyreside.
Subject
Signature
Swap File
SeeFileSignature.
Amemorymanagementtechniquewhere
noncontiguousmemoryispresentedtoa
softwareprocessascontiguousmemory.
Memorypagesstoredinprimarystorageare
writtentosecondarystorage,thusfreeing
fasterprimarystorageforotherprocessesin
use.Aswapfileisalsocalledapagefile.
Slack
SeeDiskSlackandFileSlack.
Snapshot
Arepresentationofaliverunningmachine,
includingvolatilecomputerdatasuchas
currentlyloggedonusers,registrysettings,
andopenfiles.
Thecomputerormediathattheinvestigator
actuallyexamines.
T
Table Pane
Partoftheprogramuserinterfacelocatedin
theupperrightquadrantofthefourpane
display.
GlossaryofTerms
533
Temp Folder
Virtual File System (VFS)
Afolderthatallowssegregationandcontrol
oftemporaryfilescreatedinthecourseofan
investigation.AlsoseeExportFolder.
Apartoftheprogramuserinterfacelocated
intheupperleftquadrantofthefourpane
display.
TheEnCaseVirtualFileSystem(VFS)lets
examinersmountcomputerevidenceasa
readonly,offlinenetworkdrivefor
examinationinWindowsExplorer.The
valueofthisfeatureisthatitallows
examinersmultipleexaminationoptions,
includingtheuseofthirdpartytoolswith
evidenceservedbyEnCase.
Virtual Machine
Unicode
Softwarethatcreatesavirtualenvironment
onacomputerplatformsotheusercanrun
software.Severaldiscreteexecution
environmentsresideonasinglecomputer,
eachrunninganOperatingSystem.This
allowsapplicationswrittenforoneOSto
runonamachinewithadifferentOS.
Tree Pane
Anindustrystandardthatenablestextand
symbolsfromalltheworldswriting
systemstobeconsistentlyrepresentedand
manipulatedbycomputers.Unicode
consistsof:
Acharacterrepertoire
Anencodingmethodologyandsetof
standardcharacterencoding
Asetofcodechartsforvisual
reference
Anenumerationofcharacter
propertiessuchasupperandlower
case
AwhollyownedsubsidiaryofEMC
Corporation,itsuppliesmuchofthe
virtualizationsoftwareavailableforx86
compatiblecomputers.VMWaresoftware
runsonWindowsandLinux.
Asetofreferencedatacomputerfiles
Write Blocker
Rulesfornormalization,
decomposition,collationand
rendering
Atool(softwareorhardware)thatprevents
writestoasubjectdevicewhileallowing
investigatorstosafelyreadfromthedevice.
V
View Pane
Apartoftheprogramuserinterfacelocated
inthelowerleftquadrantofthefourpane
display.
VMWare
CHAPTER 16
Guidance Software
In This Chapter
Legal Notification
Support
537
535
536
Legal Notification
CEIC,EnCaseeDiscoverySuite,EnCaseEnterprise,EnCaseEnterpriseAIRS,EnCaseForensic,
EnCE,EnScript,FastBloc,GuidanceSoftware,Neutrino,Snapshot,andWaveShieldare
registeredtrademarksortrademarksownedbyGuidanceSoftwareintheUnitedStatesand
otherjurisdictionsandmaynotbeusedwithoutpriorwrittenpermission.Allothermarksand
brandsmaybeclaimedasthepropertyoftheirrespectiveowners.Productsandcorporate
namesappearinginthismanualmayormaynotberegisteredtrademarksorcopyrightsoftheir
respectivecompanies,andareusedonlyforidentificationorexplanationintotheowners
benefit,withoutintenttoinfringe.
Anyuseandduplicationofthismaterialissubjecttothetermsofthelicenseagreementbetween
youandGuidanceSoftware.Exceptasstatedinthelicenseagreementorasotherwisepermitted
underSections107or108ofthe1976UnitedStatesCopyrightAct,nopartofthispublication
maybereproduced,storedinaretrievalsystemortransmittedinanyformorbyanymeans,
electronic,mechanical,photocopying,recording,scanningorotherwise.
ProductManualsandDocumentationarespecifictothesoftwareversionsforwhichtheyare
written.Forpreviousoroutdatedmanuals,productreleaseinformation,contactGuidance
Softwareathttp://www.guidancesoftware.com(http://www.guidancesoftware.com).
Specificationsandinformationcontainedinthismanualarefurnishedforinformationaluse
only,andaresubjecttochangeatanytimewithoutnotice.
ProtectedbyU.S.PatentNos.7,168,000and6,792,545.PatentsPendingintheU.S.andother
countries.
GuidanceSoftware
537
Support
GuidanceSoftwaredevelopssolutionsthatsearch,identify,recover,anddeliverdigital
informationinaforensicallysoundandcosteffectivemanner.Sinceourfoundingin1997,we
havemovedintonetworkenabledinvestigations,enterprisewideintegrationwithother
securitytechnologies.
Thissectionprovidesinformationonoursupportforyouthrough:
Referencemanualsandreleasenotes
SupportportalontheWeb,includingaccesstodownloads
TechnicalSupportDepartment
CustomerServiceDepartment
MessageBoards
Training
ProfessionalServices
Reference Manuals and Release Notes

GuidanceSoftwareprovidesprintedmanualsforallofourproductline,aswellasPDFversions
ofinterimupdatesandReleaseNotesdescribingthenewfeaturesandproblemsfixed.
Readthismanualtounderstandtheproductanditsuse.Beforeacquiringliveevidence,run
severaltestacquisitionsandtrydifferentprocessesforexaminingfiles.
538
Technical Support
GuidanceSoftwareprovidesavarietyofsupportoptions,includingphone,email,online
submissionforms,anuptodateknowledgebase,andamessageboard(technicalforum).
SupportisavailablefromSunday,7:00PMthroughFriday,6:00PMPacificTime(Monday,3:00
AMtoSaturday,1:00PMGMT).ThisexcludespublicholidaysintheUnitedStatesandthe
UnitedKingdomduringrespectivebusinesshours.
Phone/mail support
USContactInfo:
215NorthMarengoAvenue
Suite250
Pasadena,CA91101
Phone:16262299191,Option4
Fax:6262299199
UKContactInfo:
ThamesCentral,5thFloor
HatfieldRoad
Slough,BerkshireUKSL11QE
Phone:+44(0)1753552252,Option4
Fax:+44(0)1753552232
TollFreeNumbers:
Germany:08001814625
China:108001300976
Australia:1800750639
HongKong:800964635
NewZealand:0800450523
Japan:00531130890
Online support
GuidanceSoftwareoffersaSupportPortaltoourregisteredusers,providingtechnicalforums,a
knowledgebase,abugtrackingdatabase,andanOnlineRequestform.ThePortalgivesyou
accesstoallsupportrelatedissuesinonesite.Thisincludes:
User,product,BetaTesting,andforeignlanguageforums(messageboards)
KnowledgeBase
BugTracker
TechnicalServicesRequestForm
GuidanceSoftware
539
Downloadsofprevioussoftwareversions,drivers,etc.
OtherUsefulLinks
Althoughtechnicalsupportisavailablebyemail,youwillreceivemorethorough,quicker
servicewhenyouusetheonlineTechnicalSupportRequestForm
https://support.guidancesoftware.com/node/381.Notethatallfieldsaremandatory,andfilling
themoutcompletelyreducestheamountoftimeittakestoresolveanissue.
IfyoudonothaveaccesstotheSupportPortal,pleaseusetheSupportPortalregistrationform
https://support.guidancesoftware.com/forum/register.php?do=signup.
Registration
Registrationrequiresyoutochooseauniqueusernameandpassword.Pleaseprovideall
requestedinformation,includingdongleID,phone,emailaddress,organization,etc.Thishelps
usidentifyyouasaregisteredownerofEnCase.
Youwillreceiveanemailwithin24hours.Youmustfollowthelinkinthatemailbeforeyoucan
postontheforums.Untilyoudothat,youwillnothavepermissiontopost.Onceyouhave
verifiedyouremailaddress,youwillbeaddedtotheRegistrationList.Pleaseallow24business
hoursforyouraccounttobeapproved.
OnceyourregistrationisapprovedyoucanaccesstheSupportPortal
https://support.guidancesoftware.com/.YoucanusetheSupportPortalTutorialforabrief
overviewofthesite.
540
User, product, and foreign language forums

Toaccesstheforums,clickontheForumTabhttps://support.guidancesoftware.com/forum/in
theSupportPortal.
Theforumsallowregistereduserstopostquestions,exchangeinformation,andholddiscussions
withGuidanceSoftwareandotherusersintheEnCasecommunity.Differentdiscussiongroups
areavailableasfollows:
ForeignLanguageGroups
French
Arabic
German
Spanish
Japanese
Chinese
Korean
ForumGroups
UserGroup
ConsultantandPractitioners
ComputerForensicHardwareIssues
EnScriptForum
ProductSpecificGroups
(onlyavailabletocustomerswhohavepurchasedtherespectiveproducts)
Neutrino
Enterprise
FIM
eDiscovery
EnteraGroupbyclickingontheGroupname.
GuidanceSoftware
541
Posting to a Group
icon.
Tocreateanewpost,clickthe
Clickthe
post.
icontoreplytoapost,orusetheQuickReplyiconatthebottomofeach
Searching
Theforumscontainanaccumulationofovertenyearsofinformation.Usethe
buttontosearchforkeywords,orclickAdvancedSearchformorespecificsearchoptions.
Bug Tracker
UseBugTrackertosubmitandcheckthestatusandpriorityofsubmitteddefectand
enhancementrequests.Itisbrokendownbyproduct,showingthecurrentnumberof
bugs/enhancementsandpublicbugsforeachproduct.ToaccesstheBugTracker,clickonthe
BugTrackertabhttps://support.guidancesoftware.com/forum/project.phpintheSupportPortal.
Knowledge Base
YoucanfindanswerstoFrequentlyAskedQuestions(FAQs)andotherusefulproduct
documentationintheKnowledgeBase.Youcanalsosubmityourownarticlestohelpother
EnCaseusers.
ToaccesstheKnowledgeBase,clickontheKnowledgeBasetab
https://support.guidancesoftware.com/directoryintheSupportPortal.
542
Fromhere,youcanbrowse,search,andwriteKnowledgeBasearticles.
Online Technical Support Request Form
PleaseusetheTechnicalSupportRequestFormtorequestassistancefromaTechnicalServices
engineer.Toaccesstheform,clickontheTechnicalSupportRequestForm
https://support.guidancesoftware.com/node/381intheSupportPortal.
Other useful links
TheSupportPortalslandingpagecontainsasectionofusefullinks,including:
GuidanceSoftwareHomePage
DownloadCenter:downloadsoftware,hardware,manuals,bootdisks,supportarticles,
etc.
MyAccount:registeryourdongleidtoreceiveuptodatesoftwarebyemail
NVD(NationalVulnerabilityDatabase)InformationandResponses
GuidanceproductVersionMatrix:checkcompatibilityofdifferentproductversions
HardwareRecommendations:hardwarerecommendationsforEnCaseForensicand
EnCaseEnterprise
SubscribetoPublicBugs
GuidanceSoftware
543
Customer Service
TheGuidanceSoftwareCustomerServicesDepartmentisstaffedbyhighlytrained,friendlystaff
capableofresolvinganyproblemregardingyourorder.
Hoursandcontactinformationarelistedbelow.
Phone:626.229.9191
Fax:626.229.9199
Email:customerservice@guidancesoftware.com
Internet:http://www.guidancesoftware.com/support/cs_requestform.aspx
Hours:MondaythroughFriday6:00a.m.to5:00p.m.,PacificTime
Training
GuidanceSoftwareoffersavarietyofprofessionalcoursesforthebeginner,intermediateand
advanceduserofallitsapplications.Inadditiontoprovidingasolidgroundinginoursoftware,
wealsoprovideourstudentswithacceptedbestpracticesforinvestigation,reportgeneration
andevidencepreservation.
GuidanceSoftwareofferscoursesforlawenforcementagencies,organizationsconcernedwith
forensicsandincidentresponse,andadvancedtopicsforallusers.
544
Professional Services
TheGuidanceSoftwareProfessionalServicesDivision(PSD)combinesworldleadingcomputer
investigationsexpertswithworldleadingforensictechnologytodeliverturnkeysolutionsto
forensicinvestigations.
GuidanceSoftwarehascombineditsindustryleadingcomputerinvestigationtechnologywitha
teamofthemosthighlytrainedandcapableinvestigatorsintheworldtobringyoucomplete
turnkeysolutionsforyourbusiness.Whenyoufaceinvestigativeissuesthatgobeyondyour
internalcapabilities,ourprofessionalservicesgroupisabletorespondeitherremotelyorby
comingonsitetoprovidetherighttechnologyandcomputerinvestigationspersonnelforthe
job.
Internal Investigations
Theftofintellectualproperty
Intrusionreconstruction
Wrongfulterminationsuit
Compliance
SarbanesOxley
PIIriskassessment
CaliforniaSB1386
eDiscovery
Pendinglitigation
Responsiveproduction
Forensicpreservation
Information Security
Compromiseofsystemintegrity
Policyreview
Unauthorizeduse
Forensiclabimplementation
Index
6
64-Bit EnCase Servlet 19
A
Acquiring 193
53, 215
Acquiring a DriveSpace Volume 227
Acquiring a Local Drive 209
Acquiring a Palm Pilot 215
Acquiring Device Configuration Overlays
(DCO) and Host Protected Areas (HPA) 53,
210
Acquiring Disk Configurations 221
Acquiring Firefox Cache in Records 228
Acquiring in Windows Without a FastBloc Write
Blocker 213
Acquiring Non-local Drives 219
Acquiring SlySoft CloneCD Images 226
Acquiring Virtual PC Images 226
Acquisition Results Dialog 202
Acquisition Times 219
Acquisition Wizard 194, 366
Add Device 166
Add Device Wizard 182
Add Note Bookmark Dialog 404
Adding a Device 188, 189
Adding a File Viewer to Your EnCase
Application 288, 290
Adding a New File Signature 327
Adding Keywords 340, 343
Adding Partitions 247
Adding Raw Evidence Files 230
Additional WinEn Information 270
After Acquisition Page 195
Alternative Report Method 443
America Online .art Files 310
Analyzing and Searching Files 323, 490
AND/OR Filter Logic 135
App Descriptors 372
ASCII 519
Associating Code Pages 471
Associating the File Viewer's File Types with the
Viewer 288, 291
Authentication 381
Auto Fit 76
Auto Fit All Columns 125
B
Bookmark 519
Bookmark Content Data Types 400
Bookmark Data Dialog for Files 406
Bookmark Data Dialog for Highlighted Data
Bookmarks 400
Bookmark Editing Dialogs 417
Bookmark Features 399
Bookmark Folder Information/Structure Dialog
405
Bookmark Reports and Reporting 428
Bookmarking an Image 315
Bookmarking Items 358, 395
Bookmarking Non-English Language Text 469
Bookmarks Overview 395
Booting the Restored Hard Drive 254
Browse for Folder Dialog 159, 161
Building a Package 503
Burn 519
C
Canceling an Acquisition 209
Case Backup 154
Case File 519
Case File Format 153
Case File Time Zones 169
Case Management 151, 152
Case Options Page of the New Case Wizard
166
Case Options Tab 32
Case Processor 485
Case Processor Modules 487
Case Related Features 156
CD-DVD Inspector File Support 226
Changing Filter Order 135
Changing Report Size 440
Checksum 519
Choose Devices Page of the Add Device Wizard
187
Choosing Database Sources 257
Cleaning an EDB Database 300
Clearing the Invalid Image Cache 317
Close Case 175
Cluster 519
Code Page 519
Color Tab 35
COM Folder EnScript Code 492
Combining Filters 134
Command Line Options 267
545
Completing the After Acquisition Page of the

Acquisition Wizard 205
Completing the Choose Devices Page 192
Completing the Destination Page 286
Completing the File Selection Page 285
Completing the Options Page 286
Completing the Options Page of the Acquisition
Wizard 208
Completing the Preview Devices Page 192
Completing the Search Page of the Acquisition
Wizard 206
Completing the Sessions Sources Page 191
Completing the Sources Page 190
Compound File 519
Compound Files 489
Comprehensive Internet History Search 350
Computer Forensics 520
Concurrent Case Management 152
Conditions 138
Configuration File 269
Configuration File Notes 270
Configuring Interface Elements to Display NonEnglish Characters 460
Configuring Non-English Language Support
459
Configuring the Keyboard for a Specific NonEnglish Language 461
Configuring Your EnCase Application 30
Configuring Your Linux Distribution 47
Connection 520
Contract All 117
Copy 148
Copy and Unerase Features 275
Copy Folders Dialog 282, 288
Copy/UnErase 64
Copy/UnErase Wizard 276
Copying a Table Entry into a Folder 425, 426
Copying and Unerasing Bookmarks 286
Copying and Unerasing Files 284
Copying and Unerasing Files and Folders 275
Copying Folders 287
Create a Hash Set 336
Create an App Descriptor with an EnScript
Program 374
Create License Dialog 501
Create Logical Evidence File Wizard 239
Creating a Bookmark 407, 415
Creating a Datamark as a Bookmark 415
Creating a File Group Bookmark 412
Creating a Filter 130
546
GuidanceSoftware
Creating a Folder Information/Structure

Bookmark 410
Creating a Highlighted Data Bookmark 408
Creating a License 503
Creating a LinEn Boot Disc 46, 514
Creating a Log Record Bookmark 413
Creating a Logical Evidence File 242
Creating a Notable File Bookmark 411
Creating a Notes Bookmark 409, 415
Creating a Package 502
Creating a Report Using Case Processor 449
Creating a Report Using the Report Tab 437
Creating a Snapshot Bookmark 414
Creating a Webmail Report 442
Creating an Additional Fields Report 447
Creating and Defining a New Text Style 463
Creating Conditions 139
Creating Global Keywords 339
Creating International Keywords 342
Creating Non-English Keywords 465
CREDANT Encryption Support (File-Based
Encryption) 384
CREDANT Encryption Support (Offline
Scenario) 387
Customer Service 534
Customizing a Report 415, 428, 430
Cyclical Redundancy Check (CRC) 520
D
Datamarks 399
Dates 402
Decrypted Block 320
Deleting a Filter 137
Deleting Items 128, 357
Deleting Partitions 249
Destination Page of the Copy/UnErase Wizard
281
Determining Local Mailbox Encryption 318
Device Configuration Overlay (DCO) 520
Disabling Microsoft Windows Vista User
Account Control 41
Disk Configuration Set Acquired as One Drive
224
Disk Configurations Acquired as Separate Drives
225
Disk Encryption Support 378
Disk Slack 520
Displaying Expanded Tree Entry Information
119
Displaying Tree Entry Information for One

Branch 118
Document Incident 476
Doing a Crossover Cable Preview or Acquisition
55
Doing a Drive-to-Drive Acquisition Using LinEn
51
Doing a Typical Acquisition 194
Dynamic Disk 223
E
Edit Bookmark Folder Dialogs 422
Edit Datamarks Dialog 421
Edit Folder Dialog 423
Edit Folder Information/Structure Bookmarks
Dialog 419
Edit Highlighted Data Bookmarks Dialog 418
Edit Log Record Bookmarks Dialog 421
Edit Menu 63
Edit Notable File Bookmarks Dialog 420
Edit Note Bookmarks Dialog 419
Edit SAFE Dialog 162
Edit Snapshot Bookmarks Dialog 420
Editing a Bookmark 415, 416
Editing a Filter 131
Editing a Package 503
Editing a Signature 328
Editing Conditions 141
EFS Files and Logical Evidence (LO1) Files
393
Email Report 441
Enabling or Disabling Entries in the Report
438, 448
Enabling the Forensic Administrator Role on the
CREDANT Server 389
EnCase Evidence Files 178
19
EnCase Forensic 520
Encode Preview 358
Encrypted Block 319
Encryption 520
Encryption Support 375
EnScript Analysis 473, 474
EnScript Debugger 493
EnScript Example Code 492
EnScript File Mounter 496
EnScript Help 498
EnScript Programming Language 333
EnScript Programs Shortcut Submenu 510
EnScript Tab 38
GuidanceSoftware
EnScript Types 334, 498

EnScript Language 520
Entering Non-English Content without Using
Non-English Keyboard Mapping 462
Enterprise EnScript Programs 180, 475
Error Handling 270
Evidence File 520
Evidence File Time Zones 170
Examiner 520
Exchange Server Synchronization 299
Exclude File Bookmarks 431
Exclude Files 128, 355, 357
Exclude Folder 432
Excluding Bookmarks 431
Excluding Search Hits 127
Expand All 116
Export Folder 520
Export Keywords 345
Export to *.msg 370
Exporting a Machine Profile from the SafeBoot
Server 380
Exporting a Report 448
Exporting Conditions 144
Exporting Filters 137
Exporting to *.msg 370
Extracting Email 366
F
FastBloc 521
FAT, HFS and CDFS Time Zone Specifics 172
File Allocation Table (FAT) 521
File Group Bookmarks 397
File Hashing 335
File Menu 62
File Mounter 488
File Selection Page of the Copy/UnErase Wizard
277
File Signature 521
File Signatures 324
File Signatures with Suffixes 325
File Slack 521
File Viewer Features 288
File Viewers 288
Filter Pane 521
Filter Pane Menu 76
Filtering Effects in Table Pane 94
Filters 129
Filters Pane 93
Filters Pane Menu 105
Find 148
Fitting Columns to Data 125
547
Folder Information/Structure Bookmarks 397

Font 521
Fonts Tab of the Options Dialog 36
Forensic EnScript Code 484
G
Gallery Tab 146, 314
General Time Zone Notes 172
Generating an Index 362
Generating Reports on the Database 262
Getting Ready to Acquire the Content of a
Device 180
Global Tab 33
Globally Unique Identifier (GUID) 521
Glossary of Terms 517
Goto 148
GREP 521
GUID 521
Guidance Software 527
H
Hardware Disk Configuration 224
Hash 522
Hash a New Case 335
Hash Analysis 334
Hash Sets 336, 522
Hashing 236
Hashing the Subject Drive Once Previewed or
Acquired 237
Hashing the Subject Drive Using LinEn 57,
236
Help for EnScript Modules 495
Help Menu 78
Hexadecimal 522
Hiding Columns 124
Highlighted Data Bookmarks 396
Host Protected Area (HPA) 522
I
If the Restored Disk Does Not Boot 255
Import Keywords 345
Importing Conditions 143
Importing Filters 137
Include EnScript 497
Included Enscript Components 333
Increasing the Number of Images Per Row 316
Index 522
Index Case 490
Indexing 152, 360
Indexing a Case 152
548
GuidanceSoftware
Individual Panes 88
Initializing the Database 256
Installed Files 25
Installing EnCase Forensic 21
Installing Security Keys 29
Installing the Examiner 23
Integers 402
Internet History Searching 350
Internet Protocol Address (IP) 522
Internet Report 442
Internet Searching 351
Introduction 15, 45
K
Keyword 522
Keyword Searches 339
Keyword Tester 343
L
Leaving Console Mode 218
LEF EFS Encryption Enhancement 17
Legal Notification 527
LinEn Set Up Under Red Hat 48
LinEn Set Up Under SUSE 48
LinEn Utility 522
Live Device and FastBloc Indicators 181
Local Keywords 345
Locally Encrypted NSF Parsing Results 321
Log Record Bookmarks 398
Logical Evidence File 523
Logical Evidence Files 178, 238
Logical Restore 254
Logon Wizard 157
Logon Wizard Users Page 158
Lotus Notes Local Database Encryption 18
Lotus Notes Local Encryption Support 317
M
Machine Survey Servlet Deploy 478
Maintaining the Database 257
Malware 523
Manually Create App Descriptor 373
Minimum Requirements 22
Mode Selection 54
Modifying Case Related Settings 167
Modifying the Table Pane 122
Modifying the View Pane 148
Mount, Mounting 523
Mounting Compound Files 490
Moving a Table Entry into a Folder Using the

Right-Click Drag Method 425, 427
Moving a Table Entry or Folder into a Folder
Using the Drag Method 428
N
Navigating the EnCase Interface 59
Navigating the Tree Pane 115
Network Tree 523
New Case Wizard 164
New Features 17
New File Viewer Dialog 289
New Package Dialog 499
New Technology File System (NTFS) 523
New Text Styles Dialog 456
New Text Styles Dialog Attributes Tab 456
New Text Styles Dialog Code Page Tab 458
Node 523
Non-English Language Features 453
Notable File Bookmarks 397, 523
Notes Bookmarks 397
NSF Encryption Support 376
NTFS 523
NTFS Compressed Files 314
O
Obtaining a Linux Distribution 48
Obtaining Updates 30
Open a Case 173
Opening and Closing Folders with
Expand/Contract 116
Opening the Acquisition Wizard 203
Options 514
Options Page 200
Options Page of the Copy/UnErase Wizard 279
Organizing Bookmarks 425
Overview 177
Overview of Case Structure 151
P
Package Features 498
Package Panel 499
Packages 498
Pane 523
Pane Features 86
Pane Tab Bar and Pane Tab Bar Menu 87
Panes 82
Panes and their Specific Tabs 98
Panes as Separate Windows 84
Panes in the Analysis Cycle 83
GuidanceSoftware
Parsing a Locally Encrypted Mailbox 318

Performing a Crossover Cable Preview or
Acquisition 219
Performing a Drive-to-Drive Acquisition Using
LinEn 213
Performing a Search 352, 366
Performing a Signature Analysis 329
Performing Acquisitions with LinEn 49
Physical Disk Emulator (PDE) 523
Physical Restore 251
Physical vs. Logical Restoration 250
Picture 401
Port 523
Preparing the Target Media 250
Preview Devices Page of the Add Device Wizard
189
Previewing 181
Previewing the Content of a Device 182
Professional Services 535
Prompt for Value 270
Properties Panel 500
Q
Queries 145
Querying an Index Using a Condition 361
Querying the Index for Non-English Content
468
Quick Entry Report 446
Quick Snapshot 481
R
RAID-10 226
Raw Image Files 179
Reacquiring an Evidence File 229
Reacquiring Evidence 229
Rebuild a Hash Library 338
Recover Folders on FAT Volumes 244
Recovering a Database 301
Recovering Folders 243
Recovering Folders from a Formatted Drive
246
Recovering NSF Passwords 377
Recovering NTFS Folders 244
Recovering Partitions 246
Recovering UFS and EXT2/3 Partitions 246
Reducing the Number of Images Per Row 316
Redundant Array of Independent Disks (RAID)
524
Reference Manuals and Release Notes 528
Regular Expression 524
549
Reinstalling the Examiner 28

Remote Acquisition 231
Remote Acquisition Monitor 233, 481
Repairing a Database 302
Report Multiple Files 439
Report Single Files 438
Reporting 437
Resetting Columns 125
Restoring Evidence 250
Role Page of the New Case Wizard 165
Root 524
Running a 32-bit Application on a 64-bit
Platform 43
Running a Filter 132
Running a Package 504
Running Conditions 142
Running WinEn 267
S
S/MIME Encryption Support 389
SAFE Page of the Logon Wizard 160
SAFE Right-Click Menu 160
SafeBoot Encryption Support (Disk Encryption)
381
SafeBoot Setup 379, 380
Saving a Case 174
Saving a Case and the Global Application Files
174
Saving a Case With a New Name or New
Location 174
Scan Local Machine 490
Search Hits Report 444
Search Options 352
Search Page 197
Searching Email 366, 368
Searching Entries for Email and Internet
Artifacts 347
Searching for Email 364, 366
Searching Selected Items 368
Sector 524
Secure Authentication For EnCase (SAFE) 524
Security Key 524
Selecting Tree Entries for Operations 120
Send to HBGary Responder EnScript 19
Send To HBGary Responder EnScript 504
Servlet 524
Sessions Sources Page of the Add Device
Wizard 185
Setting a Lock on Columns 126
550
GuidanceSoftware
Setting Time Zone Options for Evidence Files

171
Setting Time Zones Settings for Case Files 170
Setting Up the Storage Machine 234
Setup for a Drive-to-Drive Acquisition 50
Sharing Configuration Files 40
Show Deleted Files 358
Show Excluded 434
Show Excluded Files 356
Showing Columns 123
Signature 524
Signature Analysis 146, 314, 324
Signature Analysis Legend 332
Single Files 179
Slack 524
Snapshot 524
Snapshot Bookmarks 398
Snapshot Differential Report 482
Snapshot to DB Module Set 18, 255
Software RAID 221
Sorting a Table 92
Sources Page 240
Sources Page of the Add Device Wizard 183
Specifying and Running an Acquisition 204
Specifying Database Content 261
Spyware 524
Status Line 96
Steganography 525
Storage Paths Tab 39
Styles 403
Subject 525
Support 528
Supported Encryption Algorithms 387
179
Supported SafeBoot Encryption Algorithms
384
Swap File 525
Sweep Enterprise 483
System Menu 61
T
Tab Right-Click Menu 88
Table Pane 91, 525
Table Pane Menu 72
Table Pane Tabs 99
Table Tab Columns 102, 123
Technical Support 529
Temp Folder 525
Testing a Non-English Keyword 467
Testing an EDB File 301

Text 401
Text Styles 455
The Console Tab 114
The Details Tab 114
The Doc Tab 111
The EnCase Installer 21
The Filter Pane and its Tab Bar and View Menu
75
The Hex Tab 110
The Main Window 60
The Options Dialog 154, 514
The Options Dialog Font Tab 454
The Output Tab 115
The Outputs Page of the Create Logical
Evidence File 241
The Picture Tab 112
The Report Tab 113
The Table Pane and its Tab Bar and View Menu
71
The Text Tab 109
The Transcript Tab 112
The Tree Pane and its Tab and Sub-Tab Menus
70
The View Pane and its Tab Bar and View Menu
73
Time Zone Example 173
Time Zone Settings 168
Timeline Tab 147
Toolbar 80, 508
Tools Menu 77, 509
Training 534
Tree Pane 89, 525
Tree Pane Tabs 99
Troubleshooting Security Keys 29
Turning Filters Off 136
Turning On Encode Preview 358
Types of Acquisitions 193
Types of Entries 178
U
Unicode 525
Unicode Fonts 455
Uninstalling the Examiner 26
Updating the Database 258
Users Right-Click Menu 158
Using a Case 167
Using a Folder to Organize a Bookmarks Report
415, 424, 425
Using a Package 502
Using a Write Blocker 210
GuidanceSoftware
Using Bookmarks 415

Using EnCase Tools 507
Using LinEn 45
Using Snapshots 180
Using the Dixon Box 121
Using the Snapshot DB Reports Dialog 264
V
Validating Parity on a RAID-5 226
Verifying Evidence Files 513
View Menu 66
View Pane 96, 292, 525
View Pane Menu 74
View Pane Tabs 106
Viewer File Type Dialog 289
Viewing a Bookmark on the Table Report Tab
415, 428, 429
Viewing a Bookmark Report 440
Viewing Attachments 367, 368
Viewing Base64 and UUE Encoded Files 312
Viewing Compound Files 293
Viewing Compressed Files 298
Viewing Fewer Columns 146
Viewing Fewer Rows 147
Viewing File Content 273
Viewing File Structure 293
Viewing Files 274
Viewing Hash Search Results 338
Viewing Lotus Notes Files 299
Viewing Macintosh .pax Files 307
Viewing More Columns 146
Viewing More Rows 147
Viewing MS Exchange Files 299
Viewing MS Outlook Email 306
Viewing Non-Unicode Files 471
Viewing Office 2007 Documents 310
Viewing OLE Files 297
Viewing Outlook Express Email 303
Viewing Record Search Hits 354
Viewing Registry Files 295
Viewing Search Hits 355
330
331
Viewing the File Signature Directory 325
Viewing the License for LinEn 46
Viewing Unicode Files 470
Viewing Windows Thumbs.db 309
Virtual File System (VFS) 525
Virtual Machine 526
551
Vista Examiner Support 40

VMWare 526
W
Web Mail Parser 365
Webmail Parser 491
When to use a Crossover Cable 219
Windows 403
Windows NT - Software Disk Configurations
222
Windows-based Acquisitions with a nonFastBloc Write Blocker 213
Windows-based Acquisitions with FastBloc
Write Blockers 211
WinEn 18, 266
Wipe Drive 510
Working with Evidence 177
Working with Non-English Languages 403,
451, 452
Write Blocker 526
552
GuidanceSoftware

EnCase Forensic Version 6.11 User&#39;s Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

EnCase Forensic Version 6.11 User&#39;s Guide

Uploaded by

Copyright:

Available Formats

EnCase Forensic Version 6.

CHAPTER 2 New Features

CHAPTER 3 Installing EnCase Forensic

CHAPTER 4 Using LinEn

CHAPTER 5 Navigating the EnCase Interface

ViewingMoreColumns ....................................................................................................................... 146

CHAPTER 6 Case Management

CHAPTER 7 Working with Evidence

CHAPTER 8 Viewing File Content

ViewingFiles ............................................................................................................................................... 278

CHAPTER 9 Analyzing and Searching Files

SignatureAnalysis ...................................................................................................................................... 328

EnablingtheForensicAdministratorRoleontheCREDANTServer ........................................... 395

CHAPTER 10 Bookmarking Items

Reporting ..................................................................................................................................................... 444

CHAPTER 12 Working with Non-English Languages

WorkingwithNonEnglishLanguages ................................................................................................... 458

CHAPTER 13 EnScript Analysis

CHAPTER 14 Using EnCase Tools

Toolbar ......................................................................................................................................................... 516

CHAPTER 15 Glossary of Terms

CHAPTER 16 Guidance Software

LegalNotification ....................................................................................................................................... 536

EnCase Examiner Support for Microsoft Vista

Send to HBGary Responder EnScript

LEF EFS Encryption Enhancement

Snapshot to DB Module Set

Lotus Notes Local Database Encryption

EnCase Examiner Support for Microsoft Vista

64-Bit EnCase Servlet

Send to HBGary Responder EnScript

Troubleshooting Security Keys

Configuring Your EnCase Application

Vista Examiner Support

Running a 32-bit Application on a 64-bit Platform

The EnCase Installer

Installing the Examiner

Note: C:\Program Files\EnCase6 is the install path default.

Uninstalling the Examiner

Reinstalling the Examiner

Installing Security Keys

Troubleshooting Security Keys

Configuring Your EnCase Application

Case Options Tab

Fonts Tab of the Options Dialog

Storage Paths Tab

Sharing Configuration Files

Vista Examiner Support

Disabling Microsoft Windows Vista User Account Control

Running a 32-bit Application on a 64-bit Platform

Viewing the License for LinEn

Configuring Your Linux Distribution 48

Viewing the License for LinEn

Creating a LinEn Boot Disc

Configuring Your Linux Distribution

Obtaining a Linux Distribution

LinEn Set Up Under SUSE

LinEn Set Up Under Red Hat

Performing Acquisitions with LinEn

Setup for a Drive-to-Drive Acquisition

Doing a Drive-to-Drive Acquisition Using LinEn

Acquiring a Disk Running in Direct ATA Mode

Doing a Crossover Cable Preview or Acquisition

Hashing the Subject Drive Using LinEn

EnCase Forensic Version 6.11 User's Guide

EnCase Forensic Version 6.11 User's Guide