Professional Documents
Culture Documents
Certification Background
The EnCase Certified Examiner program was created to meet the requests of EnCase users as well as to provide a recognized level of competency for the examiner. While many different certifications exist, the EnCE provides an additional level of certification and offers a measure of professional advancement and qualifications. Certain qualifications must be met to enter the certification process. An application and a detailed explanation can be found at:
http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm
The cost is USD 200.00 US and Canada, and USD 225.00 International payable by credit card, check, or purchase order. The certification program does not generate profits for Guidance Software; the testing fee covers the cost of the written test provided by ExamBuilder. Once payment has been received and processed, the certification coordinator will email testing instructions to you. The certification process addresses both EnCase software (EnCase) and general areas of computer forensics. It involves a written test consisting of 180 questions (174 for international candidates; no legal questions). Two hours are provided to complete the written exam, which is true/false and multiple choice. Once the Phase I results are received, the certification coordinator will ship the Phase II exam to you at the address you provided on your application. You will be notified via email when your package has been shipped. If you fail the Phase I test, you will be required to wait two (2) months from the date the test was taken to be issued a new voucher and re-test. In your Phase II package you will receive a compact disc that has a certification version of EnCase Forensic, evidence files, and objectives or issues you must address. You must work the case, compile your report, and then send the report to Guidance Software for review and grading within 60 days. If you do not finish the Phase II in the time allotted, you will be required to wait two (2) months from the date that the test was due and restart from the beginning.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Submit the completed application to the EnCE certification coordinator at the address provided. Once your application has been received and accepted, you will be provided with a voucher to enroll in Phase I of the testing process.
ExamBuilder
o o
ExamBuilder provides online testing services available at all times. Once you receive email instructions from the certification coordinator, visit the ExamBuilder website at https://testing.exambuilder.com/ to enroll in the Phase I testing process. Follow the instructions for log in and complete the enrollment form. If you have questions about the enrollment process, contact the Guidance Software certification coordinator at (626) 229-9191, ext. 513 or certification@guidancesoftware.com
This course is designed for EnCase users preparing for certification. The certification is based upon the skills and knowledge presented in Guidance Softwares EnCase Computer Forensic I and EnCase Computer Forensic II courses. The EnCE Prep course is not intended to be a replacement for these two classes; instead it is a thorough but accelerated review of the covered subjects. Students cannot waive or substitute the prerequisite attendance of Guidance Softwares EnCase Computer Forensics II course when applying to attend the EnCE Preparation course. The Phase I written examination will be administered on the final afternoon of the course in a monitored, timed environment.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
The examination will be administered only at Guidance-owned sites in Los Angeles, Chicago, Houston, Washington DC, and London; Authorized Training Partners cannot conduct the test as part of this course. Complete details for this course can be found at:
http://www.guidancesoftware.com/computer-forensics-training-encase-ence.htm
CEIC
o o
Registered attendees at our annual CEIC conference may elect to take the Phase I test at no additional charge during the conference. All requirements must be met prior to attending CEIC. Anyone interested in taking the Phase I test at CEIC must fill out an application and return it to the certification coordinator via fax, email, or mail one (1) month prior to the conference. Only those who have preregistered and been approved will be admitted to take the Phase I test at CEIC. Please visit www.ceicconference.com for more information.
Attend a minimum of thirty-two (32) credit hours of documented continuing education in computer forensics or incident response to maintain the certification: *
o
The training should either be from Guidance, your agency, or an accredited source. Training should be either in a classroom lab setting or online. Proof of attendance should be provided via a certificate, transcript, or official letter. Earn one (1) credit hour for each classroom hour of training and 1/2 credit hour for each one hour of instruction as a computer forensics or incident response curriculum instructor.
Achieve a computer forensics or incident response related certification within the renewal period. A certificate of completion must be submitted as documentation.
Training and teaching hours may be combined to reach the total 32 hours required. Documentation may be a certificate of completion, official letter from the provider, or transcript.
3
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Attend one CEIC conference within the renewal period. Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE. Register online at http://www.ceicconference.com/Default.aspx. Renewal forms will be available at the registration desk during the conference. Please check the box on the renewal form, and registration will be on file with Guidance Software, Inc. Guidelines for submitting renewal credit for attendance at any other computer forensic conference other than CEIC are:
o o o
Only labs count (seminars or product demos are not considered) Calculate one (1) CPE for every hour in a lab To submit credits please send a copy the conference agenda and indicate the labs attended and how many CPE each one is worth
Please do not submit your renewal documents separately. Keep all certificates together and only send them when you have the requirement fulfilled. When you are ready, send the attached form and any certificates/letters/documents via fax, email, or regular mail. The requirements need to have been met within the renewal period. (i.e., if the renewal date is June 1, 2009, the requirements must have been achieved between June 1, 2007 and June 1, 2009.)
Should your certification expire, you will be required to restart the EnCE process from Phase I. Extensions will not be granted. If you are unsure of your expiration date, please email: certification@guidancesoftware.com Complete renewal details are available at:
http://www.guidancesoftware.com/computer-forensics-training-encep-programapplication.htm
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
E01 File Bit-stream image of the source media written to a file(s). Contains case information as first block. Header is always compressed and is verified through the use of the compression algorithm used. No alteration to case information block can be made. There is no limit to the EnCase evidence file segment size. Content of the evidence file cannot be changed data cannot be added to an existing evidence file.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Backup File (.CBAK) Is created at preset intervals if auto save is enabled and not set to 0 Captures current state of the case
EnCase Configuration Files Contain global changes to the EnCase environment external viewers, hash sets/libraries, signature table. This global environment dictates information/tools available for all cases not case specific. Example EnCase configuration .ini files: o FileSignatures.ini File Signature Table o FileTypes.ini organizes files into groups by extension; determines which viewer to use o Keywords.ini global keywords list o Filters available filters o Viewers.ini installed external viewers File Types table dictates the action that will occur if a user double-clicks on a specific file. External viewers are associated with file extensions through the File Types.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Password +/-, compression, and evidence file segment size The applied filename of the evidence file can be changed, and/or the evidence file(s) can be moved to another location; however EnCase will prompt you to locate the renamed evidence file if it is changed after it is added to a case Individual segments of an evidence file can be verified (Tools Verify Single Evidence File)
Compression does not have an impact on the verification of an evidence file; hash value will remain constant.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
GREP Most Commonly Used Symbols [ ] Square brackets form a set, and the included values within the set have to match a single character [1-9] will match any single numeric value from 1 to 9. Denotes a range such as above.
^ States not [^a-z] = no alpha characters from a to z. + States to repeat the preceding character or set any number of times, but at least once. * States to repeat the preceding character or set any number of times, including zero times.
\x Indicates that the following value is to be treated as a hexadecimal value - \xFF\xD8\xFF ? Means or not joh?n will yield both JOHN and JON You must indicate via the check box that the created expression is a GREP term.
Unicode Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode. Unicode uses two bytes for each character allowing the representation of 65,536 characters.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
10
ASCII and Binary ASCII table is a 7-bit table, and the acronym stands for the American Standard Code for Information Interchange. The resultant 128 values represent alpha/numeric values, common punctuation, and other values. Hexadecimal notation employs two characters to represent one byte. A single byte (8 bits) can represent one of 256 possible values; a nibble (4 bits) can represent one of 16 possible values. The LE indicator within EnCase indicates the number of bytes that have been selected/swept/highlighted. Nibble = 4 bits Byte = 8 bits Word = 2 bytes = 16 Bits Dword = 4 bytes = 32 Bits
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
11
Slack Displayed in EnCase as red text. It is the data from the end of the logical file to the end of the physical file. EnCase also displays FAT directory entries in red text because neither slack nor FAT directories have any logical file size
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
12
Computer Hardware and Systems BIOS Basic Input Output System The BIOS is responsible for the initial checking of the system components and initial configuration of the system once power is turned on. Examiners should access the BIOS and determine the boot sequence as well as the indicated date/time. Depending on the settings, the computer system may or may not attempt to boot from a diskette drive. The BIOS is typically contained within a chip located on the system motherboard, which is the main circuit board within a computer system. Add-in cards video controller, SCSI controller, NIC, etc. SCSI host adapters manage SCSI devices and make them accessible to the OS. RAM Random Access Memory stores data temporarily and is accessible immediately to the OS.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
13
HDDs IDE drives are set for Master/Slave/Cable. Select through jumper pinning on the physical drive. SCSI drives do not maintain Master/Slave settings; rather they are assigned ID numbers, again usually through jumper settings. When employing CHS geometry, the formula for determining the HDD capacity is CxHxSx512. The first sector on every HDD contains the Master Boot Record, and the partition table for the drive is located within this sector for Windows and Linux offset 446-509. The partition table within the MBR can maintain 4 entries, each 16 bytes in length. Each defined partition on a physical HDD will contain a Volume Boot Record as the first sector within the partition. Selecting the Volume Boot sector, right-clicking and choosing Add Partition can recover deleted partitions.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
14
Photograph, external inspection, label connections, internal inspection, disconnect power/data cables from HDD(s), boot with EnCase boot disk or a forensically sound CD with the LinEn utility, and access the BIOS note boot sequence and date/time. Allow boot to continue to confirm drive and diskette function. Power down, attach target and destination (lab) HDDs, and reboot with boot disk. Using an EnCase boot disk will start the computer to the DOS OS. Logical partitions under NT, Linux (EXT2/3), UNIX, and Mac HFS will not be seen as DOS does not understand those file systems. Obtain a physical disk evidence file, and EnCase will resolve the file structure once the E01 file is added to the case.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
15
OS Artifacts Review Recycle Bin functions DC0.TXT, DC1.JPG, etc. On Windows XP/2003 and below, the date/time deleted stems from the INFO record within the Recycle Bin. FAT directory entries in DOS/Windows are 32 bytes in length. Review directory structure parent/child relationships. Review Windows XP/2000 artifact locations: C\Windows\Recent, Desktop, Send To, and Temporary Internet Files. Review LNK files linking a diskette to the computer that wrote to it embedded date/time as well as full path and file name of the target file. Review EMF files, SPL, and SHD files definition and content. BASE64 encoding common to email attachments. Windows 2000 and XP have user personal folders stored under C:\Documents and Settings.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
16
Has the process been tested and subjected to peer review? Does the process/application maintain general acceptance within the related community? Can the findings be duplicated/repeated?
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
17
Examining computer-based evidence with EnCase software (EnCase) Computer Knowledge Good Forensic Practices Legal
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
18
The EnCase Evidence File EnCase Concepts The EnCase Environment Searching File Signature and Hash Analysis
Bit stream image of evidence written to a file Header Case information CRCs (Cyclical Redundancy Check) Data Blocks
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
19
Header Case Information Header is always compressed and is verified through the use of the compression algorithm used Can not be changed after evidence file is created Contains: Case number Examiner name Evidence number Unique description Date/time of computer system clock Acquisition notes Serial number of physical hard drive
Cyclical Redundancy Check 32-bit CRC for (by default) 64 sectors (32 KB) of data If no compression is used Calculated when evidence file is added to case and rechecked every time the data block is accessed Message Digest 5 Hash 128-bit digital signature of all data in evidence file Optional
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
20
Logical file that can be renamed and moved Can be broken into multiple segments with a maximum segment size dependent on the file system to which the evidence file is written Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value Can be password protected and can be reacquired to remove or change password Individual segments can be verified by the CRCs when compression is not used. If compression is used the decompression algorithm is used
2011 Guidance Software, Inc. All Rights Reserved.
Block size can be adjusted to range from 64 to 32768 sectors Error granularity is often used to adjust the writing of data to an evidence file when a read error of the subject media occurs Quick reacquisition is used on an existing evidence file to quickly change file segment size, password +/-, and/or the applied name of the evidence file.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
21
Evidence File Verification Data in the entire evidence file is verified by Verification hash compared to the Acquisition hash value of the original evidence Data in each data block is verified by a CRC when no compression is used Both the MD5 hash and CRCs must match for the evidence file to be verified If any compression is used, the compression algorithm is used to
verify data blocks
2011 Guidance Software, Inc. All Rights Reserved.
EnCase Concepts
P A G E 9
Pointers to evidence files locations on forensic workstation Results of searches and analysis (file signature and hash) Bookmarks Investigators notes
A case file can contain any number of hard drives or removable media A backup file (.cbak) is updated by default every 10 minutes
The case file should be archived with the evidence files as it contains all of the investigators notes
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
22
EnCase Concepts
P A G E 10
The Configuration .ini Files Contain Global Options used for all cases Some configuration .ini files:
FileSignatures.ini File Signature Table FileTypes.ini organizes files into groups by extension; determines which viewer to use Keywords.ini global keywords list Filters.ini available filters Viewers.ini installed external viewers
Separate folders for each case is recommended; use unique directory names Use large capacity, high RPM (revolutions per minute) hard drives with single partition for evidence files Wipe the drive to eliminate any claims or arguments of crosscontamination Give the hard drive a unique label prior to acquisitions to differentiate your drives from the suspects Create default Evidence, Export, and Temp folders for each case
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
23
Temporary Folder
Used to receive files sent to an external viewer Redirect files away from the examiners operating system drive Files in the Temporary folder are deleted when EnCase is shut down properly
Searching
P A G E 13
EnCase for Windows Physical searching is conducted on logical files and the unallocated areas of the physical disk. Logical search will find a word fragmented between two noncontiguous clusters, whereas a physical search will miss the fragmented word.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
24
Searching
P A G E 14
Not set by default. Selecting will limit hits to exact case of words entered. Can be used with GREP and Unicode. Box must be selected for EnCase to use GREP expression, otherwise EnCase will search for the literal entered characters. Can be used with Case Sensitive and Unicode. Selecting this box will enable EnCase to search for keywords in both ANSI and Unicode. Recommended to be selected for most searches. Can be used with GREP and Case Sensitive. Unicode uses two bytes for each character allowing the representation of 65,536 characters.
2011 Guidance Software, Inc. All Rights Reserved.
GREP
Unicode
Searching
P A G E 15
.
\xFFA
A period matches any single character Character represented by its ASCII value in hex. \x09 is a tab. \x0A is a line feed. Both hex digits should be present even if they are 0.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
25
Searching
P A G E 16
GREP
* An asterisk after a character matches any number of occurrences of that character, including zero. For example, john,*smith would match john,smith, john,,smith, and johnsmith. + A plus sign after a character matches any number of occurrences of that character except zero. For example john,+smith would match john,smith or john,,smith, but would NOT match johnsmith. A pound / hash sign matches any numeric character [0-9]. For example ###-#### matches any phone number in the form 327-4323.
(ab) The parentheses allows the examiner to group individual characters together as an AND statement. {m,4} The curly braces state number of times to repeat, i.e. m four times | The pipe is an OR statement and can be used with the parentheses, i.e., (com)|(net)|(org) for the end of an email address.
Searching
P A G E 17
GREP
[]
Characters in brackets match any one character that appears in the brackets. For example smit[hy] would match smith and smity. A circumflex at the start of the string in brackets means NOT. Hence [^hy] matches any characters except h and y.
[^]
[-] A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e, inclusive. \ A backslash before a character indicates that the character is to be treated literally and not as a GREP character.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
26
File Signature Table Stored in the EnCase configuration file, FileSignatures.ini File signatures can be added manually The terms file signature and file header mean the same thing, the standard hex characters at the beginning of a certain file type
File Signature Table Viewers EnCase uses the Viewers.ini file to store external viewer information and the FileTypes.ini file to associate file extensions with external viewers. When the examiner double-clicks on a file, EnCase will copy the file to the Temporary folder and launch the Windows-associated viewer or user-defined external viewer to read the file. The examiner can also right-click on a file and use the Send To feature to send the file to an external viewer.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
27
Extension
LISTED NOT LISTED LISTED LISTED
Comparison
CORRECT N/A INCORRECT INCORRECT
Results Displayed
MATCH UNKNOWN ! BAD SIGNATURE * FILE ALIAS
Hash Sets and Hash Library Hash sets can be built with one file or any number of selected files. The sets contain the hash values of the file(s) in the set. The hash value of a file is computed only from the logical file independent of the file name, time/date stamps, and the slack space of the physical file. The Hash Library is built from selected hash sets. The examiner can exclude specific hash sets to remain within the scope of the examination.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
28
Signature and Hash Analysis File extensions are compared to the file signature (header) according to the File Signature Table. The hash value of each logical file is computed and compared with the Hash Library composed of the selected hash sets. Both analyses can be used to help identify suspect files and/or exclude known or benign files. The results of both analyses are viewed in the Table view.
Computer Knowledge
P A G E 23
Understanding Data and Binary The BIOS Computer Boot Sequence File Systems Computer Hardware Concepts
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
29
Bits and Bytes Bit 1 4 8 16 32 64 = = = = = = Name Bit Nibble Byte Word Dword Qword Binary 1 0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 You get the idea
Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode. Unicode uses two bytes for each character, allowing the representation of 65,536 characters.
2011 Guidance Software, Inc. All Rights Reserved.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
30
The BIOS
P A G E 26
Basic Input/Output System The BIOS checks and configures the computer system after power is turned on. The BIOS chip is usually found on the motherboard. The BIOS should be checked during each examination of a computer to check the boot sequence and settings of the internal clock.
Power Button
Add-in cards such as SCSI drive controller cards can have a BIOS on the card that loads at this time. These BIOS normally detect devices and load information into the BIOS data area in RAM.
The BIOS immediately runs POST and then prepares the system for the first program to run.
BIOS
POST
POST (Power On Self Test) checks the system board, memory (RAM), keyboard, floppy disk, hard disk, etc., for presence and reliability.
A special RAM BIOS data area of 256 bytes contains the results of the system check identifying the location of attached devices.
Boot Sequence?
2011 Guidance Software, Inc. All Rights Reserved.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
31
A:
Boot Sequence?
C:
Master Boot Record
Present?
Yes
Boot Record
Boot Record?
No
Io.sys
Yes
Io.sys Msdos.sys Optional Config.sys Command.Com Autoexec.bat
Msdos.sys
Config.sys
Command.Com
Autoexec.bat
File Systems
P A G E 29
File Allocation Table FAT tracks File fragmentation All of the addressable clusters in the partition Clusters marked bad Directory records File name Date/time stamps (Created, Accessed, Written) Starting cluster File logical size A directory (or folder) is a file with a unique header and a logical size of zero
2011 Guidance Software, Inc. All Rights Reserved.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
32
File Systems
P A G E 30
Name
. ..
Directory Entry
File Systems
P A G E 31
Directory Entry
Name MyNote.TXT Picture1.GIF Picture2.JPG Job Search.DOC Report.DOC Personal Letter.DOC Cluster 1000 1002 1004 24888 79415 88212 Length 952 890 5000 11000 34212 10212
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
33
File Systems
P A G E 32
2 EOF
3 EOF
4 EOF
5 EOF
6 EOF
7 EOF
1000 EOF
1001 0
1002 EOF
1003 0
1004 1005
1005 EOF
FAT
P A G E 33
When a file is deleted from a FAT system 1st character of directory entry changed to E5h FAT entry values change from allocated to unallocated (0) No effect on the data within the clusters When EnCase virtually undeletes a file Directory entry read
Obtains starting extent, logical size Obtains number of clusters by dividing logical size by bytes
per cluster
FAT examined to determine if starting cluster/extent is in use If starting extent is in use, EnCase deems this file to be Deleted/Overwritten
2011 Guidance Software, Inc. All Rights Reserved.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
34
File Systems
P A G E 34
File Allocation Table FAT 16 2 ^ 16 = 65,536 total allocation units available (clusters) FAT 32 2 ^ 28 = 268,435,456 total allocation units 4 bits are reserved by Microsoft Two copies of the FAT are stored for backup purposes. A cluster is composed of multiple sectors. A sector contains 512 user addressable data bytes.
NTFS
P A G E 35
Master File Table (MFT) administratively documents all files/folders on NTFS volume MFT comprised of records 1024 bytes each MFT grows but doesnt shrink At least one MFT record is allocated to each file and folder on volume Bitmap file documents if clusters are allocated or unallocated Two types of files: Resident and Nonresident
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
35
NTFS
P A G E 36
Resident files Data resides within MFT record for file Data does not begin at the beginning of a sector/cluster Logical size = physical size Nonresident files Data not within MFT Record MFT record houses pointers to clusters storing file Pointers in the form of a data run Both types of files may be hashed as long as logical size is greater than 0
File Systems
P A G E 37
File Slack
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
36
Slack Space
P A G E 38
File slack is comprised of drive slack and RAM slack Drive Slack Data that is contained in the remaining sectors of a logical file that
are not a part of the current logical file. A logical file of 10 bytes stored in a 4-sector cluster will have 3 sectors of drive slack.
RAM Slack Data from the end of the logical file to the end of that sector. The
10-byte file from above will have 502 bytes of RAM slack in the same sector that contains the logical data.
Slack Space
P A G E 39
RAM slack is zeroed out prior to writing it to the drive in Windows 95B and newer
In Windows 95A and older RAM slack will contain actual data from RAM and it will be stored on the drive with the file
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
37
The computer chassis or case is often incorrectly referred to as the CPU The CPU is the Central Processing Unit installed on the motherboard Also installed on the motherboard are the Random Access Memory, the Read Only Memory, and add-in cards such as video cards, Network Interface Cards (NIC), Small Computer System Interface (SCSI) cards Integrated Drive Electronics (IDE) hard disk drives can be attached directly to the motherboard with a ribbon cable SCSI hard disk drives require a controller card on the motherboard
Geometry of hard drives Cylinder/Heads/Sectors (older drives) C x H x S x 512 bytes per sector = total bytes Logical Block Addressing Total number of sectors available x 512 bytes = total bytes Master Boot Record Volume Boot Record Partition Tables Partition Recovery
2011 Guidance Software, Inc. All Rights Reserved.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
38
First Response
P A G E 43
Take down the system whether pull plug or shut down depends on circumstances Shut Down if UNIX/Linux or Server Pull Plug it depends on circumstances
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
39
First Response
P A G E 44
Forensic Boot Floppy/CD/Thumb Drive Appropriate applications Drivers for SCSI, NIC cards, etc. Modified files command.com io.sys drvspace.bin if not removed, will mount a compressed drive
space volume
First Response
P A G E 45
Onsite Triage FastBloc Fastest Gallery view, hash/file signature analysis, logical and physical
searches with GREP, copy/unerase, EnScript modules, etc.
Network Cable Preview Fast Gallery view, hash/file signature analysis, logical and physical
searches with GREP, copy/unerase, EnScript programs, etc.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
40
Computer Forensic Examiner Must be trained Must use best forensic practices available Must avoid damaging or altering evidence Should test and validate computer forensic tools and techniques prior to using them on original evidence
File Systems Supported by EnCase FAT 12, 16, 32 NTFS EXT2/3 (Linux) Reiser (Linux) UFS (Solaris) CDFS (Joliet, ISO9660, UDF) DVD Macintosh HFS/HFS+, Mac OS X (BSD) HP-UX Etc
NOTE: Only FAT partitions will be viewable if booted in DOS environment.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
41
File Systems Supported by EnCase If the file system is not supported by EnCase, the examiner can still conduct a physical text search, run EnScript programs for file headers and footers, etc. The examiner can also restore the physical drive to a drive of equal or larger size. The restored drive is verified by the MD5 Hash. A volume may also be restored to a partition containing the same file system. Restored image is verified by the MD5 hash value.
Laboratory Procedures Cross contamination Wipe lab examination drives Use EnCase case management methodology Chain-of-Custody Controlled access to lab area Evidence locker or depository Storage Clean, temperature-controlled environment Portable electronic devices may lose battery power erasing all data
2011 Guidance Software, Inc. All Rights Reserved.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
42
Recycle Bin and Info2 file FAT/NTFS Directory Entries and Structure Windows Artifacts
Recent Link Files Desktop Send To Temp Internet Explorer history, cache, favorites, cookies Enhanced MetaFiles; Print Spooler 2000/XP C:\Documents and Settings
Windows Artifacts (continued) Registry files global and user account specific Swap file Hibernation/Standby file Thumbs.DB Restore Point
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
43
Legal Issues
P A G E 52
Best Evidence Rule A printout of data stored in a computer can be considered as an original under the Federal Rules of Evidence if it is readable by sight and accurately reflects the stored data Compression of acquired data does not affect admissibility under the Best Evidence Rule If original evidence must be returned to the owner, the forensic image could be considered the Best Evidence
Legal Issues
P A G E 53
Daubert/Frye Legal test to determine if a scientific or technical process Elements of Daubert Has the process been tested and subject to peer review? Does the process enjoy general acceptance in the related community? Can the findings be duplicated or repeated? Commercially available software has a greater opportunity for peer review, testing, and validation
2011 Guidance Software, Inc. All Rights Reserved.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
44
Copyright 2010 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
45