EnCase ® Computer Forensics

The Official EnCE ® : EnCase Certified Examiner

Study Guide Third Edition

EnCase ® Computer Forensics

The Official EnCE ® : EnCase Certified Examiner

Study Guide Third Edition

Steve Bunting

Senior Acquisitions Editor: Jeff Kellum Development Editor: David Clark Technical Editors: Jessica M. Bair and Lisa Stewart Production Editor: Eric Charbonneau Copy Editor: Kim Wimpsett Editorial Manager: Pete Gaughan Production Manager: Tim Tate Vice President and Executive Group Publisher: Richard Swadley Vice President and Publisher: Neil Edde Media Project Manager 1: Laura Moss Hollister Media Associate Producer: Doug Kuhn Media Quality Assurance: Marilyn Hummel Book Designer: Judy Fung Compositor: Craig Johnson, Happenstance Type-O-Rama Proofreaders: Jen Larsen and James Saturnio, Word One New York Indexer: Ted Laux Project Coordinator, Cover: Katherine Crocker Cover Designer: Ryan Sneed

Copyright © 2012 by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-90106-9

ISBN: 978-1-118-21940-9 (ebk.)

ISBN: 978-1-118-05898-5 (ebk.)

ISBN: 978-1-118-21942-3 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permit-ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions .

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or war-ranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com . For more information about Wiley products, visit www.wiley.com .

Library of Congress Control Number: 2012941757

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. EnCase and EnCE are registered trademarks of Guidance Software, Inc. for all such names used in the manual. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1

Dear Reader,

Thank you for choosing EnCase Computer Forensics—The Offi cial EnCE : EnCase Certifi ed Examiner Study Guide, Third Edition. This book is part of a family of premium-quality Sybex books, all of which are written by outstanding authors who combine practi-cal experience with a gift for teaching.

Sybex was founded in 1976. More than 30 years later, we’re still committed to producing consistently exceptional books. With each of our titles, we’re working hard to set a new standard for the industry. From the paper we print on to the authors we work with, our goal is to bring you the best books available.

I hope you see all that refl ected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com . If you think you’ve found a technical error in this book, please visit http://sybex .custhelp.com . Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde Vice President and Publisher Sybex, an Imprint of Wiley

To Donna, my loving wife and partner for life, for your unwavering love,

encouragement, and support.

Acknowledgments Any work of this magnitude requires the hard work of many dedicated people, all doing what they enjoy and what they do best. In addition, many others have contributed indirectly, and without their efforts and support, this book would not have come to fruition. That said, many are people deserving of my gratitude, and my intent here is to acknowledge them all.

I would like to fi rst thank Maureen Adams, former Sybex acquisitions editor, who brought me on board with this project with the fi rst edition and tutored me on the fi ne nuances of the publishing process. I would also like to thank Jeff Kellum, another Sybex acquisitions editor, for his work on the second edition and most recently the third edition. Jeff guided me through the third edition, trying to keep me on schedule and helping in many ways. I would also like to thank David Clark, developmental editor. David allowed me to concentrate on content while he handled the rest. In addition to many varied skills that you’d normally fi nd with an editor, David has a strong understanding of topic material and has himself written in the technical fi eld, which helped in so many ways. In addition, with several hundred screen shots in this book to mold and shape, I know there is a graphics department at Sybex deserving of my thanks. To those folks, I say thank you.

A special thanks goes to Jessica M. Bair of Guidance Software, Inc. In addition to being a friend and mentor of many years, Jessica was the technical editor for the fi rst edition and again for the third addition. She worked diligently, making sure the technical aspects of both editions are as accurate and as complete as possible.

I would also thank Lisa Stewart, also of Guidance Software, Inc. Lisa is also a friend and colleague of many years. She reviewed the fi nal material for technical accuracy and, as usual, did a superb job of catching those fi nal details and keeping things as accurate as humanly possible.

The study of computer forensics can’t exist within a vacuum. To that extent, any indi-vidual examiner is a refl ection and product of their instructors, mentors, and colleagues. Through them you learn, share ideas, troubleshoot, conduct research, grow, and develop. Over my career, I’ve had the fortune of interacting with many computer forensics pro-fessionals and have learned much through those relationships. In no particular order, I would like to thank the following people for sharing their knowledge over the years: Keith Lockhart, Ben Lewis, Chris Stippich, Grant Wade, Ed Van Every, Raemarie Schmidt, Mark Johnson, Bob Weitershausen, John Colbert, Bruce Pixley, Lance Mueller, Howie Williamson, Lisa Highsmith, Dan Purcell, Ben Cotton, Patrick Paige, John D’Andrea, Mike Feldman, Mike Nelson, Steve Mahoney, Joel Horne, Mark Stringer, Dustin Hurlbut, Fred Cotton, Ross Mayfi eld, Bill Spernow, Arnie “A. J.” Jackson, Ed Novreske, Steve Anson, Warren Kruse, Bob Moses, Kevin Perna, Dan Willey, Scott Garland, and Steve Whalen. I’d also like to thank my fellow ATA Cyber instructors who have shared their knowledge and friendship over the past few years while we trained law enforcement offi cers together around the world. They are Scott Pearson, Steve Williams, Lance Mueller, Art Ehuan, Nate Tiegland, Gerard Myers, Tom Bureau, and Scot Bradeen. Those who teach, learn.

Every effort has been made to present all material accurately and completely. To achieve this, I verifi ed as much information as possible with multiple sources. In a few instances,

viii Acknowledgments

published or generally accepted information was in confl ict or error. When this occurred, the information was researched and tested, and the most accurate information available was published in this book. I would like to thank the authors of the following publications because I relied on their vast wealth of knowledge and expertise for research and informa-tion verifi cation:

Carrier, Brian. File System Forensic Analysis . Boston: Addison-Wesley, 2005.

Carvey, Harlan. Windows Forensics and Incident Recovery . Boston: Addison-Wesley, 2005.

Carvery, Harlan. Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry . Burlington: Syngress, 2011.

Carvey, Harlan. Windows Forensic Analysis Including DVD Toolkit . Burlington: Syngress Publishing, 2007.

Carvey, Harlan. Windows Forensic Analysis Toolkit , Third Edition: Advanced Analysis Techniques for Windows 7 . Burlington: Syngress Publishing, 2012.

Hipson, Peter. Mastering Windows XP Registry . San Francisco: Sybex, 2002.

Honeycutt, Jerry. Microsoft Windows XP Registry Guide . Redmond, WA: Microsoft Press, 2003.

Kruse, Warren G. II, and Jay G. Heiser. Computer Forensics: Incident Response Essentials . Boston: Addison-Wesley, 2002.

Mueller, Scott. Upgrading and Repairing PCs , 17th Edition. Indianapolis, IN: Que Publications, 2006.

These books are valuable resources and should be in every examiner’s library. In addition to these publications, I relied heavily on the wealth of information contained in the many train-ing, product, and lab manuals produced by Guidance Software. To the many staff members of Guidance Software who have contributed over the years to these publications, I extend my most grateful appreciation.

Last, but by no means least, I would like to acknowledge the contributions by my parents and my loving wife. My parents instilled in me, at a very young age, an insatiable quest for knowledge that has persisted throughout my life, and I thank them for it along with a lifetime of love and support. My best friend and loving wife, Donna, encouraged and motivated me long ago to pursue computer forensics. Although the pursuit of computer forensics never ends, without her support, sacrifi ces, motivation, sense of humor, and love, this book would never have been completed.

Thank you, everyone.

About the Author Steve Bunting is a senior forensic examiner for Forward Discovery, Inc. In that capacity, he conducts digital examinations on a wide variety of devices and operating systems. He responds to client sites and carries out incident response on compromised systems. He con-sults with clients of a wide variety of digital forensics and security, as well as electronic dis-covery matters. He develops and delivers training programs both domestically and abroad.

Prior to becoming a senior forensic examiner with Forward Discovery, Steve Bunting served as a captain with the University of Delaware Police Department, where he was respon-sible for computer forensics, video forensics, and investigations involving computers. He has more than 35 years’ experience in law enforcement, and his background in computer foren-sics is extensive.

While with the University Police Department’s computer forensics unit, Bunting con-ducted hundreds of examinations for the University Police Department and for many local, state, and federal law enforcement agencies on an wide variety of cases, includ-ing extortion, homicide, embezzlement, child exploitation, intellectual property theft, and unlawful intrusions into computer systems. He has also testifi ed in court on several occasions as a computer forensics expert.

As an instructor, Bunting has taught several courses for Guidance Software, makers of EnCase, serving as a lead instructor at all course levels, including the Expert Series (Internet and Email Examinations). Also, he has instructed computer forensics students for the University of Delaware and is also an adjunct faculty member of Goldey-Beacom College. Bunting has taught various forensics courses internationally as well as developing and teaching courses for the Anti-Terrorism Assistance Program Cyber Division.

Bunting is a speaker and an author. Besides the previous editions of this book, he also coauthored the fi rst and second editions of Mastering Windows Network Forensics and Investigation .

Some of Bunting’s industry credentials include EnCase Certifi ed Examiner (EnCE), Certifi ed Computer Forensics Technician (CCFT), and Access Data Certifi ed Examiner (ACE). He was also the recipient of the 2002 Guidance Software Certifi ed Examiner Award of Excellence and has a bachelor’s degree in Applied Professions/Business Management from Wilmington University and a Computer Applications Certifi cate in Network Environments from the University of Delaware.

Contents at a Glance

Introduction xxi

Assessment Test xxvii

Chapter 1 Computer Hardware 1

Chapter 2 File Systems 33

Chapter 3 First Response 89

Chapter 4 Acquiring Digital Evidence 119

Chapter 5 EnCase Concepts 199

Chapter 6 EnCase Environment 241

Chapter 7 Understanding, Searching For, and Bookmarking Data 325

Chapter 8 File Signature Analysis and Hash Analysis 435

Chapter 9 Windows Operating System Artifacts 473

Chapter 10 Advanced EnCase 571

Appendix A Answers to Review Questions 653

Appendix B Creating Paperless Reports 667

Appendix C About the Additional Study Tools 681

Index 685

ContentsIntroduction xxi

Assessment Test xxvii

Chapter 1 Computer Hardware 1

Computer Hardware Components 2The Boot Process 14

Partitions 20File Systems 25Summary 27Exam Essentials 27Review Questions 28

Chapter 2 File Systems 33

FAT Basics 34The Physical Layout of FAT 36Viewing Directory Entries Using EnCase 52The Function of FAT 58

NTFS Basics 73CD File Systems 77exFAT 79Summary 83Exam Essentials 84Review Questions 85

Chapter 3 First Response 89

Planning and Preparation 90The Physical Location 91Personnel 91Computer Systems 92What to Take with You Before You Leave 94Search Authority 97

Handling Evidence at the Scene 98Securing the Scene 98Recording and Photographing the Scene 99Seizing Computer Evidence 99Bagging and Tagging 110

Summary 113Exam Essentials 113Review Questions 115

xiv Contents

Chapter 4 Acquiring Digital Evidence 119

Creating EnCase Forensic Boot Disks 121Booting a Computer Using the EnCase Boot Disk 124

Seeing Invisible HPA and DCO Data 125Other Reasons for Using a DOS Boot 126Steps for Using a DOS Boot 126

Drive-to-Drive DOS Acquisition 128Steps for Drive-to-Drive DOS Acquisition 128Supplemental Information About Drive-to-Drive

DOS Acquisition 132Network Acquisitions 135

Reasons to Use Network Acquisitions 135Understanding Network Cables 136Preparing an EnCase Network Boot Disk 137Preparing an EnCase Network Boot CD 138Steps for Network Acquisition 138

FastBloc/Tableau Acquisitions 151Available FastBloc Models 151FastBloc 2 Features 152Steps for Tableau (FastBloc) Acquisition 154

FastBloc SE Acquisitions 163About FastBloc SE 163Steps for FastBloc SE Acquisitions 164

LinEn Acquisitions 168Mounting a File System as Read-Only 168Updating a Linux Boot CD with the Latest Version

of LinEn 169Running LinEn 171Steps for LinEn Acquisition 173

Enterprise and FIM Acquisitions 176EnCase Portable 180Helpful Hints 188Summary 189Exam Essentials 192Review Questions 194

Chapter 5 EnCase Concepts 199

EnCase Evidence File Format 200CRC, MD5, and SHA-1 201Evidence File Components and Function 202New Evidence File Format 206Evidence File Verification 207Hashing Disks and Volumes 215

Contents xv

EnCase Case Files 217EnCase Backup Utility 220EnCase Configuration Files 227Evidence Cache Folder 231Summary 233Exam Essentials 235Review Questions 236

Chapter 6 EnCase Environment 241

Home Screen 242EnCase Layout 246Creating a Case 249Tree Pane Navigation 255Table Pane Navigation 266

Table View 266Gallery View 275Timeline View 277Disk View 280

View Pane Navigation 284Text View 284Hex View 287Picture View 288Report View 289Doc View 289Transcript View 290File Extents View 291Permissions View 291Decode View 292Field View 294Lock Option 294Dixon Box 294Navigation Data (GPS) 295Find Feature 297Other Views and Tools 298Conditions and Filters 298EnScript 299Text Styles 299Adjusting Panes 300Other Views 306Global Views and Settings 306EnCase Options 310

Summary 318Exam Essentials 320Review Questions 321

xvi Contents

Chapter 7 Understanding, Searching For, and Bookmarking Data 325

Understanding Data 327Binary Numbers 327Hexadecimal 333Characters 336ASCII 337Unicode 338

EnCase Evidence Processor 340Searching for Data 352

Creating Keywords 353GREP Keywords 364Starting a Search 373Viewing Search Hits and Bookmarking Your Findings 376Bookmarking 377

Summary 426Exam Essentials 428Review Questions 430

Chapter 8 File Signature Analysis and Hash Analysis 435

File Signature Analysis 436Understanding Application Binding 437Creating a New File Signature 438Conducting a File Signature Analysis 442

Hash Analysis 449MD5 Hash 449Hash Sets and Hash Libraries 449Hash Analysis 462

Summary 466Exam Essentials 468Review Questions 469

Chapter 9 Windows Operating System Artifacts 473

Dates and Times 475Time Zones 475Windows 64-Bit Time Stamp 476Adjusting for Time Zone Offsets 481

Recycle Bin 487Details of Recycle Bin Operation 488The INFO2 File 488Determining the Owner of Files in the Recycle Bin 493Files Restored or Deleted from the Recycle Bin 494Using an EnCase Evidence Processor to Determine

the Status of Recycle Bin Files 496Recycle Bin Bypass 498Windows Vista/Windows 7 Recycle Bin 500

Contents xvii

Link Files 504Changing the Properties of a Shortcut 504Forensic Importance of Link Files 505Using the Link File Parser 509

Windows Folders 511Recent Folder 515Desktop Folder 516My Documents/Documents 518Send To Folder 518Temp Folder 519Favorites Folder 520Windows Vista Low Folders 521Cookies Folder 523History Folder 526Temporary Internet Files 532Swap File 535Hibernation File 536Print Spooling 537Legacy Operating System Artifacts 543Windows Volume Shadow Copy 544Windows Event Logs 549

Kinds of Information Available in Event Logs 549Determining Levels of Auditing 552Windows Vista/7 Event Logs 554Using the Windows Event Log Parser 555For More Information 558

Summary 559Exam Essentials 564Review Questions 566

Chapter 10 Advanced EnCase 571

Locating and Mounting Partitions 573Mounting Files 588Registry 595

Registry History 595Registry Organization and Terminology 596Using EnCase to Mount and View the Registry 601Registry Research Techniques 605

EnScript and Filters 608Running EnScripts 609Filters and Conditions 611

Email 614Base64 Encoding 619EnCase Decryption Suite 622Virtual File System (VFS) 629Restoration 633

xviii Contents

Physical Disk Emulator (PDE) 636Putting It All Together 641Summary 645Exam Essentials 648Review Questions 649

Appendix A Answers to Review Questions 653

Chapter 1: Computer Hardware 654Chapter 2: File Systems 655Chapter 3: First Response 657Chapter 4: Acquiring Digital Evidence 658Chapter 5: EnCase Concepts 659Chapter 6: EnCase Environment 661Chapter 7: Understanding, Searching For, and

Bookmarking Data 662Chapter 8: File Signature Analysis and Hash Analysis 663Chapter 9: Windows Operating System Artifacts 664Chapter 10: Advanced EnCase 665

Appendix B Creating Paperless Reports 667

Exporting the Web Page Report 669Creating Your Container Report 671

Bookmarks and Hyperlinks 675Burning the Report to CD or DVD 678

Appendix C About the Additional Study Tools 681

Additional Study Tools 682Sybex Test Engine 682Electronic Flashcards 682PDF of Glossary of Terms 682Adobe Reader 682Additional Author Files 683

System Requirements 683Using the Study Tools 683Troubleshooting 683

Customer Care 684

Index 685

Table of ExercisesExercise 1.1 Examining the Partition Table . . . . . . . . . . . . . . . . . . . . . . . . .23

Exercise 2.1 Viewing FAT Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55

Exercise 3.1 First Response to a Computer Incident . . . . . . . . . . . . . . . . . . 112

Exercise 4.1 Previewing Your Own Hard Drive . . . . . . . . . . . . . . . . . . . . . . 162

Exercise 5.1 Understanding How EnCase Maintains Data Integrity . . . . . . . . . 213

Exercise 6.1 Navigating EnCase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

Exercise 7.1 Searching for Data and Bookmarking the Results . . . . . . . . . . . 414

Exercise 8.1 Performing a File Signature Analysis. . . . . . . . . . . . . . . . . . . . 445

Exercise 9.1 Windows Artifacts Recovery . . . . . . . . . . . . . . . . . . . . . . . . . 558

Exercise 10.1 Partition Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587

Exercise 10.2 Conducting Email Examinations . . . . . . . . . . . . . . . . . . . . 617

Introduction This book was designed for several audiences. First and foremost, it was designed for any-one seeking the EnCase Certifi ed Examiner (EnCE) credential. This certifi cation has rap-idly grown in popularity and demand in all areas of the computer forensics industry. More and more employers are recognizing the importance of this certifi cation and are seeking this credential in potential job candidates. Equally important, courts are placing increasing emphasis on certifi cations that are specifi c to computer forensics. The EnCE certifi cation meets or exceeds the needs of the computer forensics industry. Moreover, it has become the global gold standard in computer forensics certifi cation.

This book was also designed for computer forensics students working either in a structured educational setting or in a self-study program. The chapters include exercises, as well as evi-dence fi les on the publisher’s website, making it the ideal learning tool for either setting.

Finally, this book was written for those with knowledge of EnCase or forensics who simply want to learn more about either or both. Every topic goes well beyond what’s needed for certifi cation with the specifi c intent of overpreparing the certifi cation candi-date. In some cases, the material goes beyond that covered in many of the formal training classes you may have attended. In either case, that added depth of knowledge provides comprehensive learning opportunities for the intermediate or advanced user.

The EnCE certifi cation program is geared toward those who have attended the EnCase Intermediate Computer Forensics training or its equivalent. To that extent, this book assumes the reader has a general knowledge of computer forensics and some basic knowledge of EnCase. For those who may need a refresher in either, you’ll fi nd plenty of resources. Many users may have used earlier versions of EnCase and have not yet transi-tioned to EnCase 7. Those users may benefi t by starting with Chapter 6, which discusses the EnCase environment, which has radically changed with the release of EnCase 7.

The chapters are organized into related concepts to facilitate the learning process, with basic concepts in the beginning and advanced material at the end. At the end of each chapter, you will fi nd the “Summary,” “Exam Essentials,” and “Review Questions” sec-tions. The “Summary” section is a brief outline of the essential points contained in the chapter; the “Exam Essentials” section explains the concepts you’ll need to understand for the examination.

I strongly urge you to make full use of the “Review Questions” section. A good way to use the questions is as a pretest before reading each chapter and then again as a posttest when you’re done. Although answering correctly is always important, it’s more important to understand the concepts covered in the question. Make sure you are comfortable with all the material before moving to the next chapter. Just as knowledge is cumulative, a lack thereof impedes that accumulation. As you prepare for your certifi cation examinations (written and practical), take the time to thoroughly understand those items that you may have never understood. The journey along the road to certifi cation is just as important as the destination.

xxii Introduction

What Is the EnCE Certification?

Guidance Software, Inc., developed the EnCE in late 2001 to meet the needs of its customer base, who requested a solid certifi cation program covering both the use of the EnCase soft-ware and computer forensics concepts in general. Since its inception, the EnCE certifi cation has become one of the most recognized and coveted certifi cations in the global computer forensics industry. You might ask why, but the answer is simple. The process is demanding and challenging. You must have certain knowledge, skills, and abilities to be able to pass both a written and a practical examination. For certain, it is not a “giveaway” program. You will work hard, and you will earn your certifi cation. When you are certifi ed, you’ll be proud of your accomplishment. What’s more, you will have joined the ranks of the elite in the industry who have chosen to adhere to high standards and to excel in their fi eld. Remember, in the fi eld of computer forensics, excellence is not an option; it is an operational necessity.

Why Become EnCE Certified?

The following benefi ts are associated with becoming EnCE certifi ed:

■ EnCE certification demonstrates professional achievement.

■ EnCE certification increases your marketability and provides opportunity for advancement.

■ EnCE certification enhances your professional credibility and standing when testifying before courts, hearing boards, and other fact-finding bodies.

■ EnCE certification provides peer recognition.

EnCE certifi cation is a rigorous process that documents and demonstrates your achieve-ments and competency in the fi eld of computer forensics. You must have experience as an investigator and examiner, and you must have received training at the EnCase Intermediate Computer Forensics level or other equivalent classroom instruction before you can apply for the program. Next, you will have to pass both a written and a practical examination before receiving your certifi cation. EnCE certifi cation assures customers, employers, courts, your peers, and others that your computer forensics knowledge, skills, and abilities meet the high-est professional standards.

How to Become EnCE Certified

Guidance Software publishes on its website the most current requirements and procedures for EnCE certifi cation, which is at www.guidancesoftware.com/computer-forensics-training-ence-certification.htm . Generally, the process, as it currently exists, is as follows, but it could change. Therefore, always check the website for the most accurate proce-dure. To become EnCE certifi ed, you must do the following:

■ Have attended 64 hours authorized computer forensic training (online or classroom) or have 12 months computer forensic experience. Register for the test and study guide, which includes completion of the application and payment of required fees.

Introduction xxiii

■ Have all application and supporting documents verified by Guidance Software prior to authorization for exam.

■ Pass the written test with a minimum score of 80 percent. The test is administered with ExamBuilder or during the Guidance Software EnCE Prep Course. You are given two hours to complete this test.

Complete the practical examination within 60 days with a minimum score of 85 percent. These requirements are quoted directly from Guidance Software’s website and are current as of the publication date of this book. You should check the website before you apply to make sure you are complying with the most current requirements. You can fi nd the requirements, the application form, and other important information relating to the EnCE certifi cation program here:

www.guidancesoftware.com/computer-forensics-training-ence-certification.htm

How to Use This Book and the Publisher’s Website

We’ve included several testing features, both in the book and on the publisher’s website, which can be accessed at: www.sybex.com/go/ence3e . Following this introduction is an assessment test that you can use to check your readiness for the actual exam. Take this test before you start reading the book. It will help you identify the areas you may need to brush up on. The answers to the assessment test appear after the last question of the test. Each answer includes an explanation and tells you in which chapter this material appears.

As mentioned, to test your knowledge as you progress through the book, each chapter includes review questions at the end. As you fi nish each chapter, answer the review questions and then check to see whether your answers are right—the correct answers appear in the Appendix A of this book. You can go back to reread the section that deals with each question you got wrong to ensure that you answer the question correctly the next time you are tested on the material. You’ll also fi nd 100 fl ashcard questions on the publisher’s website for on-the-go review. Download them onto your mobile device for quick and convenient reviewing.

In addition to the assessment test and the review questions, you’ll fi nd two bonus exams on the publisher’s website. Take these practice exams just as if you were actually taking the exam (that is, without any reference material). When you have fi nished the fi rst exam, move on to the next exam to solidify your test-taking skills. If you get more than 85 percent of the answers correct, you’re ready to take the real exam.

Also included on the publisher’s website are the following:

■ Evidence files for use with the EnCase forensic software

■ Guidance Software’s EnCase Legal Journal

■ Information on the Guidance Software Forensic and Enterprise products

Guidance Software’s EnCase Legal Journal

The most important aspect of any computer forensic examination is the legal admissibility of the evidence found. Guidance Software’s full-time legal staff provides case law research

xxiv Introduction

and litigation support for its EnCase Forensic and EnCase Enterprise customers. As part of its support, Guidance Software provides the EnCase Legal Journal .

The EnCase Legal Journal was updated in late 2011 with the most up-to-date case law, and it is provided on the publisher’s website in a PDF fi le. Updates to the EnCase Legal Journal are available for download from a link on the EnCE FAQ’s web page on the Guidance Software website: www.guidancesoftware.com/computer-forensics-training-ence-faqs.htm .

The EnCE written exam includes six legal questions, whose answers are found in the EnCase Legal Journal . Individuals preparing for the EnCE exam are strongly encouraged to review this document.

You can contact Guidance Software’s legal staff by email at customerservice@guidancesoftware.com .

Tips for Taking the EnCE Exam

When taking the EnCE written test, here are a few tips that have proven helpful:

■ Get a good night’s rest before your test.

■ Eat a healthy meal before your test, avoiding heavy fats and starches that can make you lethargic or drowsy.

■ Arrive at your class or testing site early so that you won’t feel rushed. Once there, stretch, relax, and put your mind at ease.

■ Read each question carefully. Some questions ask for one correct answer, while other questions ask you to select all answers that are correct. Make sure you understand what each question is asking, and don’t rush to a quick answer.

■ If you don’t answer a question, it will be scored as a wrong answer. Given that, it’s better to guess than leave an answer blank.

■ When you aren’t sure of an answer, eliminate the obviously incorrect answers. Consider the remaining choices in the context of the question. Sometimes a keyword can lead you to the correct answer.

■ You’ll be provided with scratch paper at your examination station. As soon as you sit down and you can start, write down formulas, memory aids, or other facts you may need before starting the exam. Once you do that, you can relax, knowing you have committed those memory items to paper, freeing your memory to work on the questions. You might think of it as being somewhat analogous to the process by which RAM frees up memory space by writing it to the swap file.

Important: Hardware Requirements

and Configuring EnCase 7

In past editions, I have not addressed the ideal hardware confi guration for running EnCase. However, with EnCase 7 I feel I must address this matter, as it is critical to using EnCase 7. EnCase 7 changed, and with it our hardware and confi gurations also must change. To be blunt, if you don’t change and provide an adequate hardware environment, you won’t have

Introduction xxv

a good experience using EnCase 7. Conversely, if you provide EnCase 7 with the proper computing resources and confi gure them properly, you will be delighted with the features and performance of EnCase 7.

Guidance Software has published a recommended set of hardware specifi ca-tions upon which I will expound and speak much more forcefully. Those specifi ca-tions (summarized in Table 1) are found at: http://download.guidancesoftware.com/ADlkyEKTv9Dwc77R5rnLOCbRPyH0sC/47tjQ24rmxcbIDESZsIpBlaict49llscMs00VTjszsVQw862ZZ

dCajXnSXeLBk9KXCsBTyxXA7kg%3D or http://tiny.cc/sjmzgw .

TA B LE 1 : Guidance Software Hardware Recommendations

Component Recommended Specifications

Memory 16 GB

Storage Drives Drive 1: Operating System and page file

Drive 2: Evidence

Drive 3: Primary Evidence Cache—this drive should be as fast as possible

CPU Quad-core i7

Operating System Windows 7 (64-bit) or Windows Server 2008 (64-bit)

TA B LE 2 : Author’s Hardware Recommendations

Component Recommended Specifications

Memory 16 GB (more is better, though!)

Storage Drives Drive 1: Operating System and page file (use SSD)

Drive 2: Evidence (RAID 5 delivers high throughput for reads)

Drive 3: Primary Evidence Cache—(use SSD in RAID 0 configuration)

CPU Quad-core i7

Operating System Windows 7 (64-bit) or Windows Server 2008 (64-bit)

EnCase 7 throughout its range of functions relies upon a high volume of reads and writes to the evidence cache. Some data that used to reside in RAM in previous versions of EnCase (mounted compound fi les for example) is now stored in evidence cache. It only makes logical sense to have the fastest possible throughput for both reads and writes to the evidence cache, which with today’s technology would be SSDs (solid state drives)

xxvi Introduction

confi gured in a RAID 0 confi guration. For those concerned about data loss in a RAID 0, rest assured that EnCase 7.04 has resolved that issue with a backup feature that backs up your evidence cache and your case fi les every 30 minutes.

Along the same lines, the Encase Evidence Processor will make a very large number of reads and writes to cache fi les and temporary fi les on the operating system drive. Aside from that, the O/S drive is a very busy drive on any platform and especially on a forensics plat-form. It only makes sense, then, to use an SSD for your operating system. Considering all the cost that goes into a computer forensics platform, this added cost is insignifi cant. When you see the performance increase you get by having your O/S on an SSD, you’ll never question the decision to have done so!

Finally, you want to have your evidence fi les available on the local system bus and available for fast reads. A hardware-based RAID 5 offers fast throughput for read activity and provides the added benefi t of redundancy in the event of a single drive failure in the RAID 5. If you get near twice the speed when EnCase reads your evidence fi les, that cuts processing time in half for that portion of the task.

For those of you contemplating storing evidence cache on network-attached storage, don’t do it. Performance will be miserable. If you attempt to process evidence fi les over network resources, you can expect lowered performance. You would do well to reserve net-work storage for backup purposes, which would be for EnCase’s backup feature and redun-dant copies of evidence fi les. Even a fi ber-connected SAN is a shared resource and that bandwidth is shared. EnCase 7 is at its best when throughput to all data is optimized.

If you are running anti-virus software, you will do well to disable it while running EEP and various other resource-intensive processing routines in EnCase. Further, you should disable Windows indexing and searching as this consumes resources and isn’t usually a feature an examiner uses on a forensic platform.

I recently tested two systems. They were nearly identical, except that one machine was using platter-based storage and the other was using SSD-based storage and RAID 5 with a SAS controller for evidence fi les. The latter processed the evidence using the EnCase Evidence Processor in less than a third of the time taken by the former. When you’re looking at days to process evidence, that effectively means one day instead of three days, two days instead of six days, and so forth. The advantages of confi guring EnCase 7 with SSDs can’t be overstated. You will see EnCase 7 shine if you provide it with the proper resources.

I have summarized my hardware recommendations in Table 2. They are more robust and specifi c than those recommended by Guidance Software, but you will have a much improved experience with EnCase 7 if you follow them.

SSDs do wear out and, with time, you may experience degraded perfor-mance as their memory cells are depleted. Just when that occurs will depend on brand, quality, usage, and so forth. On the other hand, platter-based drives also wear out and are much slower. Thus there is no perfect solution and much depends on your budget and your tolerance to slower performance, along with other factors.

Assessment Test

1. You are a computer forensic examiner tasked with determining what evidence is on a seized computer. On what part of the computer system will you find data of evidentiary value?

A. Microprocessor or CPU

B. USB controller

C. Hard drive

D. PCI expansion slots

2. You are a computer forensic examiner explaining how computers store and access the data you recovered as evidence during your examination. The evidence is a log file and was recovered as an artifact of user activity on the ____________, which was stored on the _____________, contained within a ____________ on the media.

A. partition, operating system, file system

B. operating system, file system, partition

C. file system, operating system, hard drive

D. operating system, partition, file system

3. You are a computer forensic examiner investigating a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is File Allocation Table (FAT). What information about the docu-ment file can be found in the FAT on the media? (Choose all that apply.)

A. Name of the file

B. Date and time stamps of the file

C. Starting cluster of the file

D. Fragmentation of the file

E. Ownership of the file

4. You are a computer forensic examiner investigating media on a seized computer. You recovered a document containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is New Technology File System (NTFS). What information about the docu-ment file can be found in the NTFS master file table on the media? (Choose all that apply.)

A. Name of the file

B. Date and time stamps of the file

C. Starting cluster of the file

D. Fragmentation of the file

E. Ownership of the file

xxviii Assessment Test

5. You are preparing to lead a team to serve a search warrant on a business suspected of committing large-scale consumer fraud. Ideally, you would assign which tasks to search team members? (Choose all that apply.)

A. Photographer

B. Search and seizure specialists

C. Recorder

D. Digital evidence search and seizure specialists

6. You are a computer forensic examiner at a scene and have determined you will seize a Linux server, which, according to your source of information, contains the database records for the company under investigation for fraud. What is the best practice for “taking down” the server for collection?

A. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and use the normal shutdown procedure.

B. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and pull the plug from the wall.

C. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and pull the plug from the rear of the computer.

D. Photograph the screen and note any running programs or messages, capture volatile data, and so on, and ask the user at the scene to shut down the server.

7. You are a computer forensic examiner at a scene and are authorized to seize only media that can be determined to have evidence related to the investigation. What options do you have to determine whether evidence is present before seizure and a full forensic examination? (Choose all that apply.)

A. Use a DOS boot floppy or CD to boot the machine, and browse through the directory for evidence.

B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to preview the hard drive through a crossover cable with EnCase for Windows.

C. Remove the subject hard drive from the machine, and preview the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc/Tableau.

D. Boot the computer into Windows and use Explorer search utility to find the finds being sought.

8. You are a computer forensic examiner at a scene and have determined you will need to image a hard drive in a workstation while on-site. What are your options for creating a forensically sound image of the hard drive? (Choose all that apply.)

A. Use a regular DOS boot floppy or CD to boot the machine, and use EnCase for DOS to image the subject hard drive to a second hard drive attached to the machine.

B. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the subject hard drive to a second hard drive attached to the machine.

C. Remove the subject hard drive from the machine, and image the hard drive in EnCase for Windows with a hardware write blocker such as FastBloc/Tableau.

D. Use a forensically sound Linux boot CD to boot the machine into Linux, and use LinEn to image the hard drive through a crossover cable with EnCase for Windows.