EnCase Guide

Presented at the HTCIA meeting, New York, by Bill Siebert

The Top EnCase Tech Support Questions & What’s new at Guidance Software?


Page 1: Encase Guide

Presented at the HTCIA meeting, New York, by:

Bill Siebert

The Top EnCase Tech Support Questions &

What’s new at Guidance Software?

Page 2: Encase Guide

Parallel port preview/acquire not connecting

1. Make sure the Windows version of EnCase and the DOS version of EnCase are the same; i.e., if you have EnCase 3.19 on your Windows side, you MUST have EnCase for DOS 3.19 on your EnCase boot floppy disk.

2. Make sure the parallel-port settings in the BIOS are the same for both the Subject PC and the Storage PC. The recommended BIOS settings are:

• Bi-Directional

• EPP

• ECP + EPP

• ECP

Page 3: Encase Guide

How to acquire using a NIC

1. Boot the suspect machine into DOS with one of the new automated EnCase Network boot disks.

2. Type “EN” at the DOS prompt.

3. Select server and then network.

4. Boot the forensic machine into Windows.

5. Make sure the network settings are correct in the Windows machine:

• TCP/IP protocol must be installed

• IP address should be set at 10.0.0.50

• Subnet mask should be 255.255.255.0

• You must remove your WINS and DNS settings

Open EnCase, choose preview/acquire. Select network for source.

Page 4: Encase Guide

What file systems does EnCase support?

EnCase can interpret the following file systems:

• FAT12

• FAT16

• FAT32

• NTFS

• EXT2 (Linux)

• HFS

• HFS+ (Mac and PowerMac)

• UFS (Unix)

• CDFS (CD-ROM)

• UDFS *

Note: If EnCase does not recognize the file system on the drive (HPFS for example), it will show the unrecognized file system as an "unallocated cluster" file. You can still search for keywords and file headers, and make bookmarks, but you will not see file names or folder structure. You can still perform EScript searches against these file systems as well.

Page 5: Encase Guide

How to mass copy/unerase bookmarks

1. Check the check box of the top-most bookmark.

2. <Shift> click on the check box of the bottom-most bookmark. All bookmarks will be checked.

3. Right-click anywhere in the Table view. Select the "Tag Selected Files" command.

4. Switch to the case tab and you will notice that the files corresponding to the bookmarks you checked are now also all checked.

5. In the Table view, right-click on any one selected file and choose "Copy/Unerase".

6. Specify that you want to copy/unerase "all selected files".

7. Click Next, Next, and then Finish.

Page 6: Encase Guide

How to bookmark multiple recovered graphic images

To move recovered graphics files from the recovered graphics files folder into one of the Final Report folders, typically the Pictures folder, do this:

1. Go to the bookmark tab on the left

2. Highlight Recovered Graphics Files folder

3. Go to the Table view on the right

4. Drag and drop the desired images, by the number next to the file, into the folder of choice.

Note: At this time, you cannot multiple-select the images. You have to drag and drop them one at a time.


Page 7: Encase Guide

Time/Date stamp issues

Last Accessed:

The Last Accessed column gives the date the file was last accessed. A file does not have to be altered for the Last Accessed date to change; it only has to be accessed (opened).

Last Written:

The Last Written column indicates the last date and time that a file was actually opened, edited, then saved. If a file is merely opened then closed (but not altered), or opened, edited, and closed with no save, then this column will not update.

File Created:

This tells us when that particular file was created at that location. So, if a file was edited and changed on January 3rd, and then copied to a floppy diskette on January 15th, and you acquired that floppy diskette on January 28th, you would notice that the file (on the floppy) was created after it was last written or even accessed!

Entry Modified:

This is only pertinent to NTFS (Windows NT, Windows 2000) and Linux file system files. It refers to the pointer for the file entry and the information that that pointer contains, such as the size of the file. So, if you were to change a file, but

Page 8: Encase Guide

How to add an external file viewer

1. Navigate to Tools > File Signatures and Viewers > Viewers tab.

2. Right click and select New File Viewer.

3. After you add the file viewer, go back to the file signatures page and associate the new viewer with whatever type of file you wish.

Page 9: Encase Guide

How to acquire a laptop hard drive

There are 4 ways to acquire a laptop hard drive. In order, from fastest to slowest:

1. Remove hard drive from Laptop and acquire using FastBloc (You will need to buy a 40-pin standard IDE connector to laptop HDD connector which runs about $10 at any computer store)

2. Remove hard drive from Laptop and acquire using DOS. Again, you will need to buy that adapter.

3. Using the EnCase Network Boot disk and a compatible Network Card in both the laptop and your forensic machine, use the 10bT crossover cable and acquire through that.

4. Using the parallel port cable. This method is extremely slow, however on some laptops, it is the only way to acquire them.

Note: Many laptop hard drives are "married to the motherboard" so that they will not work correctly if you try to acquire them outside of the laptop. For that reason, many people only consider using methods 3 & 4. Method 3 is definitely faster than number 4.

Page 10: Encase Guide

How to find a deleted partition

1. Run a hex search for the characters '55' and 'AA' and see if you can find the end of a partition. If you do, count 63 sectors to the right of that. If there is a "MSWIN4.1" or "NTFS" text in that sector, then that sector (with the text) is the beginning of a new partition.

2. Right-click that sector and click “Add Partition."

Note: You can find more information regarding recovering partitions in Chapter 19 of the EnCase 3.18 User Manual.
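The two-step procedure above (find a sector ending in 55 AA, then look 63 sectors further on for an "MSWIN4.1" or "NTFS" volume boot sector) is mechanical enough to script. The Python below is an added example and not part of EnCase or the presentation; it runs the same check over a raw image and builds a small constructed image to run against, with the partition-table entries zeroed as they would be after a partition is deleted. It generalizes the slide slightly by making the 63-sector gap a parameter, because later Windows versions align the first partition at 2048 sectors rather than 63; the sector layout, OEM strings and function names are this example's assumptions.

```python
SECTOR = 512
BOOT_SIG = b"\x55\xAA"                # last two bytes of an MBR or volume boot sector
OEM_IDS = (b"MSWIN4.1", b"NTFS    ")  # OEM name at offset 3 of FAT32 / NTFS boot sectors
DEFAULT_GAP = 63                      # classic CHS alignment; Vista and later use 2048

def sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]

def find_partition_candidates(image: bytes, gap: int = DEFAULT_GAP) -> list:
    """Apply the slide's rule: every sector that ends in 55 AA is a possible
    partition table; if the sector `gap` sectors after it carries a known OEM
    name, report that sector as the start of a (possibly deleted) partition.
    Returns (table_sector, boot_sector, oem_name) tuples."""
    total = len(image) // SECTOR
    hits = []
    for n in range(total):
        s = sector(image, n)
        if len(s) < SECTOR or s[-2:] != BOOT_SIG:
            continue
        target = n + gap
        if target >= total:
            continue                     # rule points past the end of the image
        oem = sector(image, target)[3:11]
        if oem in OEM_IDS:
            hits.append((n, target, oem.decode("ascii").strip()))
    return hits

# --- constructed sample image (not real evidence) -------------------------

def make_boot_sector(oem: bytes) -> bytes:
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x58\x90"            # jump instruction seen at the start of boot sectors
    s[3:11] = oem
    s[-2:] = BOOT_SIG
    return bytes(s)

def make_table_sector() -> bytes:
    s = bytearray(SECTOR)
    s[-2:] = BOOT_SIG                    # partition entries left zeroed, as after deletion
    return bytes(s)

def build_sample_image(total: int = 200) -> bytes:
    """200-sector image: MBR at 0, FAT32 boot sector at 63, an extended
    partition table at 100 and an NTFS boot sector at 163. The FAT32 boot
    sector at 63 also ends in 55 AA, but sector 126 is empty, so the rule
    correctly does not report it."""
    img = bytearray(total * SECTOR)
    def put(n, data):
        img[n * SECTOR:(n + 1) * SECTOR] = data
    put(0, make_table_sector())
    put(63, make_boot_sector(b"MSWIN4.1"))
    put(100, make_table_sector())
    put(163, make_boot_sector(b"NTFS    "))
    return bytes(img)

if __name__ == "__main__":
    for table, boot, oem in find_partition_candidates(build_sample_image()):
        print(f"55 AA at sector {table}; {oem} boot sector at {boot} -> Add Partition here")
```

On a real image the candidate list is only a starting point: the boot sector's BPB still has to describe a volume that fits the space, which is what the "Add Partition" step in EnCase then validates.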

Page 11: Encase Guide

How to acquire a PDA

The only Palms supported, at this time, are the following:

• III series

• V series

• VII series

• M105

• M100

Note: You can acquire other PDAs that use the Palm OS 3.0, such as certain models of the Handspring Visor.

Page 12: Encase Guide

How to acquire a PDA

1. Put the PDA in its cradle.

Attach the cradle cable to an available serial port on your computer.

Boot up the computer into Windows.

Launch EnCase for Windows.

Turn the Palm PDA on and put it in Console mode.

Putting a Palm in Console mode...

Lower-case cursive l on the left side of the "graffiti" area

Double-dot on the left side of the "graffiti" area

Number '2' on the right side of the "graffiti" area

Note: You will be able to tell when a Palm is in "console mode" by a slightly longer "beep" sound than the normal "beep" sound. To get out of console mode, you must reset the Palm.

Note: If you do not hear a "beep" sound when putting the Palm into Console mode, check the system volume settings for System Sound, Alarm Sound, and Game Sound. They should all be set to "High".

Page 13: Encase Guide

How to acquire a PDA

2. Back at your computer, click the Acquire (or Preview) button in EnCase.

Source: "Local Devices". Include: "Palm Pilot" only.

You will see all serial devices attached to your computer. Click Next.

Enter your information (Evidence number, case number, Investigator’s name etc…) on the acquisition screen. Click Next.

Choose to acquire only, or add and verify into the case. Click Next.

Choose compression and hashing options, and provide a file name. Click Finish.

You will see the Palm acquiring. It takes a while.

When finished, you will get a message telling you so.

Add the evidence file to a new (or existing) case.

You will see the Palm in the Case view.

Getting out of Console Mode:

1. You have to reset the Palm. To reset a Palm, look for a small circular hole on the back of the Palm with the word RESET by it. Insert a pen tip in there.

Note: You will not be able to HotSync a Palm until it is out of Console mode, so be sure to do that.

Page 14: Encase Guide

What’s new at Guidance Software?

Page 15: Encase Guide

EnCase Enterprise Edition

• EnCase Enterprise Edition allows investigators, inside or outside a network, to examine a target node in a “forensic” process

• Security controls are at a domain level and allow for multiple/remote domains

• EnCase Enterprise Edition operates in the Guidance Software Secure Network Application Environment

• The components of EnCase Enterprise Edition are:

– S.A.F.E. - Secure Authentication for Forensic Examinations

– EnCase Node Servlet

– EnCase V3 Enterprise Client

Page 16: Encase Guide

Design Features

Based on a secure public key authentication, 128-bit encryption for transmissions and files

• Granular user permissions

• Vendor must authorize each SAFE setup

• Tamper resistant storage of SAFE private key on SAFE

• Secure backup of SAFE private key for disaster recovery

• Secure binding between SAFE hardware and SAFE private key

• All session keys generated on SAFE hardware

• Prevent replay attacks without relying on synchronized clocks

• Node can validate SAFE public key with vendor signature
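"Prevent replay attacks without relying on synchronized clocks" describes a challenge-response design: the SAFE issues a fresh random nonce per login, the examiner proves possession of their credential over that nonce, and the SAFE never accepts the same nonce twice, so a captured answer is worthless later and no party needs an accurate clock. The Python below is an added illustration of that property only; it is not Guidance Software's protocol, and it stands in for the slide's public-key authentication with an HMAC over a shared secret, which is an assumption made to keep the example to the standard library. Class and function names, the message framing string and the 16-byte nonce size are likewise this example's own choices.

```python
import hashlib
import hmac
import secrets

CONTEXT = b"safe-auth|"   # assumed domain-separation prefix for the proof

def examiner_respond(secret: bytes, nonce: bytes) -> bytes:
    """Examiner side: prove possession of `secret` for exactly this nonce."""
    return hmac.new(secret, CONTEXT + nonce, hashlib.sha256).digest()

class Safe:
    """Stand-in for the SAFE's authentication step: enrol credentials, hand out
    one-shot nonces, and refuse any nonce that was already answered."""

    def __init__(self):
        self.examiners = {}      # examiner name -> shared secret (assumption, see lead-in)
        self.outstanding = {}    # nonce -> examiner it was issued to
        self.consumed = set()    # nonces that have been answered, rightly or wrongly

    def enroll(self, name: str, secret: bytes) -> None:
        self.examiners[name] = secret

    def challenge(self, name: str) -> bytes:
        if name not in self.examiners:
            raise KeyError(f"unknown examiner {name!r}")
        nonce = secrets.token_bytes(16)      # fresh randomness, no clock involved
        self.outstanding[nonce] = name
        return nonce

    def verify(self, name: str, nonce: bytes, response: bytes) -> bool:
        if nonce in self.consumed:
            return False                     # replay: this nonce was already answered
        if self.outstanding.get(nonce) != name:
            return False                     # not issued, or issued to someone else
        expected = examiner_respond(self.examiners[name], nonce)
        ok = hmac.compare_digest(expected, response)
        # Burn the nonce whether or not the answer was right, so a failed
        # attempt cannot be retried against the same challenge either.
        del self.outstanding[nonce]
        self.consumed.add(nonce)
        return ok

def demo() -> tuple:
    """One honest login followed by a replay of the captured answer."""
    safe = Safe()
    key = secrets.token_bytes(32)            # constructed examiner credential
    safe.enroll("examiner1", key)
    nonce = safe.challenge("examiner1")
    answer = examiner_respond(key, nonce)
    first = safe.verify("examiner1", nonce, answer)     # True
    replay = safe.verify("examiner1", nonce, answer)    # False: nonce already consumed
    return first, replay

if __name__ == "__main__":
    print(demo())
```

The `consumed` set grows for the life of the process; a real server bounds it by expiring outstanding challenges after a short interval or by rotating the key used to issue them, which still requires no agreement on wall-clock time between examiner and SAFE.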

Page 17: Encase Guide

S.A.F.E. Server

• Defines EnCase Examiner Access Permissions

• Maintains EnCase Authentication Keys

• Authenticates Examiners

• Controls Examiners’ Privileges

• Controls Access to Target Node via Servlet

• Enables/Disables Examiner Sessions

• Monitors and Logs Sessions

Page 18: Encase Guide

Multi-SAFE Environment

(Diagram; labels only: SAFE1, Node 1, Keymaster 1, Consultant; SAFE2, Node 2, Keymaster 2, Examiner)

Page 19: Encase Guide

EnCase v3 Enterprise Client

• Designed for EnCase Enterprise Edition

• Enhanced user interface for network node definition

• Encrypted evidence files

• Contains all features of EnCase v3

• Used “standalone” for viewing Enterprise Edition encrypted evidence files

Page 20: Encase Guide

Corporate Advantage

Best Practice “Incident Response”

Situation: Employee deletes files and company data or information.

Action: Use EnCase to search for deleted files.

– Secure scene

– Preview media or drive

– Use undelete to recover files

– Recover deleted folders and file fragments

– Document findings in report

Outcome: Files recovered, evidence is secured and available for judgment on the act. Without a forensic copy, litigation for possible malicious intent would be compromised.

Page 21: Encase Guide

Corporate Advantage

Best Practice “Incident Response”

Situation: Unusual activity of an employee’s computer use after work, possible inappropriate graphics or content.

Action: Use EnCase to determine misuse.

– Gallery view for visual review

– Recover deleted files

– Review files with after-hours activity in the Timeline view

– Document findings in report

Outcome: Verified use; you have court-approved evidence in support of your HR policies toward computer use. HR takes action if necessary.

Page 22: Encase Guide

Corporate Advantage

Best Practice “Exit Interview”

Situation: Employee leaves the company, involved in projects and programs or not, on good terms or not.

Action: Use EnCase to search for intellectual property, deleted files, programs, databases and communications.

– Secure scene

– Image PC drive(s)

– Recover deleted folders and file fragments

– Search using key words or code names

– Document findings in report

Outcome: Understand exposure to intellectual property on the subject drive and now able to pursue recourse up to litigation if necessary. Imaging the drive of all exits (good or bad) helps reduce HR issues resulting from employees feeling singled out.

Page 23: Encase Guide

Bill Siebert

Director of Computer Investigative Services

Guidance Software

[email protected]