EnCE v6 Study Guide

Upload: igorcaparosky

Post on 06-Apr-2018

  • 8/2/2019 EnCE v6 Study Guide

    1/46

    EnCE Study Guide, Version 6

    Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.

    Certification Background

    The EnCase Certified Examiner program was created to meet the requests of EnCase users as well as to provide a recognized level of competency for the examiner. While many different certifications exist, the EnCE provides an additional level of certification and offers a measure of professional advancement and qualifications.

    Certain qualifications must be met to enter the certification process. An application and a detailed explanation can be found at:

    http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm

    The cost is USD 200.00 for the US and Canada, and USD 225.00 international, payable by credit card, check, or purchase order. The certification program does not generate profits for Guidance Software; the testing fee covers the cost of the written test provided by ExamBuilder. Once payment has been received and processed, the certification coordinator will email testing instructions to you.

    The certification process addresses both EnCase software (EnCase) and general areas of computer forensics. It involves a written test consisting of 180 questions (174 for international candidates; no legal questions). Two hours are provided to complete the written exam, which is true/false and multiple choice.

    Once the Phase I results are received, the certification coordinator will ship the Phase II exam to you at the address you provided on your application. You will be notified via email when your package has been shipped. If you fail the Phase I test, you will be required to wait two (2) months from the date the test was taken to be issued a new voucher and re-test.

    In your Phase II package you will receive a compact disc that has a certification version of EnCase Forensic, evidence files, and objectives or issues you must address. You must work the case, compile your report, and then send the report to Guidance Software for review and grading within 60 days. If you do not finish Phase II in the time allotted, you will be required to wait two (2) months from the date that the test was due and restart from the beginning.


    Those who fail the EnCE Phase II exam must wait two (2) months prior to retesting. We will not provide feedback on what was missed on the exam. If after resubmitting Phase II you fail again, you must begin the retesting process from Phase I.

    Beginning the Certification Process

    The first step toward certification is to review the qualifications and complete the application available at:

    http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm

    Submit the completed application to the EnCE certification coordinator at the address provided. Once your application has been received and accepted, you will be provided with a voucher to enroll in Phase I of the testing process.

    Phase I Testing Options

    ExamBuilder

    o ExamBuilder provides online testing services available at all times.

    o Once you receive email instructions from the certification coordinator, visit the ExamBuilder website at https://testing.exambuilder.com/ to enroll in the Phase I testing process. Follow the instructions for log in and complete the enrollment form.

    o If you have questions about the enrollment process, contact the Guidance Software certification coordinator at (626) 229-9191, ext. [email protected]

    EnCE Prep Course

    o This course is designed for EnCase users preparing for certification. The certification is based upon the skills and knowledge presented in Guidance Software's EnCase Computer Forensics I and EnCase Computer Forensics II courses. The EnCE Prep course is not intended to be a replacement for these two classes; instead it is a thorough but accelerated review of the covered subjects. Students cannot waive or substitute the prerequisite attendance of Guidance Software's EnCase Computer Forensics II course when applying to attend the EnCE Preparation course.

    o The Phase I written examination will be administered on the final afternoon of the course in a monitored, timed environment.


    o The examination will be administered only at Guidance-owned sites in Los Angeles, Chicago, Houston, Washington DC, and London; Authorized Training Partners cannot conduct the test as part of this course.

    o Complete details for this course can be found at:

    http://www.guidancesoftware.com/computer-forensics-training-encase-ence.htm

    CEIC

    o Registered attendees at our annual CEIC conference may elect to take the Phase I test at no additional charge during the conference.

    o All requirements must be met prior to attending CEIC. Anyone interested in taking the Phase I test at CEIC must fill out an application and return it to the certification coordinator via fax, email, or mail one (1) month prior to the conference. Only those who have preregistered and been approved will be admitted to take the Phase I test at CEIC.

    o Please visit www.ceicconference.com for more information.

    Maintaining Your Certification

    As of November 1, 2008, EnCase Certified Examiners are required to achieve one of the following items prior to their expiration date in order to renew. For those who have been certified prior to November 1, 2008, the current expiration date will remain the same, but the new requirements listed below will now apply. Once renewed, the expiration date will be changed to a three-year cycle (for example, if renewing in 2009, the next renewal date will not be until 2012, and then every 3 years from then on).

    Attend a minimum of thirty-two (32) credit hours of documented continuing education in computer forensics or incident response to maintain the certification: *

    o The training should be from Guidance, your agency, or an accredited source. Training should be either in a classroom lab setting or online. Proof of attendance should be provided via a certificate, transcript, or official letter.

    o Earn one (1) credit hour for each classroom hour of training and 1/2 credit hour for each hour of instruction as a computer forensics or incident response curriculum instructor.

    Achieve a computer forensics or incident response related certification within the renewal period. A certificate of completion must be submitted as documentation.

    *Training and teaching hours may be combined to reach the total 32 hours required. Documentation may be a certificate of completion, official letter from the provider, or transcript.


    Attend one CEIC conference within the renewal period. Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE. Register online at http://www.ceicconference.com/Default.aspx . Renewal forms will be available at the registration desk during the conference. Please check the box on the renewal form, and registration will be on file with Guidance Software, Inc.

    Guidelines for submitting renewal credit for attendance at any computer forensic conference other than CEIC are:

    o Only labs count (seminars or product demos are not considered)

    o Calculate one (1) CPE for every hour in a lab

    o To submit credits, please send a copy of the conference agenda and indicate the labs attended and how many CPE each one is worth

    Please do not submit your renewal documents separately. Keep all certificates together and only send them when you have the requirement fulfilled. When you are ready, send the attached form and any certificates/letters/documents via fax, email, or regular mail.

    The requirements need to have been met within the renewal period (i.e., if the renewal date is June 1, 2009, the requirements must have been achieved between June 1, 2007 and June 1, 2009).

    Should your certification expire, you will be required to restart the EnCE process from Phase I. Extensions will not be granted. If you are unsure of your expiration date, please email: [email protected]

    Complete renewal details are available at:

    http://www.guidancesoftware.com/computer-forensics-training-encep-program-application.htm


    Other Study Material

    This Study Guide highlights the topics contained in the EnCE test, including good forensic practices, legal issues, computer knowledge, knowledge of EnCase, evidence discovery techniques, and understanding file system artifacts. If you need reference materials to prepare for a specific topic or portion of the exam, some recommended study materials are listed below:

    EnCase Computer Forensics I manual by Guidance Software

    EnCase Computer Forensics II manual by Guidance Software

    EnCase Legal Journal by John Patzakis

    EnCase User's Manual by Guidance Software

    Handbook of Computer Crime by Eoghan Casey

    How Computers Work by Ron White

    EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting, Second Edition


    EnCase Environment

    All lab media should maintain a unique volume label and a unique directory to receive the evidence file(s).

    All lab media should be forensically sterile: wiped of all data, verified to be absent of any data, freshly partitioned, and formatted.

    Upon starting a new case, default Export and Temp directories should be defined.

    These folders will provide a default location for exported data as well as a specific folder to contain files that are created through the use of external viewers.

    Both of these folders are case specific and can be modified as to location at any time.

    When an examiner double-clicks on a file, the data is copied to the defined Temp directory, and the associated viewer is then called to display the file data.

    When EnCase is properly shut down, EnCase will delete the files from theTemp folder.

    E01 File

    Bit-stream image of the source media written to a file(s).

    Contains case information as first block.

    Header is always compressed and is verified through the use of thecompression algorithm used.

    No alteration to case information block can be made.

    EnCase itself imposes no limit on the evidence file segment size; the practical maximum is set by the file system the segments are written to (for example, FAT32 cannot hold a file of 4 GB or more).

    Content of the evidence file cannot be changed; data cannot be added to an existing evidence file.


    Case File

    Contains your work: search results, bookmarks, and report.

    It is simply a text file containing information specific to a single case/investigation.

    There is no limit to the number of evidence files that can be added to a single case (8 HDDs, 200 diskettes, 24 CD-Rs, as an example).

    The case file is updated by using the SAVE button or selecting SAVE from the menu. This only affects the .case file.

    Evidence file verification results are stored within the .case file.

    Backup File (.CBAK)

    Is created at preset intervals if auto save is enabled and not set to 0.

    Captures current state of the case

    EnCase Configuration Files

    Contain global changes to the EnCase environment: external viewers, hash sets/libraries, signature table.

    This global environment dictates the information/tools available for all cases; it is not case specific.

    Example EnCase configuration .ini files:

    o FileSignatures.ini: File Signature Table

    o FileTypes.ini: organizes files into groups by extension; determines which viewer to use

    o Keywords.ini: global keywords list

    o Filters: available filters

    o Viewers.ini: installed external viewers

    The File Types table dictates the action that will occur if a user double-clicks on a specific file.

    External viewers are associated with file extensions through the File Types.


    Verification of E01

    A CRC (32-bit) is computed for every 64 sectors of an uncompressed evidence file.

    The decompression algorithm is used to verify the evidence file when the evidence file is compressed.

    MD5 (128-bit) computed during acquisition and placed at the end of the evidence file.

    SHA1 hashing verification option (available alongside MD5 in EnCase v6). Note for current practice: MD5 and SHA-1 are no longer collision resistant. They still detect accidental corruption and casual alteration of an image, but where the tooling supports it a SHA-256 of the acquired data should be recorded as well.

    To fully verify an uncompressed evidence file, all CRCs as well as the hash value(s) must validate and verify.

    For a compressed evidence file, the decompression algorithm as well as the hash value(s) must validate and verify.

    If any changes occur to an evidence file, the CRC for the affected block(s) will no longer verify, and EnCase will display an error when any data within the block is accessed.

    EnCase will also indicate an error if the evidence file is verified again.

    Three (3) aspects of an existing evidence file can be changed/altered:

    o Password +/-, compression, and evidence file segment size

    o The applied filename of the evidence file can be changed, and/or the evidence file(s) can be moved to another location; however, EnCase will prompt you to locate the renamed evidence file if it is changed after it is added to a case

    o Individual segments of an evidence file can be verified (Tools > Verify Single Evidence File)

    Compression does not have an impact on the verification of an evidence file; the hash value will remain constant, because it is computed over the uncompressed data, not over the stored (compressed) bytes.
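    The verification model described above (one 32-bit CRC per 64-sector block, an acquisition hash over all of the data, and the decompressor's own check standing in for the CRCs when compression is on) as a worked example. This is an added illustration, not code from the study guide or from EnCase: the dict it builds is a stand-in for an evidence file, not the EWF/E01 on-disk layout, and the tamper() helper exists only for the demonstration. It also serves the Evidence File Verification slide later in this guide.

```python
"""Illustrative model of how an EnCase-style evidence file is verified.
Added example: blocks, CRCs and hashes are kept in a plain dict so that the
checks themselves are easy to read. This is NOT the real E01/EWF format."""
import hashlib
import zlib

SECTOR = 512
BLOCK_SECTORS = 64                  # default: one 32-bit CRC per 64 sectors (32 KB)
BLOCK_BYTES = SECTOR * BLOCK_SECTORS


def make_sample_media(sectors=200):
    """Constructed stand-in for source media: sector i is filled with byte i % 256."""
    return b"".join(bytes([i % 256]) * SECTOR for i in range(sectors))


def acquire(data, compress=False):
    """Split the data into blocks, record a CRC32 per block, and record MD5 and
    SHA-1 over ALL of the uncompressed data. Compression only changes how a
    block is stored; the acquisition hashes are taken over the plain data."""
    blocks = [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]
    return {
        "compressed": compress,
        "blocks": [zlib.compress(b) if compress else b for b in blocks],
        "crcs": [zlib.crc32(b) & 0xFFFFFFFF for b in blocks],
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify(ev):
    """Uncompressed file: every block CRC must match. Compressed file: the
    decompressor's integrity check (zlib's Adler-32 trailer here) stands in
    for the CRC. In both cases the verification hash recomputed over the whole
    uncompressed stream must equal the acquisition hash."""
    bad_blocks, plain = [], []
    for idx, (stored, crc) in enumerate(zip(ev["blocks"], ev["crcs"])):
        if ev["compressed"]:
            try:
                block = zlib.decompress(stored)
            except zlib.error:
                bad_blocks.append(idx)
                continue
        else:
            block = stored
            if zlib.crc32(block) & 0xFFFFFFFF != crc:
                bad_blocks.append(idx)          # block is still read, but flagged
        plain.append(block)
    full = b"".join(plain)
    md5_ok = hashlib.md5(full).hexdigest() == ev["md5"]
    sha1_ok = hashlib.sha1(full).hexdigest() == ev["sha1"]
    return {"bad_blocks": bad_blocks, "md5_ok": md5_ok, "sha1_ok": sha1_ok,
            "verified": not bad_blocks and md5_ok and sha1_ok}


def tamper(ev, block_index, offset=None):
    """Return a copy of the evidence file with one stored byte flipped, the way
    a stray write or media corruption would alter it (demonstration helper)."""
    blocks = list(ev["blocks"])
    b = bytearray(blocks[block_index])
    if offset is None:
        offset = len(b) // 2
    b[offset] ^= 0xFF
    blocks[block_index] = bytes(b)
    return {**ev, "blocks": blocks}


if __name__ == "__main__":
    media = make_sample_media()
    plain_ev = acquire(media)
    zipped_ev = acquire(media, compress=True)
    print("uncompressed verifies:", verify(plain_ev)["verified"])
    print("compressed verifies:  ", verify(zipped_ev)["verified"])
    print("same MD5 either way:  ", plain_ev["md5"] == zipped_ev["md5"])
    print("after tampering:      ", verify(tamper(plain_ev, 1)))
```

    The point to take from the tampered run is that the block CRC localizes the damage (which 32 KB block no longer verifies) while the MD5/SHA-1 only says that the image as a whole is no longer the one acquired.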


    Searches

    General Information

    Searches within the Windows environment are both physical and logical.

    Within the EnCase Windows environment, keywords that span noncontiguous clusters will still be located within logical files. No searching tool will find keywords spanning noncontiguous clusters in unallocated space.

    Searches in unallocated space are physical only, as no logical definitions exist in this area.

    GREP: Most Commonly Used Symbols

    [ ] Square brackets form a set, and the included values within the set have to match a single character; [1-9] will match any single numeric value from 1 to 9.

    - Denotes a range, such as above.

    ^ Inside a set, states "not": [^a-z] matches any single character that is not a lower-case letter from a to z.

    + States to repeat the preceding character or set any number of times, but at least once.

    * States to repeat the preceding character or set any number of times, including zero times.

    \x Indicates that the following two characters are to be treated as a hexadecimal byte value: \xFF\xD8\xFF (the JPEG file header).

    ? Means the preceding character may be present or not (zero or one occurrence): joh?n will yield both JOHN and JON.

    You must indicate via the check box that the created expression is a GREP term.

    Unicode

    Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode. Unicode, as Windows stores it (UTF-16), uses two bytes for each character, allowing the representation of 65,536 characters, so the same keyword has a different byte pattern on disk and must be searched for in both forms.
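    A worked example of the GREP symbols and the ASCII/Unicode option above, as an added illustration rather than code from the study guide or from EnCase. Python's re engine stands in for EnCase's GREP implementation; only the metacharacters listed above are used, so each term reads the same in both. The search() and utf16le_view() helpers and the SAMPLE buffer are constructed for this example.

```python
"""Added example: GREP-style keyword search over raw bytes, in ASCII and in
Unicode (UTF-16LE). Python's re engine stands in for EnCase's GREP."""
import re
import struct

# Constructed sample data: ASCII text, a UTF-16LE "John", then a JPEG header.
SAMPLE = (
    b"JOHN met Jon; phone 555-1234. "      # bytes 0-29
    + "John".encode("utf-16-le")           # bytes 30-37: J\x00o\x00h\x00n\x00
    + b"\xFF\xD8\xFF\xE0JFIF"              # bytes 38-45: JPEG SOI + APP0 marker
)


def utf16le_view(buf, align):
    """One str character per 16-bit little-endian code unit, starting at byte
    `align` (0 or 1), so str index i corresponds to byte offset align + 2*i.
    Lone surrogates are kept as-is so that the mapping stays exact."""
    body = buf[align:]
    body = body[: len(body) - len(body) % 2]
    return "".join(map(chr, struct.unpack("<%dH" % (len(body) // 2), body)))


def search(buf, term, grep=False, unicode=False, case_sensitive=False):
    """Return sorted (byte_offset, encoding) hits for one keyword.
    grep=False searches the term literally (GREP check box unticked);
    unicode=True additionally tries both 16-bit alignments of the data."""
    pattern = term if grep else re.escape(term)
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = [(m.start(), "ascii") for m in re.finditer(pattern, buf, flags)]
    if unicode:
        # Same expression applied to the 16-bit view of the data.
        text_pattern = re.compile(pattern.decode("latin-1"), flags)
        for align in (0, 1):
            view = utf16le_view(buf, align)
            hits += [(align + 2 * m.start(), "utf-16le")
                     for m in text_pattern.finditer(view)]
    return sorted(hits)


if __name__ == "__main__":
    for label, term, grep, uni in [
        ("literal 'jon'", b"jon", False, False),
        ("joh?n, ASCII + Unicode", rb"joh?n", True, True),
        ("JPEG header \\xFF\\xD8\\xFF", rb"\xFF\xD8\xFF", True, False),
        ("[1-9][0-9][0-9]-[0-9]+", rb"[1-9][0-9][0-9]-[0-9]+", True, False),
    ]:
        print(f"{label:28} {search(SAMPLE, term, grep, uni)}")
```

    The literal "jon" finds only the ASCII "Jon"; the GREP term joh?n also picks up "JOHN" and, with Unicode ticked, the UTF-16LE "John" at byte 30, which no byte-for-byte ASCII search would ever return.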


    File Signatures

    Simply compares the displayed extension with the file's header/signature. Four possible results will be obtained:

    !Bad Signature - The extension is in the File Signature table but the header is incorrect, and the header is not in the File Signature table.

    * [Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension.

    MATCH - The header matches the extension. If the extension has no header in the File Signature table, then EnCase will return a Match as long as the header of the file does not match any header in the File Signature table.

    UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will not obtain a value of UNKNOWN.

    To examine the results of the File Signature effort, sort on the File Signature column.

    Remember that the Gallery view will not display supported image files that maintain extensions inconsistent with image files until and unless the Signature Analysis has been run.

    The Signature Table can be edited and/or added to by accessing the table and choosing right-click > New.
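    The four outcomes above, and the Gallery point that follows from them, as an added worked example (not code from the study guide or from EnCase). SIGNATURE_TABLE is a small constructed stand-in for the FileSignatures table, the sample files are constructed, and the helper names are this example's own.

```python
"""Added example: the four signature-analysis verdicts, computed the way the
text describes them, over a constructed table and constructed files."""

# (signature name, header bytes or None, extensions that legitimately carry it)
# A None header is an extension-only entry, e.g. plain text types.
SIGNATURE_TABLE = [
    ("JPEG Image Standard", b"\xFF\xD8\xFF",          {"jpg", "jpeg"}),
    ("GIF Image",           b"GIF8",                  {"gif"}),
    ("PNG Image",           b"\x89PNG\r\n\x1a\n",     {"png"}),
    ("ZIP Archive",         b"PK\x03\x04",            {"zip", "docx", "xlsx"}),
    ("Windows Executable",  b"MZ",                    {"exe", "dll"}),
    ("Text",                None,                     {"txt", "log", "ini"}),
]
IMAGE_SIGNATURES = {"JPEG Image Standard", "GIF Image", "PNG Image"}


def extension_of(name):
    leaf = name.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""


def signature_for_header(data):
    """First table entry whose header bytes begin the file, or None."""
    for sig_name, header, exts in SIGNATURE_TABLE:
        if header is not None and data.startswith(header):
            return sig_name, exts
    return None


def table_entry_for_ext(ext):
    for sig_name, header, exts in SIGNATURE_TABLE:
        if ext in exts:
            return sig_name, header
    return None


def classify(name, data):
    """Return (verdict, signature the verdict was decided against):
      header known, extension belongs to it      -> Match
      header known, extension does not belong    -> * Alias (renamed file)
      header unknown, extension has a header     -> !Bad signature
      header unknown, extension has no header    -> Match
      neither known                              -> Unknown"""
    ext = extension_of(name)
    by_header = signature_for_header(data)
    if by_header:
        sig_name, exts = by_header
        return ("Match" if ext in exts else "* Alias", sig_name)
    by_ext = table_entry_for_ext(ext)
    if by_ext:
        sig_name, header = by_ext
        return ("!Bad signature" if header is not None else "Match", sig_name)
    return ("Unknown", None)


def gallery_candidates(files):
    """What the Gallery can show once signature analysis has run: files chosen
    by the detected header, so a renamed JPEG is included and a .jpg that is
    not really a JPEG is not."""
    out = []
    for name, data in files:
        verdict, sig_name = classify(name, data)
        if verdict in ("Match", "* Alias") and sig_name in IMAGE_SIGNATURES:
            out.append(name)
    return out


# Constructed sample files: (name, first bytes)
SAMPLE_FILES = [
    ("photo.jpg",   b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),   # Match
    ("notes.txt",   b"meeting at 10\r\n"),              # Match: txt has no header
    ("hidden.txt",  b"\xFF\xD8\xFF\xE1\x00\x18Exif"),   # * Alias: renamed JPEG
    ("broken.jpg",  b"\x00\x00\x00\x00garbage"),        # !Bad signature
    ("blob.bin",    b"\x00\x00\x00\x00garbage"),        # Unknown
    ("report.docx", b"PK\x03\x04\x14\x00"),             # Match (ZIP container)
    ("update.dat",  b"MZ\x90\x00\x03\x00"),             # * Alias: renamed EXE
]

if __name__ == "__main__":
    for name, data in SAMPLE_FILES:
        print(f"{name:12} {classify(name, data)}")
    print("gallery:", gallery_candidates(SAMPLE_FILES))
```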


    Hash Analysis

    Hash sets can be created from selected files, and the set(s) can then be added to the library.

    The hash value computed for a given file is based upon the logical file content only, not the slack area of the file.

    File names are maintained within the folder/directory and have no bearing on the computed hash value of a given file.

    EnCase will compute a hash value of each file in the case and then compare these computed values to the values present in the library.

    Hash analysis allows the examiner to identify files that are known, either as innocuous files that can be ignored or as files that are evidentiary in content.

    Hash sets contain only the computed hash values of the files, not the file content. A file cannot be created from the computed hash value.

    ASCII and Binary

    The ASCII table is a 7-bit table, and the acronym stands for the American Standard Code for Information Interchange.

    The resultant 128 values represent alpha/numeric values, commonpunctuation, and other values.

    Hexadecimal notation employs two characters to represent one byte.

    A single byte (8 bits) can represent one of 256 possible values; a nibble (4bits) can represent one of 16 possible values.

    The LE indicator within EnCase indicates the number of bytes that have been selected/swept/highlighted.

    Nibble = 4 bits

    Byte = 8 bits

    Word = 2 bytes = 16 Bits

    Dword = 4 bytes = 32 Bits


    File Systems

    FAT file systems (FAT12, 16, 32) group one or more sectors, in powers of 2, into clusters.

    The number of clusters that the file system can manage is determined by the available bits employed by the FAT.

    FAT16 (2^16) allows 65,536 clusters.

    FAT32 (2^28) allows 268,435,456 clusters (its FAT entries are 32 bits wide, but only 28 bits are used for the cluster number).

    The FAT maintains information regarding the status of every cluster on the volume: available (0), in use (the entry holds the number of the next cluster in the file's chain), containing the end of a file (EOF), and containing one or more defective sectors (BAD).

    The FAT also tracks file fragmentation.

    Directory entries maintain the file name, logical file size, and starting cluster.

    The FAT is read to begin locating the file's data.

    Each FAT volume maintains two copies of the FAT: FAT1 and FAT2.

    Each sector contains 512 data bytes, and this size is consistent across different media types (ZIP disks, floppies, HDDs, etc.). Newer Advanced Format drives use 4,096-byte physical sectors, although most still present 512-byte logical sectors to the operating system.

    Logical file size is the actual number of bytes that the file contains.

    Physical file size is the amount of actual media space allocated to the file.

    Only one file can occupy a cluster at one time; no two files can occupy the same cluster.

    Slack

    Displayed in EnCase as red text. It is the data from the end of the logical file to the end of the physical file.

    EnCase also displays FAT directory entries in red text because neither slack nor FAT directories have any logical file size.


    Deleted Files

    Two actions occur when a file is deleted from a FAT system: the first character of the directory entry(s) pertaining to the file is/are changed to E5h, and the values within the FAT that pertain to this file are reset to 0 (available).

    Deleting a file has no effect on the actual data in FAT or NTFS.

    EnCase reads the directory entry for a deleted file and will obtain the starting extent. It then will determine the number of clusters the file requires by dividing the logical file size by the bytes per cluster and rounding up.

    EnCase reads the FAT to determine if the indicated starting extent (cluster) is in use by any other file.

    If the indicated starting extent (cluster) is in use by another file, EnCase deems this file to be overwritten. Because the FAT entries were zeroed on deletion, the chain of a fragmented deleted file can no longer be followed; recovery assumes the clusters were contiguous from the starting extent.
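    The File Systems, Slack and Deleted Files points above, worked through on a toy FAT volume. This is an added example, not code from the study guide or from EnCase: the TinyFat class and its layout (one FAT copy, a flat directory, first-free allocation, no boot sector) are simplifications for illustration and not a real FAT image. It also shows the Hash Analysis point that a file's hash covers logical content only, not slack.

```python
"""Added example: a toy FAT16-style volume showing cluster chains, logical vs
physical size, slack, the two changes made on delete, and the start-cluster
check used to decide whether a deleted file is recoverable."""
import hashlib
import math

SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER       # 2048 bytes
FREE, EOF, BAD = 0x0000, 0xFFFF, 0xFFF7     # FAT16 entry values
FIRST_DATA_CLUSTER = 2                      # FAT entries 0 and 1 are reserved


def md5hex(data):
    return hashlib.md5(data).hexdigest()


class TinyFat:
    def __init__(self, clusters=16):
        self.fat = [0xFFF8, EOF] + [FREE] * clusters   # index = cluster number
        self.data = bytearray(CLUSTER * clusters)      # cluster n lives at (n-2)*CLUSTER
        self.dir = {}   # name -> {"raw_name", "size", "start", "deleted"}

    def _span(self, cluster):
        lo = (cluster - FIRST_DATA_CLUSTER) * CLUSTER
        return lo, lo + CLUSTER

    def chain(self, start):
        """Follow the FAT from `start`; FREE (0), EOF, BAD or an out-of-range
        value ends the chain. Bounded so a damaged FAT cannot loop forever."""
        out, c = [], start
        for _ in range(len(self.fat)):
            if not FIRST_DATA_CLUSTER <= c < len(self.fat):
                break
            out.append(c)
            c = self.fat[c]
        return out

    def write(self, name, content):
        needed = math.ceil(len(content) / CLUSTER)
        if needed == 0:
            raise ValueError("zero-length files own no cluster")
        free = [c for c in range(FIRST_DATA_CLUSTER, len(self.fat))
                if self.fat[c] == FREE][:needed]          # first-free allocation (simplified)
        if len(free) < needed:
            raise ValueError("volume full")
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < needed else EOF   # chain; last cluster = EOF
            lo, _ = self._span(c)
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[lo:lo + len(chunk)] = chunk      # bytes after the chunk are NOT cleared: slack
        self.dir[name] = {"raw_name": name.encode(), "size": len(content),
                          "start": free[0], "deleted": False}

    def read_logical(self, name):
        e = self.dir[name]
        raw = b"".join(bytes(self.data[slice(*self._span(c))]) for c in self.chain(e["start"]))
        return raw[:e["size"]]                         # logical size, not physical

    def physical_size(self, name):
        return len(self.chain(self.dir[name]["start"])) * CLUSTER

    def slack(self, name):
        """Bytes from the logical end of a live file to the end of its last cluster."""
        e = self.dir[name]
        clusters = self.chain(e["start"])
        lo, hi = self._span(clusters[-1])
        used = e["size"] - (len(clusters) - 1) * CLUSTER
        return bytes(self.data[lo + used:hi])

    def logical_hash(self, name):
        return md5hex(self.read_logical(name))        # slack never enters the hash

    def delete(self, name):
        """The two FAT deletion actions: E5h on the name, FAT entries zeroed.
        The directory entry (start cluster, size) and the data stay put."""
        e = self.dir[name]
        for c in self.chain(e["start"]):
            self.fat[c] = FREE
        e["raw_name"] = b"\xE5" + e["raw_name"][1:]
        e["deleted"] = True

    def recover(self, name):
        """Start cluster and logical size come from the E5-marked entry; the
        file is 'overwritten' if the start cluster is in use, otherwise the
        needed clusters are read contiguously from the start."""
        e = self.dir[name]
        needed = math.ceil(e["size"] / CLUSTER)
        if self.fat[e["start"]] != FREE:
            return {"status": "overwritten", "clusters_needed": needed, "content": b""}
        lo = self._span(e["start"])[0]
        return {"status": "recoverable", "clusters_needed": needed,
                "content": bytes(self.data[lo:lo + e["size"]])}


if __name__ == "__main__":
    v = TinyFat()
    v.write("a.txt", b"A" * 3000)            # 2 clusters, 1096 bytes of slack
    v.delete("a.txt")
    print(v.recover("a.txt")["status"])      # recoverable: start cluster still free
    v.write("c.txt", b"C" * 100)             # reuses cluster 2
    print(v.slack("c.txt")[:8])              # old 'A' bytes visible as c.txt's slack
    print(v.recover("a.txt")["status"])      # overwritten
```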

    Computer Hardware and Systems

    BIOS: Basic Input Output System

    The BIOS is responsible for the initial checking of the system components and initial configuration of the system once power is turned on.

    Examiners should access the BIOS and determine the boot sequence as well as the indicated date/time.

    Depending on the settings, the computer system may or may not attempt to boot from a diskette drive.

    The BIOS is typically contained within a chip located on the system motherboard, which is the main circuit board within a computer system.

    Add-in cards: video controller, SCSI controller, NIC, etc.

    SCSI host adapters manage SCSI devices and make them accessible to the OS.

    RAM (Random Access Memory) stores data temporarily and is accessible immediately to the OS.


    ROM: Read Only Memory

    CPU: the actual processor chip, not the whole computer.

    POST (Power On Self Test): first activity following the application of power to the computer system.

    The POST activity includes the testing of identified attached devices on the system bus, including the HDD(s), diskette drives, installed memory, etc.

    Drive letters are assigned by the OS during the boot process, but are not recorded to the media involved.

    Bootable media must maintain a bootable partition/volume, which in the case of HDDs must be set as active.

    HDDs

    IDE drives are set to Master, Slave, or Cable Select through jumper pinning on the physical drive.

    SCSI drives do not maintain Master/Slave settings; rather they are assigned ID numbers, again usually through jumper settings.

    When employing CHS geometry, the formula for determining the HDD capacity is C x H x S x 512.

    The first sector on every HDD contains the Master Boot Record, and the partition table for the drive is located within this sector for Windows and Linux at byte offsets 446-509 (0x1BE-0x1FD); the sector ends with the 55 AA boot signature at bytes 510-511.

    The partition table within the MBR can maintain 4 entries, each 16 bytes in length.

    Each defined partition on a physical HDD will contain a Volume Boot Record as the first sector within the partition.

    Selecting the Volume Boot sector, right-clicking, and choosing Add Partition can recover deleted partitions.


    First Response

    Systems will either be on or off; if they are on, they must be shut down. Review recommendations regarding the different file systems and shut-down options.

    Preview options: FastBloc, network cable

    Boot disks must have the OS system files, and these system files must be altered to prevent access to the fixed disk drive(s).

    EnCase will create the forensic boot disk, make the proper alterations to IO.SYS and COMMAND.COM, and delete DRVSPACE.BIN.

    This must be done to prevent writes to any attached HDDs and to prevent the mounting of a compressed volume file.

    A forensically sound bootable CD that includes the LinEn utility may be used.

    Procedures

    o Photograph, external inspection, label connections, internal inspection, disconnect power/data cables from HDD(s), boot with the EnCase boot disk or a forensically sound CD with the LinEn utility, and access the BIOS: note boot sequence and date/time. Allow the boot to continue to confirm drive and diskette function. Power down, attach target and destination (lab) HDDs, and reboot with the boot disk.

    o Using an EnCase boot disk will start the computer to the DOS OS. Logical partitions under NT, Linux (EXT2/3), UNIX, and Mac HFS will not be seen, as DOS does not understand those file systems. Obtain a physical disk evidence file, and EnCase will resolve the file structure once the E01 file is added to the case.


    Restoring E01 Files

    Evidence files can be restored to media of equal or greater size.

    The hash value of a properly restored evidence file will match the value maintained within the evidence file, which is the value computed against the original source media. When the target is larger than the source, the comparison must cover only the sectors written from the evidence file, not the whole target.

    Restoring evidence files of physical media must be made to a physical drive, logical evidence files to a defined logical partition.

    Logical restores must be made to a created partition equal to or larger than the evidence file partition, and must be of the same file system (FAT16/32).

    Restored drives are validated by the MD5 value.

    OS Artifacts

    Review Recycle Bin functions: a deleted file is renamed D<drive letter><index>.<original extension> inside the bin (DC0.TXT, DC1.JPG, etc.).

    On Windows XP/2003 and below, the date/time deleted stems from the INFO record within the Recycle Bin (the INFO2 file on Windows 2000/XP/2003, which also holds the original path of each deleted file). Windows Vista and later use per-file $I records instead.

    FAT directory entries in DOS/Windows are 32 bytes in length.

    Review directory structure parent/child relationships.

    Review Windows 2000/XP artifact locations under each user's profile (C:\Documents and Settings\<user>): Recent, Desktop, SendTo, and Local Settings\Temporary Internet Files.

    Review LNK files: they can link a diskette to the computer that wrote to it; they embed date/time as well as the full path and file name of the target file.

    Review EMF, SPL, and SHD files (print spooler artifacts): definition and content.

    BASE64 encoding is common to email attachments.

    Windows 2000 and XP have user personal folders stored under C:\Documents and Settings.


    Legal

    Every printed document from a computer is considered an original.

    Any printout or other output readable by sight shown to accurately reflectthe data stored in a computer system is considered an original.

    Compression of the evidence file has no bearing on the validity or admissibility of the data. Courts have ruled that the manner in which data is maintained while in storage is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output readable by sight.

    The EnCase evidence file may be considered the best evidence, depending on the events and circumstances of the case.

    Daubert: legal test employed by US courts to determine if a scientific or technical process is acceptable.

    o Has the process been tested and subjected to peer review?

    o Does the process/application maintain general acceptance within the related community?

    o Can the findings be duplicated/repeated?


    2011 Guidance Software, Inc. All Rights Reserved.

    EnCase Certified Examiner

    Preparation Training

    [email protected]


    EnCE Preparation Training

    Examining computer-based evidence with EnCase software

    (EnCase)

    Computer Knowledge

    Good Forensic Practices

    Legal



    Examining computer-based evidence

    The EnCase Evidence File

    EnCase Concepts

    The EnCase Environment

    Searching

    File Signature and Hash Analysis


    The EnCase Evidence File

    Bit stream image of evidence written to a file

    Header: case information

    CRCs (Cyclical Redundancy Check)

    Data Blocks



    The EnCase Evidence File

    Header: Case Information

    Header is always compressed and is verified through the use of the compression algorithm used

    Cannot be changed after the evidence file is created

    Contains:

    Case number

    Examiner name

    Evidence number

    Unique description

    Date/time of computer system clock

    Acquisition notes

    Serial number of physical hard drive


    The EnCase Evidence File

    Cyclical Redundancy Check

    32-bit CRC for (by default) 64 sectors (32 KB) of data, if no compression is used

    Calculated when the evidence file is added to the case and rechecked every time the data block is accessed

    Message Digest 5 Hash

    128-bit hash (a message digest, not a cryptographic signature in the strict sense) of all data in the evidence file

    Optional



    The EnCase Evidence File

    Logical file that can be renamed and moved

    Can be broken into multiple segments, with a maximum segment size dependent on the file system to which the evidence file is written

    Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value

    Can be password protected and can be reacquired to remove or change the password

    Individual segments can be verified by the CRCs when compression is

    not used. If compression is used the decompression algorithm is used

    Page 7

    The EnCase Evidence File

    Block size can be adjusted to range from 64 to 32768 sectors.
    Error granularity is often used to adjust the writing of data to an evidence file when a read error of the subject media occurs.
    Quick reacquisition is used on an existing evidence file to quickly change the file segment size, add or remove the password, and/or change the applied name of the evidence file.

    Page 8

    The EnCase Evidence File

    Evidence File Verification
        Data in the entire evidence file is verified by comparing the Verification hash to the Acquisition hash value of the original evidence.
        Data in each data block is verified by a CRC when no compression is used.
        Both the MD5 hash and the CRCs must match for the evidence file to be verified.
        If any compression is used, the compression algorithm is used to verify the data blocks.
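    The two-layer check described above (a CRC per 64-sector block plus one MD5 over all data), as an added example that is not Guidance Software's code and does not reproduce the real evidence file layout: it models the uncompressed case only, using a plain dict as the "evidence file", and shows how a single altered byte is pinpointed to a block by the CRC and also fails the MD5 comparison.

```python
import binascii
import hashlib
import os

SECTOR = 512
BLOCK_SECTORS = 64                 # EnCase default: one CRC per 64 sectors (32 KB)
BLOCK = SECTOR * BLOCK_SECTORS


def acquire(device: bytes) -> dict:
    """Model the acquisition step: one CRC32 per data block and one MD5 over
    all data. Returns a constructed in-memory 'evidence file' (a dict), not
    the real EnCase file format."""
    blocks = [device[i:i + BLOCK] for i in range(0, len(device), BLOCK)]
    return {
        "blocks": blocks,
        "crcs": [binascii.crc32(b) & 0xFFFFFFFF for b in blocks],
        "acquisition_md5": hashlib.md5(device).hexdigest(),
    }


def verify(evidence: dict) -> dict:
    """Model verification: every block CRC must match and the verification
    hash must equal the acquisition hash, otherwise the file is not verified."""
    bad_blocks = [i for i, (b, crc) in enumerate(zip(evidence["blocks"], evidence["crcs"]))
                  if (binascii.crc32(b) & 0xFFFFFFFF) != crc]
    verification_md5 = hashlib.md5(b"".join(evidence["blocks"])).hexdigest()
    hash_match = verification_md5 == evidence["acquisition_md5"]
    return {
        "bad_blocks": bad_blocks,
        "verification_md5": verification_md5,
        "hash_match": hash_match,
        "verified": not bad_blocks and hash_match,
    }


def tamper(evidence: dict, block_index: int, offset: int, new_byte: int) -> dict:
    """Change one byte inside one block (a damaged or altered segment) and
    return a new evidence dict; stored CRCs and acquisition hash are kept as-is."""
    blocks = list(evidence["blocks"])
    b = bytearray(blocks[block_index])
    b[offset] = new_byte
    blocks[block_index] = bytes(b)
    return {**evidence, "blocks": blocks}


if __name__ == "__main__":
    # Constructed sample media: three full blocks plus a partial last block.
    device = os.urandom(3 * BLOCK + 1000)
    ev = acquire(device)
    print("clean:", verify(ev)["verified"])
    bad = tamper(ev, 1, 17, (ev["blocks"][1][17] + 1) % 256)
    print("tampered, bad blocks:", verify(bad)["bad_blocks"])
```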

    Page 9

    EnCase Concepts

    The Case File (.case)

    Text file containing:
        Pointers to the evidence file locations on the forensic workstation
        Results of searches and analysis (file signature and hash)
        Bookmarks
        Investigator's notes
    A case file can contain any number of hard drives or removable media.
    A backup file (.cbak) is updated by default every 10 minutes.
    Save the case file regularly during an examination.
    The case file should be archived with the evidence files, as it contains all of the investigator's notes.

    Page 10

    EnCase Concepts

    The Configuration .ini Files

    Contain global options used for all cases.
    Some configuration .ini files:
        FileSignatures.ini: File Signature Table
        FileTypes.ini: organizes files into groups by extension; determines which viewer to use
        Keywords.ini: global keywords list
        Filters.ini: available filters
        Viewers.ini: installed external viewers

    Page 11

    The EnCase Environment

    The EnCase Methodology: Case Management

    Separate folders for each case are recommended; use unique directory names.
    Use large-capacity, high-RPM (revolutions per minute) hard drives with a single partition for evidence files.
    Wipe the drive to eliminate any claims or arguments of cross-contamination.
    Give the hard drive a unique label prior to acquisitions to differentiate your drives from the suspect's.
    Create default Evidence, Export, and Temp folders for each case.

    Page 12

    The EnCase Environment

    The EnCase Methodology

    Export Folder
        Create a separate Export folder for each case.
        The name and location of the Export folder can be changed at any time.
        Used by many EnScript programs for exporting files.
        Selected by EnCase as the starting folder when using Copy/Unerase.

    Temporary Folder
        Used to receive files sent to an external viewer.
        Redirects files away from the examiner's operating system drive.
        Files in the Temporary folder are deleted when EnCase is shut down properly.

    Page 13

    Searching

    EnCase for Windows

    Physical searching is conducted on logical files and the unallocated areas of the physical disk.
    A logical search will find a word fragmented between two noncontiguous clusters, whereas a physical search will miss the fragmented word.

    Page 14

    Searching

    Adding Keywords

    Case Sensitive
        Not set by default. Selecting it will limit hits to the exact case of the words entered. Can be used with GREP and Unicode.

    GREP
        The box must be selected for EnCase to use the GREP expression; otherwise EnCase will search for the literal characters entered. Can be used with Case Sensitive and Unicode.

    Unicode
        Selecting this box will enable EnCase to search for keywords in both ANSI and Unicode. Recommended to be selected for most searches. Can be used with GREP and Case Sensitive. Unicode uses two bytes for each character, allowing the representation of 65,536 characters.

    Page 15

    Searching

    Global Regular Expression and Print (GREP)

    .        A period matches any single character.
    \xFF     A character represented by its ASCII value in hex. \x09 is a tab; \x0A is a line feed. Both hex digits should be present even if they are 0.
    \wFFFF   A Unicode 16-bit character.
    ?        The question mark repeats the preceding character (or set) one or zero times.

    Page 16

    Searching

    GREP

    *        An asterisk after a character matches any number of occurrences of that character, including zero. For example, john,*smith would match john,smith, john,,smith, and johnsmith.
    +        A plus sign after a character matches any number of occurrences of that character except zero. For example, john,+smith would match john,smith or john,,smith, but would NOT match johnsmith.
    #        A pound / hash sign matches any numeric character [0-9]. For example, ###-#### matches any phone number in the form 327-4323.
    (ab)     The parentheses allow the examiner to group individual characters together as an AND statement.
    {m,4}    The curly braces state the number of times to repeat, i.e., m four times.
    |        The pipe is an OR statement and can be used with the parentheses, i.e., (com)|(net)|(org) for the end of an email address.

    Page 17

    Searching

    GREP

    []       Characters in brackets match any one character that appears in the brackets. For example, smit[hy] would match smith and smity.
    [^]      A circumflex at the start of the string in brackets means NOT. Hence [^hy] matches any character except h and y.
    [-]      A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e, inclusive.
    \        A backslash before a character indicates that the character is to be treated literally and not as a GREP character.
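    The GREP dialect of the last three slides and the Case Sensitive / GREP / Unicode keyword options, as one added example (not EnCase's own search engine): it translates the page's GREP tokens (#, \xFF, \wFFFF, the {m,4} repeat form as the page describes it, and the backslash escape) into a Python bytes regex, and for non-GREP keywords it searches both ANSI and UTF-16LE (the two-byte Unicode form the page describes); generating the Unicode form of a GREP pattern is left out.

```python
import re


def encase_grep_to_python(pattern: str) -> bytes:
    """Translate the EnCase GREP tokens listed on the slides into a Python
    bytes regex: . ? * + # (ab) {m,4} | [] [^] [-] \\c \\xFF \\wFFFF."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "x" and re.fullmatch(r"[0-9A-Fa-f]{2}", pattern[i + 2:i + 4]):
                out.append(r"\x" + pattern[i + 2:i + 4])          # \xFF: byte by hex value
                i += 4
            elif nxt == "w" and re.fullmatch(r"[0-9A-Fa-f]{4}", pattern[i + 2:i + 6]):
                code = int(pattern[i + 2:i + 6], 16)              # \wFFFF: 16-bit code unit
                out.append("".join(r"\x%02x" % b for b in code.to_bytes(2, "little")))
                i += 6
            else:                                                 # \c: literal character
                out.append(re.escape(nxt))
                i += 2
        elif c == "#":                                            # any digit
            out.append("[0-9]")
            i += 1
        elif c == "{":                                            # {m,4}: m four times
            close = pattern.index("}", i)
            body, _, count = pattern[i + 1:close].rpartition(",")
            out.append("(?:" + encase_grep_to_python(body).decode() + "){" + count + "}")
            i = close + 1
        elif c == "[":                                            # [..], [^..], [a-e]
            close = pattern.index("]", i + 1)
            out.append(pattern[i:close + 1])
            i = close + 1
        else:                                                     # . ? * + ( ) | or literal
            out.append(c if c in ".?*+()|" else re.escape(c))
            i += 1
    return "".join(out).encode("latin-1")


def search(data: bytes, keyword: str, grep=False, case_sensitive=False, unicode=True):
    """Return (offset, matched bytes, label) for every hit. GREP off means a
    literal search; Unicode on adds a UTF-16LE form of a literal keyword;
    Case Sensitive off (the default) makes the search case-insensitive."""
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    if grep:
        patterns = [(encase_grep_to_python(keyword), "grep")]
    else:
        patterns = [(re.escape(keyword.encode("latin-1")), "ansi")]
        if unicode:
            patterns.append((re.escape(keyword.encode("utf-16-le")), "unicode"))
    hits = []
    for pat, label in patterns:
        hits.extend((m.start(), m.group(), label) for m in re.finditer(pat, data, flags))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample data: ANSI text followed by a UTF-16LE "John".
    sample = b"Call 327-4323 or john,,smith at x@site.org\x00J\x00o\x00h\x00n\x00"
    for kw in ("###-####", "john,+smith", "smit[hy]", "(com)|(net)|(org)"):
        print(kw, "->", [h[1] for h in search(sample, kw, grep=True)])
    print("john ->", [(h[0], h[2]) for h in search(sample, "john")])
```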

    Page 18

    File Signature and Hash Analysis

    File Signature Table

    Stored in the EnCase configuration file FileSignatures.ini.
    File signatures can be added manually.
    The terms file signature and file header mean the same thing: the standard hex characters at the beginning of a certain file type.

    Page 19

    File Signature and Hash Analysis

    File Signature Table Viewers

    EnCase uses the Viewers.ini file to store external viewer information and the FileTypes.ini file to associate file extensions with external viewers.
    When the examiner double-clicks on a file, EnCase will copy the file to the Temporary folder and launch the Windows-associated viewer or user-defined external viewer to read the file.
    The examiner can also right-click on a file and use the Send To feature to send the file to an external viewer.

    Page 20

    File Signature and Hash Analysis

    File Signature Analysis: Signature Table Analysis Explained

    Signature / Header   Extension    Comparison   Results Displayed
    LISTED               LISTED       CORRECT      MATCH
    NOT LISTED           NOT LISTED   N/A          UNKNOWN
    NOT LISTED           LISTED       INCORRECT    ! BAD SIGNATURE
    LISTED               LISTED       INCORRECT    * FILE ALIAS

    Page 21

    File Signature and Hash Analysis

    Hash Sets and Hash Library

    Hash sets can be built with one file or any number of selected files. The sets contain the hash values of the file(s) in the set.
    The hash value of a file is computed only from the logical file, independent of the file name, time/date stamps, and the slack space of the physical file.
    The Hash Library is built from selected hash sets. The examiner can exclude specific hash sets to remain within the scope of the examination.

    Page 22

    File Signature and Hash Analysis

    Signature and Hash Analysis

    File extensions are compared to the file signature (header) according to the File Signature Table.
    The hash value of each logical file is computed and compared with the Hash Library composed of the selected hash sets.
    Both analyses can be used to help identify suspect files and/or exclude known or benign files. The results of both analyses are viewed in the Table view.
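    The signature-table outcomes (Match, Unknown, Bad signature, Alias), the logical-file-only hash, and a hash library built from selected hash sets, as one added example that is not EnCase's code: the signature table here is a constructed four-entry stand-in for FileSignatures.ini, and the one combination the slide's table does not list (a listed header under an unlisted extension) is reported as a bad signature, which is this example's assumption.

```python
import hashlib

# Constructed stand-in for the File Signature Table: header bytes -> the
# extensions that header is listed under. Not EnCase's real FileSignatures.ini.
SIGNATURE_TABLE = {
    b"\xFF\xD8\xFF": {"jpg", "jpeg"},
    b"GIF8": {"gif"},
    b"%PDF": {"pdf"},
    b"\xD0\xCF\x11\xE0": {"doc", "xls"},
}
LISTED_EXTENSIONS = set().union(*SIGNATURE_TABLE.values())


def signature_result(name: str, data: bytes) -> str:
    """Apply the slide's signature/extension comparison table. A listed header
    under an unlisted extension is not on that table; reporting it as a bad
    signature is this example's assumption."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    ext_listed = ext in LISTED_EXTENSIONS
    header = next((h for h in SIGNATURE_TABLE if data.startswith(h)), None)
    if header is None:
        return "! Bad signature" if ext_listed else "Unknown"
    if ext in SIGNATURE_TABLE[header]:
        return "Match"                              # listed, listed, correct
    return "* File alias" if ext_listed else "! Bad signature"


def logical_md5(physical: bytes, logical_size: int) -> str:
    """Hash only the logical file: bytes past logical_size (slack) are ignored,
    and the name and date stamps never enter the hash at all."""
    return hashlib.md5(physical[:logical_size]).hexdigest()


def build_hash_library(hash_sets: dict, exclude=()) -> dict:
    """Hash Library = the selected hash sets merged (md5 -> set name);
    excluded sets are left out to stay within the scope of the examination."""
    library = {}
    for set_name, digests in hash_sets.items():
        if set_name in exclude:
            continue
        for digest in digests:
            library.setdefault(digest, set_name)
    return library


def analyze(files, hash_sets, exclude=()):
    """files: (name, physical bytes, logical size). One row per file with the
    signature result and the hash set the logical hash matched, if any."""
    library = build_hash_library(hash_sets, exclude)
    rows = []
    for name, physical, logical_size in files:
        digest = logical_md5(physical, logical_size)
        rows.append({
            "name": name,
            "signature": signature_result(name, physical),
            "md5": digest,
            "hash_set": library.get(digest),
        })
    return rows


if __name__ == "__main__":
    # Constructed sample files; trailing 0x00 bytes stand in for slack space.
    jpeg = b"\xFF\xD8\xFF\xE0constructed jpeg body"
    sample = [
        ("holiday.jpg", jpeg + b"\x00" * 64, len(jpeg)),
        ("report.doc", jpeg, len(jpeg)),            # JPEG header under a listed extension
        ("photo.gif", b"not really a gif", 16),     # listed extension, unknown header
        ("notes.txt", b"plain text", 10),           # neither header nor extension listed
    ]
    sets = {"case_images": {logical_md5(jpeg, len(jpeg))}, "known_text": set()}
    for row in analyze(sample, sets, exclude=("known_text",)):
        print(row)
```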

    Page 23

    Computer Knowledge

    Understanding Data and Binary
    The BIOS
    Computer Boot Sequence
    File Systems
    Computer Hardware Concepts

    Page 24

    Understanding Data and Binary

    Bits and Bytes

    Bits   Name     Binary
    1      Bit      1
    4      Nibble   0000
    8      Byte     0000-0000
    16     Word     0000-0000 0000-0000
    32     Dword    0000-0000 0000-0000 0000-0000 0000-0000
    64     Qword    You get the idea

    Page 25

    Understanding Data and Binary

    ASCII and Unicode

    The ASCII table (American Standard Code for Information Interchange) is based on a 7-bit system. The first 128 characters make up the ASCII table. The remaining 128 characters are called high-bit characters and represent alphanumeric values, common punctuation, and other values. Together, 256 characters can be addressed.
    Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode. Unicode uses two bytes for each character, allowing the representation of 65,536 characters.

    Decimal   Hexadecimal   Character   Binary Code
    0         00            NUL         0000-0000
    1         01            SOH         0000-0001
    2         02            STX         0000-0010

    Page 26

    The BIOS

    Basic Input/Output System

    The BIOS checks and configures the computer system after power is turned on.
    The BIOS chip is usually found on the motherboard.
    The BIOS should be checked during each examination of a computer to check the boot sequence and the settings of the internal clock.

    Page 27

    Computer Boot Sequence

    Flowchart (recovered as text): Power Button -> BIOS -> POST -> BIOS from add-in cards -> Load RAM with BIOS data -> Boot sequence?

    The BIOS immediately runs POST and then prepares the system for the first program to run.
    POST (Power On Self Test) checks the system board, memory (RAM), keyboard, floppy disk, hard disk, etc., for presence and reliability.
    Add-in cards such as SCSI drive controller cards can have a BIOS on the card that loads at this time. These BIOS normally detect devices and load information into the BIOS data area in RAM.
    A special RAM BIOS data area of 256 bytes contains the results of the system check, identifying the location of attached devices.

    Page 28

    Computer Boot Sequence

    Flowchart (recovered as text):
        Boot sequence? A:, C:, other devices
        Present? No: may display an error or shift to boot another device
        Present? Yes: Boot record? No: may display an error or shift to boot another device
        Boot record? Yes: Io.sys, Msdos.sys, Config.sys, Command.com, Autoexec.bat
        Hard disk path: Master Boot Record -> go to boot partition -> Boot Record -> Io.sys -> Msdos.sys -> Config.sys -> Command.com -> Autoexec.bat
        Optional

    Page 29

    File Systems

    File Allocation Table

    The FAT tracks:
        File fragmentation
        All of the addressable clusters in the partition
        Clusters marked bad

    Directory records:
        File name
        Date/time stamps (Created, Accessed, Written)
        Starting cluster
        File logical size

    A directory (or folder) is a file with a unique header and a logical size of zero.

    Page 30

    File Systems

    Directory Entry (figure, recovered as text: directory entries, the File Allocation Table, and clusters / allocation units)

    Name                  Cluster   Length   Accessed   Written   Created
    .
    ..
    MyNote.TXT            1000      952      8/25/00    8/22/00   8/22/00
    Picture1.GIF          1002      890      8/25/00    6/15/98   6/15/98
    Picture2.JPG          1004      5000     8/25/00    7/12/99   7/12/99
    Job Search.DOC        24888     11000    8/25/00    8/25/00   8/1/00
    Report.DOC            79415     34212    8/25/00    7/31/00   6/20/00
    Personal Letter.DOC   88212     10212    8/25/00    8/25/00   8/25/00

    Page 31

    File Systems

    Directory Entry

    Name                  Cluster   Length
    MyNote.TXT            1000      952
    Picture1.GIF          1002      890
    Picture2.JPG          1004      5000
    Job Search.DOC        24888     11000
    Report.DOC            79415     34212
    Personal Letter.DOC   88212     10212

    Page 32

    File Systems

    File Allocation Table (figure, recovered as text)

    Cluster   FAT entry
    1000      EOF
    1001      0
    1002      EOF
    1003      0
    1004      1005
    1005      EOF

    Page 33

    FAT

    When a file is deleted from a FAT system:
        The 1st character of the directory entry is changed to E5h
        FAT entry values change from allocated to unallocated (0)
        No effect on the data within the clusters

    When EnCase virtually undeletes a file:
        The directory entry is read
        Obtains the starting extent and logical size
        Obtains the number of clusters by dividing the logical size by bytes per cluster
        The FAT is examined to determine if the starting cluster/extent is in use
        If the starting extent is in use, EnCase deems this file to be Deleted/Overwritten
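    The FAT chain, delete and virtual-undelete logic above, together with the earlier point that a physical search misses a word fragmented across noncontiguous clusters, as one added example that is not EnCase's code: a constructed in-memory volume with 16-byte clusters (real clusters are multiples of 512 bytes), where the recovery step's assumption that a deleted file's clusters were contiguous is this example's own and is what makes a fragmented file come back with foreign data.

```python
import math
import re

BYTES_PER_CLUSTER = 16     # constructed toy geometry; real clusters are multiples of 512 bytes
EOF, FREE = "EOF", 0       # FAT markers: end of chain, unallocated cluster
DELETED = "\xe5"           # first character of a deleted directory entry (E5h)


class ToyFatVolume:
    """Constructed in-memory FAT volume (FAT list, directory, raw clusters).
    Illustrates the slide's logic only; not a real FAT12/16/32 on-disk layout."""

    def __init__(self, n_clusters):
        self.fat = [FREE] * n_clusters
        self.data = bytearray(n_clusters * BYTES_PER_CLUSTER)
        self.dir = {}                      # name -> (starting cluster, logical size)

    def write(self, name, content, clusters):
        """Store content across the given clusters and chain them in the FAT."""
        assert len(clusters) == math.ceil(len(content) / BYTES_PER_CLUSTER)
        for i, c in enumerate(clusters):
            chunk = content[i * BYTES_PER_CLUSTER:(i + 1) * BYTES_PER_CLUSTER]
            self.data[c * BYTES_PER_CLUSTER:c * BYTES_PER_CLUSTER + len(chunk)] = chunk
            self.fat[c] = clusters[i + 1] if i + 1 < len(clusters) else EOF
        self.dir[name] = (clusters[0], len(content))

    def chain(self, start):
        """Follow FAT pointers from the starting cluster until EOF or a free entry."""
        out, c = [], start
        while c not in (EOF, FREE) and c not in out:
            out.append(c)
            c = self.fat[c]
        return out

    def cluster_bytes(self, c):
        return bytes(self.data[c * BYTES_PER_CLUSTER:(c + 1) * BYTES_PER_CLUSTER])

    def logical_bytes(self, name):
        start, size = self.dir[name]
        return b"".join(self.cluster_bytes(c) for c in self.chain(start))[:size]

    def physical_search(self, keyword):
        """Raw search over the whole volume: a word split across noncontiguous
        clusters is missed because other clusters sit between its halves."""
        return [m.start() for m in re.finditer(re.escape(keyword), bytes(self.data))]

    def logical_search(self, keyword):
        """Search each allocated file's reassembled logical bytes instead."""
        return [n for n in self.dir
                if not n.startswith(DELETED) and keyword in self.logical_bytes(n)]

    def delete(self, name):
        """What a FAT delete does: first character -> E5h, chain entries -> 0,
        the data in the clusters is left untouched."""
        start, size = self.dir.pop(name)
        for c in self.chain(start):
            self.fat[c] = FREE
        self.dir[DELETED + name[1:]] = (start, size)

    def virtual_undelete(self, name):
        """The slide's logic: read the entry, derive the cluster count from the
        logical size, and check whether the starting extent is in use again."""
        start, size = self.dir[name]
        n_clusters = math.ceil(size / BYTES_PER_CLUSTER)
        if self.fat[start] != FREE:
            return "Deleted/Overwritten", b""
        # The chain is gone, so this toy assumes the clusters were contiguous
        # from the start cluster; a fragmented file comes back with foreign data.
        recovered = b"".join(self.cluster_bytes(start + i) for i in range(n_clusters))
        return "Deleted", recovered[:size]


if __name__ == "__main__":
    # Constructed volume: notes.txt is fragmented across clusters 2 and 5.
    v = ToyFatVolume(8)
    v.write("notes.txt", b"case notes forensic imaging", [2, 5])
    v.write("other.txt", b"other file contents in between", [3, 4])
    print("physical:", v.physical_search(b"forensic"), "logical:", v.logical_search(b"forensic"))
    v.delete("notes.txt")
    print(v.virtual_undelete(DELETED + "otes.txt"))
    v.write("new.txt", b"new data", [2])
    print(v.virtual_undelete(DELETED + "otes.txt"))
```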

    Page 34

    File Systems

    File Allocation Table

    FAT 16: 2^16 = 65,536 total allocation units available (clusters)
    FAT 32: 2^28 = 268,435,456 total allocation units; 4 bits are reserved by Microsoft
    Two copies of the FAT are stored for backup purposes.
    A cluster is composed of multiple sectors. A sector contains 512 user-addressable data bytes.

    Page 35

    NTFS

    The Master File Table (MFT) administratively documents all files/folders on an NTFS volume.
    The MFT is comprised of records of 1024 bytes each.
    The MFT grows but doesn't shrink.
    At least one MFT record is allocated to each file and folder on the volume.
    The Bitmap file documents whether clusters are allocated or unallocated.
    Two types of files: Resident and Nonresident.

    Page 36

    NTFS

    Resident files
        Data resides within the MFT record for the file
        Data does not begin at the beginning of a sector/cluster
        Logical size = physical size

    Nonresident files
        Data is not within the MFT record
        The MFT record houses pointers to the clusters storing the file
        Pointers are in the form of a data run

    Both types of files may be hashed as long as the logical size is greater than 0.

    Page 37

    File Systems

    Logical and Physical File Size (figure, recovered as text)

    My Pic.jpg: logical file of 3045 bytes; physical file of 1 cluster; the remainder of the cluster is file slack.

    Page 38

    Slack Space

    File slack is comprised of drive slack and RAM slack.

    Drive Slack
        Data that is contained in the remaining sectors of a logical file that are not a part of the current logical file. A logical file of 10 bytes stored in a 4-sector cluster will have 3 sectors of drive slack.

    RAM Slack
        Data from the end of the logical file to the end of that sector. The 10-byte file from above will have 502 bytes of RAM slack in the same sector that contains the logical data.

    Page 39

    Slack Space

    RAM slack is zeroed out prior to writing it to the drive in Windows 95B and newer.
    In Windows 95A and older, RAM slack will contain actual data from RAM, and it will be stored on the drive with the file.

    Page 40

    Computer Hardware Concepts

    The computer chassis or case is often incorrectly referred to as the CPU.
    The CPU is the Central Processing Unit installed on the motherboard.
    Also installed on the motherboard are the Random Access Memory, the Read Only Memory, and add-in cards such as video cards, Network Interface Cards (NIC), and Small Computer System Interface (SCSI) cards.
    Integrated Drive Electronics (IDE) hard disk drives can be attached directly to the motherboard with a ribbon cable.
    SCSI hard disk drives require a controller card on the motherboard.

    Page 41

    Computer Hardware Concepts

    Geometry of hard drives
        Cylinder/Heads/Sectors (older drives): C x H x S x 512 bytes per sector = total bytes
        Logical Block Addressing: total number of sectors available x 512 bytes = total bytes
    Master Boot Record
    Volume Boot Record
    Partition Tables
    Partition Recovery

    Page 42

    Good Forensic Practice

    First Response
    Acquisition of Digital Evidence
    Operating System Artifacts

    Page 43

    First Response

    At the Scene
        Photograph, take notes, sketch
        Take down the system; whether to pull the plug or shut down depends on circumstances
            Shut down if UNIX/Linux or a server
            Pull the plug: it depends on circumstances

    Page 44

    First Response

    Forensic Boot Floppy/CD/Thumb Drive
        Appropriate applications
        Drivers for SCSI, NIC cards, etc.
        Modified files:
            command.com
            io.sys
            drvspace.bin (if not removed, will mount a compressed DriveSpace volume)

    Page 45

    First Response

    Onsite Triage
        FastBloc (fastest): Gallery view, hash/file signature analysis, logical and physical searches with GREP, copy/unerase, EnScript modules, etc.
        Network Cable Preview (fast): Gallery view, hash/file signature analysis, logical and physical searches with GREP, copy/unerase, EnScript programs, etc.

    Page 46

    Acquisition of Digital Evidence

    Computer Forensic Examiner
        Must be trained
        Must use the best forensic practices available
        Must avoid damaging or altering evidence
        Should test and validate computer forensic tools and techniques prior to using them on original evidence

    Page 47

    Acquisition of Digital Evidence

    File Systems Supported by EnCase
        FAT 12, 16, 32
        NTFS
        EXT2/3 (Linux)
        Reiser (Linux)
        UFS (Solaris)
        CDFS (Joliet, ISO9660, UDF)
        DVD
        Macintosh HFS/HFS+, Mac OS X (BSD)
        HP-UX
        Etc.
    NOTE: Only FAT partitions will be viewable if booted in a DOS environment.

    Page 48

    Acquisition of Digital Evidence

    File Systems Supported by EnCase
        If the file system is not supported by EnCase, the examiner can still conduct a physical text search, run EnScript programs for file headers and footers, etc.
        The examiner can also restore the physical drive to a drive of equal or larger size. The restored drive is verified by the MD5 hash.
        A volume may also be restored to a partition containing the same file system.
        The restored image is verified by the MD5 hash value.

    Page 49

    Acquisition of Digital Evidence

    Laboratory Procedures
        Cross contamination: wipe lab examination drives; use the EnCase case management methodology
        Chain-of-Custody: controlled access to the lab area; evidence locker or depository
        Storage: clean, temperature-controlled environment; portable electronic devices may lose battery power, erasing all data

    Page 50

    Operating System Artifacts

    Recycle Bin and Info2 file
    FAT/NTFS Directory Entries and Structure
    Windows Artifacts
        Recent
        Link Files
        Desktop
        Send To
        Temp
        Internet Explorer history, cache, favorites, cookies
        Enhanced MetaFiles; Print Spooler
        2000/XP: C:\Documents and Settings

    Page 51

    Operating System Artifacts

    Windows Artifacts (continued)
        Registry files: global and user-account specific
        Swap file
        Hibernation/Standby file
        Thumbs.DB
        Restore Point

    Page 52

    Legal Issues

    Best Evidence Rule
        A printout of data stored in a computer can be considered an original under the Federal Rules of Evidence if it is readable by sight and accurately reflects the stored data.
        Compression of acquired data does not affect admissibility under the Best Evidence Rule.
        If the original evidence must be returned to the owner, the forensic image could be considered the Best Evidence.

    Page 53

    Legal Issues

    Daubert/Frye
        Legal test to determine if a scientific or technical process
        Elements of Daubert:
            Has the process been tested and subject to peer review?
            Does the process enjoy general acceptance in the related community?
            Can the findings be duplicated or repeated?
        Commercially available software has a greater opportunity for peer review, testing, and validation.
