Book Three-Chapter 3- Forensic Investigations Using EnCase Flashcards
What is an EnCase evidence file, and what is it used for?
Evidence Files
An evidence file is the core component of EnCase. It is a proprietary file created by EnCase to compress and preserve bitstream images of acquired media. The EnCase evidence file is widely known throughout the law enforcement and computer security industries. Courts in the United States, including at the federal appellate level, and in the international community have accepted EnCase evidence files in both civil and criminal cases.
EnCase evidence files are used to preserve evidence and continue the examination without having to restore the image to separate media. The bitstream image in an EnCase evidence file can be mounted as a read-only file or virtual drive, from which EnCase reconstructs the file structure using the logical data in the bitstream image. This allows the investigator to search and examine the contents of the acquired drive within the EnCase Enterprise Examiner environment. The EnCase evidence file contains an exact copy of the data from the original media, including time stamps, deleted files, unallocated space, and file-system attributes. An investigator can easily transfer an EnCase evidence file to different types of media and archive it for future reference. If necessary, an investigator can also use the evidence file to restore the exact image to another hard drive. An evidence file consists of the following:
Header: The header contains the date and time of evidence acquisition, the examiner’s name, notes on the acquisition, an optional password, and its own cyclic redundancy check (CRC) checksum. CRC is a type of function that takes a quantity of data of any size and produces an output of a fixed length, usually a 32-bit integer that is generally used to verify the integrity of the original data. A checksum is a fixed-size integer resulting from the application of this algorithm. The header is always prefixed with Case Info.
Checksum: CRC checksums are one of the main parts of an EnCase evidence file. An evidence file saves a checksum for every block of 64 sectors (~32 KB) of evidence.
Data blocks: Data blocks contain an exact replica of the original evidence. EnCase saves a bitstream image of evidence.
Footer: The footer contains an MD5 hash for the entire bitstream image.
Describe the main parts of an evidence file.
Header: The header contains the date and time of evidence acquisition, the examiner’s name, notes on the acquisition, an optional password, and its own cyclic redundancy check (CRC) checksum. CRC is a type of function that takes a quantity of data of any size and produces an output of a fixed length, usually a 32-bit integer that is generally used to verify the integrity of the original data. A checksum is a fixed-size integer resulting from the application of this algorithm. The header is always prefixed with Case Info.
Checksum: CRC checksums are one of the main parts of an EnCase evidence file. An evidence file saves a checksum for every block of 64 sectors (~32 KB) of evidence.
Data blocks: Data blocks contain an exact replica of the original evidence. EnCase saves a bitstream image of evidence.
Footer: The footer contains an MD5 hash for the entire bitstream image.
Verifying Evidence Files
After burning the discs, an investigator can run Verify Evidence Files from the Tools menu on each disc to verify that the burn was thorough and that the evidence file segment is intact.
Evidence File Format
Each evidence file is an exact sector-by-sector copy of a floppy or hard disk. Every byte of the file is verified using a 32-bit CRC, and it is virtually impossible to tamper with the evidence once it has been acquired.
EnCase uses ASR Data’s Expert Witness Compression Format for storing images of evidence; this format can reduce file sizes by up to 50 percent.
EnCase can store media data in multiple evidence files called segment files. Each segment file consists of multiple sections. Each section consists of a section start definition. This definition contains a section type.
From version 4 onward, EnCase has had two header sections, header and header2. The header section is defined once, and the header2 section is defined twice within the file; both copies of header2 contain the same information.
Verifying File Integrity
Whenever an investigator adds an evidence file to a case, he or she can use EnCase to verify the integrity of the file.
Hashing
Hashing is a well-defined mathematical function that converts a large, variable-sized amount of data into a small fixed-length integer that may serve as an index into an array, as a method of obscuring and protecting passwords being transferred over a network, or as a way to verify the integrity of stored data. EnCase calculates an MD5 hash when it acquires a physical drive or logical drive.
Describe the steps involved in acquiring an image of a storage device:
Acquiring an Image
An investigator can acquire an image by performing the following steps:
- Click File and then Add Device to acquire the image. The investigator can alternately click the Add Device button on the toolbar.
- Select the device type. If the device is a USB drive, it should not be connected to the forensic computer prior to the boot process.
What does the Device tab show?
Device Tab
The Device report shows information about the currently selected device. The information displayed includes the following:
- Evidence number
- File path
- Examiner name
- Actual date
- Target date
- Total size
- Total sectors
- File integrity
- EnCase version
- System version
- Acquisition hash
- Verify hash
- Notes
What is the purpose of an EnCase boot disk?
An investigator can use an EnCase boot disk to create a bitstream image of a device.
An investigator can create a boot disk directly in EnCase. The investigator can use this boot disk to boot up in MS-DOS mode. By using this disk, he or she can create bitstream images. Figure 3-30 shows EnCase creating a boot disk.
What is the purpose of file-signature analysis?
Signature Analysis
The ISO (International Organization for Standardization) and ITU (International Telecommunication Union) work to standardize types of electronic data. When a file type becomes standardized, a signature or header is stored along with the data. Applications use the header to correctly parse the data. An investigator can view the file signature to identify the file type, even if its extension has been changed.
To perform signature analysis, an investigator can select View and then File Signatures.
How does EnCase use MD5 hashing?
MD5 Hash
The MD5 hash is a 128-bit (16-byte) value that uniquely describes the contents of a file. It is a one-way hash function that converts a message into a fixed-length string of digits called a message digest.
The purpose of the value within EnCase is to verify that the evidence file EnCase created is the same in byte structure as the original media. EnCase also uses MD5 hashing to create hash sets that are then added to the hash library. Hash sets are collections of hash files.
EnCase can create a hash value (digital fingerprint) for any file in the case.
The chance of two files having the same hash value is 1 in 2^128: the likelihood of duplication in MD5 is 340,282,366,920,938,463,463,374,607,431,768,211,456 to 1.
Describe the kinds of searches an investigator can perform using EnCase.
Searching
EnCase provides powerful searching capabilities. An investigator can perform keyword searches at the logical level (file level) or physical level (byte by byte). EnCase can locate information anywhere on physical or logical media by using its deep analysis features. EnCase has the following advanced search capabilities:
- Concurrent search
- Proximity search
- Internet and e-mail search
- E-mail address search
- Global Regular Expressions Post (GREP) search: The GREP search utility enables the investigator to search for information with a known general format, such as telephone numbers, credit card numbers, network IDs, logon records, or IP addresses, even when the specific number is not known.
- File finder: This searches within the page file, unallocated clusters, selected files, or entire cases, looking for specific file types and structured data.
EnCase provides the following search options:
- Case sensitive: EnCase searches for keywords only in the exact case specified in the text box.
- GREP: The keyword is a regular expression.
- RTL reading: This is a keyword search in a right-to-left sequence for international language support.
- Active code page: This option allows an investigator to enter keywords in many different languages.
- Unicode: This enables investigators to search for keywords with international language characters.
- Big-endian Unicode: This enables investigators to search for keywords with international language characters stored in big-endian byte order.
Keywords
A key component of any search is the keywords and their rules. Keywords are saved in the keywords.ini file. An investigator chooses keywords based on what he or she is investigating. For example, the investigator might want to add keywords such as the following:
- kill
- suicide
- cheat
- Swiss bank
- San Francisco
Adding Keywords
To add keywords, an investigator needs to right-click Keyword and select New.
Grouping Keywords
An investigator can group keywords to organize search terms. To do so, he or she right-clicks Keyword, selects New Folder, and types in a folder name.
Adding Multiple Keywords
To add multiple keywords, an investigator can right-click the keyword folder and choose Add Keyword List.