Sherif Eldeeb, https://eldeeb.net
EnCase v7 Essential Training
In the name of God, the Most Gracious, the Most Merciful
What’s in this course
Explore the most notable features of the new version.
Everything you need to know about EnCase v7 to conduct basic investigations.
◦ Create Cases
◦ Acquire Mobile phones and Storage Devices
◦ Add existing evidence to cases
◦ Browse and explore evidence
◦ Process evidence and conduct analysis
◦ Export findings and Write reports.
ENCASE V7 ESSENTIAL TRAINING 2
Acknowledgment
The Computer Evidence sample we shall use is “TDurden evidence file”, which Guidance Software provides for free; get it from:
◦ http://media.johnwiley.com.au/product_ancillary/63/04709010/DOWNLOAD/tdurdenex01.html
◦ https://www.4shared.com/file/aa3BYubz/TDurden.htm
A few screenshots in this presentation are taken from “EnCase® Version 7.10 User's Guide”.
EnCase v7 new UI
Evidence Acquisition
FastBloc SE
FastBloc SE is the first commercial software write-blocking solution that allows EnCase to take full control of IDE, SATA and SCSI channels on particular PCI controller cards, as well as the FireWire and USB ports from Windows, permitting a forensically sound acquisition without the use of hardware write-blocking devices.
Tools -> `FastBloc SE`
FastBloc SE modes
All modes protect the evidence from actual modifications.
Write Protected: the operating system will not allow any modifications (copy to / delete / modify) and will throw an error. Use this mode for imaging!
FastBloc SE modes
Write Blocked: the OS will act as if the device is not write-blocked at all, and will allow changing security permissions of files; use this mode for casual `browsing`, where access is sometimes not permitted due to security permissions. (If you unplug and plug the device again, all modifications are lost.)
Pick a mode, plug a device
Create a new case
With the evidence write-blocked and attached, we have to create a case for evidence acquisition.
Create a new case
Add Evidence
Since the evidence is attached as a USB device, we pick `Add local device`.
… we will explore the other options later, God willing.
Add Evidence
Add local device
UNSELECT “Detect Tableau HW” if you have none attached! “it might/will cause problems”
Next …
Add local device
Detected, write-blocked and good to go
Selecting the evidence
Click on the evidence name …
Browsing the evidence
Acquiring evidence
Right click on evidence name -> Acquire -> Acquire…
Location & Name
Format
`Current` format is NOT compatible with v6!!
Acquisition will start
Press `OK`
Wait for it to finish … then you’ll have the evidence file in `.ex01` format
Next section we will learn how to add an existing evidence file to a case.
Stopping FastBloc SE
The USB device(s) will remain write-blocked until FastBloc SE is stopped (“Clear All”).
Adding Evidence Files
Adding `Evidence Files`
Go to `Home` tab -> Add Evidence
Adding `Evidence Files`
`Add Evidence File` -> select file
Adding `Evidence Files`
You can cancel the `Verification` process if you want by double clicking here
Adding Raw image files `DD`
Adding `Raw DD Files`
Home -> Add Evidence -> `Add Raw Image`
Adding `Raw DD Files`
Image type -> Disk
Right-Click -> New…
Adding `Raw DD Files`
Pick the file -> Open -> OK
Acquiring Mobile Phones
PRE-REQUISITES AND IMPORTANT CONSIDERATIONS
Mobile Phone Support
EnCase v7 supports acquiring data from smartphones and tablets directly.
Evidence could be acquired from the device itself, or from a backup file located on the suspect’s computer.
Allows exporting geo-tags and other location data, which can then be loaded into Google Maps!
Creating a report is very easy!
Supported devices & Data
Physical vs. Logical Acquisition
For some devices (like Android) it is possible to perform `Physical Acquisition`, which enables recovery of more data, including deleted files that would not be recoverable otherwise.
Logical acquisition is like “copying” the data from the device; deleted data will not be available for parsing.
Physical acquisition requires that the device is rooted (Google that if you are unfamiliar with the term).
IMPORTANT!!!
A few things need to be considered before acquiring evidence from mobile devices:
◦ Examination environment considerations
◦ Computer-side preparation and necessary drivers installation.
◦ Preparing target mobile device for acquisition
Use a Faraday Bag/Cage!!!
All smartphones have a `Remote Wipe` capability; if the suspect “or someone related to him” manages to initiate/schedule a remote wipe, we lose big time.
Install drivers
For EnCase to be able to acquire evidence from mobile devices, appropriate drivers need to be installed; the computer needs to recognize the devices correctly first.
This means installing iTunes for Apple devices, and the appropriate drivers for others.
Android: Prerequisites
Requirements
As per EnCase, we need to do the following ON THE PHONE before acquiring evidence (don’t forget to document your actions):
+ For Physical acquisition, we need root.
Enable unknown sources
• Settings might change slightly
• Google is your best friend, just find how to enable this setting and do it!
Enable USB Debugging
Enable USB Debugging(!)
In recent Android versions (>=4.2), the Developer Options menu and the USB Debugging option have been hidden, and need to be enabled first.
◦ `About Phone`
◦ Click `Build number` 10 times
Now Developer options are available; then continue as in the previous slide.
Rooting the phone
As mentioned earlier, physical acquisition (and recovery of deleted data) requires the device to be `Rooted`.
If it is already rooted, you’re in good shape; if it is not, please note that there is a very high probability that the device gets fully erased, or irrecoverably damaged!
Short answer: don’t ever root a device in the course of an examination!!! `unless authorized, and after “authority” understands the risk`
Android: Acquisition Demo
Once all is set …
Press OK on phone first …
Set Password if you wish
Wait … and keep waiting
It took us around 1½ hours to acquire a 16GB Note2; the problem is the progress bar is not moving, and there’s no indication on the mobile!
Have faith `it works` & have patience `it will take time`.
Acquisition done!
Note!
For some reason, photos taken by camera (the ones usually in DCIM) were not included in the evidence file when we acquired it …
We didn’t check why, but you may copy the files from the phone storage directly and take appropriate notes (MD5 hashes … etc.)
◦ Or make a logical evidence file which includes the images.
iTunes Backup Files
Acquiring iTunes Backup
To acquire an iTunes backup file: Open a case and click Add Evidence > Acquire Smartphone.
Point to `Manifest.plist`
Browsing and Viewing Evidence
Tree, Table, Traeble & View
Selection and Displaying
Selection is different from viewing
To select, tick the box
Selection and Displaying
To display only a subset, tick the
Very useful to focus on specific files or folders
Timeline
Tick from the left, display on the right
Makes it easier to focus on what happened in a specified time range
Something looks interesting?
Select it, then Bookmark it!
Other features to consider
Consider them on your own! Covering them here can take forever …
Take a look at Chapter 7 in the user manual.
Filtering & conditions.
Searching.
Mounting Evidence
Mounting evidence
Evidence could be mounted as local or network-mounted drives.
This will enable casually “browsing” the evidence, or performing a virus scan.
Virtual Machines could be created from evidence if it is mounted as a local drive.
This also enables viewing all file systems, even those not supported by Windows “e.g. evidence from Linux or Mac computers”.
Mounting evidence: VFS
Virtual File System (VFS) mounts a drive, volume or folder as a read-only offline network share.
Mounting evidence: VFS
Next -> Finish -> OK
Mounting evidence: VFS
VFS shows evidence as EnCase “sees” it (e.g. deleted files, alternate streams, unallocated clusters will show up as files)
To stop the VFS service, double click “Virtual File System” in the lower-right corner
Mounting evidence: PDE
Another way to mount evidence is Physical Disk Emulator (PDE), which “tricks” Windows into thinking that the evidence is an actual physical disk attached to the examiner machine.
This enables analysis of the evidence using other forensic tools, or using it to boot into a virtual machine.
But this limits the supported file systems for casual browsing to those supported by Windows (i.e. FAT & NTFS).
Mounting evidence: PDE
Mounting evidence: PDE
Removing “Disable Cache” enables write-emulation “i.e. programs will believe they are able to modify files on the evidence” … only that the changes are sent to the cache folder, of course.
Mounting evidence: PDE
Mounted evidence recognized as a locally attached physical drive.
Running evidence as a Virtual Machine
Running evidence as a VM
Once mounted using PDE, we can create a virtual machine which boots as the evidence.
Running evidence as a VM
Create a new VM, custom (advanced)
Next, next … next
No network!!
Or else bad things might happen … then continue clicking through.
Specifying a Disk for the VM
“Use a physical disk (for advanced users)” … then pick the emulated device …
Finish, then VM should start …
Or not …
Most probably Windows won’t start without a manual fix …
YMMV.
Processing Evidence… WHERE THE FUN BEGINS
What is `Evidence Processing`?
The Evidence Processor runs, in a single automated session, a collection of potent analytic tools against the case data.
Examples include: File carving, Internet artifact extraction, history of connected USB devices, network info (IP address & MAC addresses), System info, Instant messaging parser, Recovery of deleted files … and much more!
Evidence Processing
Some tasks take a very, very … very long time.
It is recommended that you pick only what you are looking for.
It has two pre-requisites:
◦ Evidence must have been acquired.
◦ Set the time zones of the evidence.
… let’s see how to get the time zone of the evidence and configure EnCase appropriately
Setting the right time zone
If you know the time zone, set it directly.
Device -> Modify time zone settings
If you don’t know the Time Zone
If we don’t know the time zone “like in many cases we get the evidence from overseas”, we have to find out from which time zone it came.
In Windows computers, Time Zone information is stored in the registry in the following key:
Which is stored in the following registry file:
\windows\system32\config\SYSTEM
Browse to that file in the left pane …
If we don’t know the Time Zone
Right click -> Entries -> View file Structure
Wait for parsing to finish.
If we don’t know the Time Zone
When processing is finished, there will be a little green “+” beside the SYSTEM name
Now click the SYSTEM file, it will expand
If we don’t know the Time Zone
We go to that key
If we don’t know the Time Zone
It’s `Pacific Standard Time` … let’s reconfigure
If we don’t know the Time Zone
To get back to the main evidence area “i.e. exit from the SYSTEM hierarchy”, press the `Back` green button
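Why the evidence time zone must be set before processing, as an added illustration (not part of the slides or of EnCase): the same on-disk NTFS timestamp is rendered under the examiner's default zone and under the zone recovered from the SYSTEM hive. The registry value names (`TimeZoneKeyName`, `Bias`, `ActiveTimeBias`) are assumed from Windows, the examiner zone of UTC+3 and the sample timestamp are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the values EnCase shows under the SYSTEM hive's
# TimeZoneInformation key. Value names are assumed from Windows, not from the
# slides. Bias values are MINUTES TO ADD to local time to reach UTC.
EVIDENCE_TZ = {
    "TimeZoneKeyName": "Pacific Standard Time",
    "Bias": 480,             # standard offset: UTC = local + 8h
    "ActiveTimeBias": 480,   # offset in force when the key was last written (no DST here)
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """Windows FILETIME = 100-ns ticks since 1601-01-01 UTC (NTFS stores timestamps this way)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def zone_from_registry(tz_info: dict) -> timezone:
    """Fixed-offset zone from ActiveTimeBias: local = UTC - bias.
    Assumption: no DST transition between the event and the key write; a real
    examination sets the named zone in EnCase so DST is handled per timestamp."""
    return timezone(-timedelta(minutes=tz_info["ActiveTimeBias"]), tz_info["TimeZoneKeyName"])

def render(ft: int, examiner_offset_min: int, tz_info: dict) -> dict:
    """Same on-disk timestamp shown three ways: raw UTC, the examiner's default
    zone, and the evidence's own zone recovered from the SYSTEM hive."""
    utc = filetime_to_utc(ft)
    examiner = utc.astimezone(timezone(timedelta(minutes=examiner_offset_min)))
    evidence = utc.astimezone(zone_from_registry(tz_info))
    return {
        "utc": utc,
        "examiner_default": examiner,
        "evidence_local": evidence,
        "date_differs": examiner.date() != evidence.date(),   # the day itself can change
    }

# Constructed NTFS modified time: 2021-03-01 06:30 UTC
SAMPLE_FILETIME = utc_to_filetime(datetime(2021, 3, 1, 6, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    # examiner workstation assumed (constructed) to sit at UTC+3
    for key, value in render(SAMPLE_FILETIME, 180, EVIDENCE_TZ).items():
        print(f"{key:17} {value}")
```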
Processing Evidence… CONTD.
Change view to `Evidence`
Change view to `Evidence` instead of `Entry`
Process …
Right click on Evidence -> Process Evidence -> Process…
Processor Options
Processor Options
Process all evidence files? Or just current?
Processor Options
If it is blue, it’s a hyperlink and it has more options.
Prioritization
What to process first?
To process only the types of selected items, check “Process only prioritized items”.
Recover Folders
Try to recover deleted files and folders.
When you turn on the “Recover folder structure of NTFS 3.0 files” option, recovery will take longer but will reconstruct the folder tree; if you leave that unchecked, all found folders will be grouped together without tree structure.
File Signature Analysis
A quite common technique for masking data is to rename a file and change its extension; for example, “image.jpg” might be renamed to “program.exe”.
Signature analysis verifies the file type by comparing the file header, or signature, with the file extension, and flags mismatches.
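What a signature check actually does, as an added example that is not part of the slides or of EnCase: a small magic-byte table is compared against each file's extension and the slide's "program.exe that is really a JPEG" case comes out as a mismatch. The table and the sample files are constructed.

```python
import os

# Constructed magic-byte table: (extensions that legitimately carry it, leading bytes).
# A real signature table is far larger; this is only enough to show the technique.
SIGNATURES = [
    ({"jpg", "jpeg"}, b"\xff\xd8\xff"),
    ({"png"}, b"\x89PNG\r\n\x1a\n"),
    ({"gif"}, b"GIF87a"),
    ({"gif"}, b"GIF89a"),
    ({"pdf"}, b"%PDF-"),
    ({"zip", "docx", "xlsx", "pptx", "jar", "apk"}, b"PK\x03\x04"),   # OOXML etc. are ZIPs
    ({"exe", "dll", "sys"}, b"MZ"),
]

def identify(header: bytes):
    """Return the extension set whose signature matches the header, or None if unknown."""
    for exts, magic in SIGNATURES:
        if header.startswith(magic):
            return exts
    return None

def signature_status(name: str, header: bytes) -> str:
    """match / mismatch / unknown, the three outcomes a signature-analysis pass reports."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    exts = identify(header)
    if exts is None:
        return "unknown"          # header not in the table: nothing to compare against
    if ext in exts:
        return "match"
    return "mismatch"             # header says one type, the extension claims another

def analyse(files: dict) -> dict:
    """Run the check over {name: bytes}; only the first 16 bytes are needed."""
    return {name: signature_status(name, data[:16]) for name, data in files.items()}

# Constructed sample "evidence": the slide's renamed JPEG among ordinary files.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 20,
    "program.exe": b"\xff\xd8\xff\xe1\x00\x18Exif" + b"\x00" * 20,   # JPEG renamed to .exe
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 20,
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 20,
    "notes.txt": b"just some text\n",                                 # no magic: unknown
}

if __name__ == "__main__":
    for name, status in analyse(SAMPLE_FILES).items():
        print(f"{name:14} {status}")
```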
Protected File Analysis
Relies on “Passware Kit” being installed on the examiner machine and properly configured
http://www.lostpassword.com/encase.htm
Identify password-protected files
This will take a long, long time.
Thumbnail creation
Will create “thumbnails” for all images to be viewed in the “Gallery” … upfront.
Hash Analysis
Calculates a hash value for all files.
Required for more advanced analysis.
“Entropy” -> a high value indicates compression or encryption.
Takes time; if not required, unselect.
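What the hash-analysis pass feeds into, as an added example (not from the slides or EnCase): MD5/SHA-1 per file for exact hash-set matching, plus Shannon entropy as the heuristic the slide mentions. The 7.5 bits/byte threshold, the hash sets and the sample files are constructed.

```python
import hashlib
import math
import os
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def hash_entry(data: bytes) -> dict:
    """What a hash-analysis pass records per file: MD5, SHA-1 and entropy."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 3),
    }

# Assumed threshold: plain documents sit well below it; archives, encrypted
# containers and packed executables sit at or above it.
HIGH_ENTROPY = 7.5

def classify(name: str, data: bytes, known_good: set, notable: set) -> dict:
    """Hash-set lookups first (exact), entropy only as a heuristic afterwards."""
    entry = hash_entry(data)
    if entry["md5"] in notable:
        verdict = "notable: matches a hash set of files of interest"
    elif entry["md5"] in known_good:
        verdict = "known good: OS/application file, can be de-prioritized"
    elif entry["entropy"] >= HIGH_ENTROPY:
        verdict = "high entropy: likely compressed or encrypted, inspect manually"
    else:
        verdict = "unclassified"
    return {"name": name, **entry, "verdict": verdict}

# Constructed sample "files"; none of this comes from the slides' evidence set.
README = b"The quick brown fox jumps over the lazy dog. " * 100
SYSTEM_DLL = b"MZ" + b"\x00" * 200 + bytes(range(64)) * 8
VAULT = os.urandom(4096)   # stands in for an encrypted container: no byte structure

KNOWN_GOOD = {hashlib.md5(SYSTEM_DLL).hexdigest()}   # constructed "known files" set
NOTABLE = {hashlib.md5(README).hexdigest()}           # constructed case-specific set

def run():
    samples = {"readme.txt": README, "system.dll": SYSTEM_DLL, "vault.bin": VAULT}
    return [classify(n, d, KNOWN_GOOD, NOTABLE) for n, d in samples.items()]

if __name__ == "__main__":
    for row in run():
        print(f"{row['name']:11} md5={row['md5']} H={row['entropy']:.3f}  {row['verdict']}")
```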
Expand Compound Files
Will expand ZIP, RAR, BZIP2 and other compressed files, and make the files within them available for processing.
VERY USEFUL!
Find Email
Will extract messages (and attachments) from email archives (e.g. PST).
Find Internet Artifacts
Browser history and cached web pages.
Chrome & Firefox support: cookies, downloads, keyword searches, login data `users and passwords` and top visited sites.
Searching in unallocated space will take time.
Searching for Keywords
Refer to page 132 in User Manual for explanations
Add new keyword
Creating an Index
An `index` is a list of all “text” in an evidence file; create it once, then search through it very quickly.
• Will enable searching across all types of information and viewing results in email, files, smartphones, and any other processed data in one search results view.
Enable this if you enable “Index Slack and unallocated!”
Personal Information
Credit cards, Phone numbers, Email addresses & USA Social security numbers …
Personal Information
Information about the Qatari ID number, and how to configure EnCase to look for them, could be found at the following site:
https://eldeeb.net/wrdprs/?p=330
System Info Parser
Identify hardware, software, and user information.
Previously connected USB devices.
IM Parser
Scans for AOL, MSN and Yahoo chat artifacts
Who is using those anyways :/ … not very useful unless you’re investigating evidence acquired a long, long time ago.
File Carver
File carving is the process of reassembling files from fragments in the absence of filesystem metadata.
◦ e.g. there will be no file names or created time… only file data.
This should be able to recover deleted files which have not been overwritten, even if the metadata has been overwritten.
Very useful for recovering deleted files, especially relatively small files (images, audio …etc.)
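The header/footer carving the slide describes, as an added example that is not part of the slides or of EnCase's carver: a blob standing in for unallocated clusters is scanned for JPEG and PNG header-to-footer runs, and a header whose footer was overwritten is reported as truncated. The signature pairs, the 5 MiB search limit and the sample blob are constructed.

```python
# Header, footer and trailing bytes after the footer; constructed subset of what
# a carver's signature table holds. PNG's IEND chunk is followed by a 4-byte CRC.
CARVE_TYPES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),
}
MAX_SIZE = 5 * 1024 * 1024   # give up on a header with no footer within 5 MiB (assumed)

def carve(blob: bytes) -> list:
    """Scan unstructured bytes for header..footer runs; no filesystem metadata is used,
    so results carry only offset, size and data (no names or timestamps).
    Limitations of this naive form: a fragmented file yields garbage, and a JPEG with an
    embedded EXIF thumbnail ends at the thumbnail's own FF D9 (truncated carve)."""
    found = []
    for ext, (head, tail, trailer) in CARVE_TYPES.items():
        pos = blob.find(head)
        while pos != -1:
            end = blob.find(tail, pos + len(head), pos + MAX_SIZE)
            if end == -1:   # header without footer: file truncated or partly overwritten
                found.append({"type": ext, "offset": pos, "size": None})
                pos = blob.find(head, pos + 1)
                continue
            end += len(tail) + trailer
            found.append({"type": ext, "offset": pos, "size": end - pos, "data": blob[pos:end]})
            pos = blob.find(head, end)   # resume after the carved file
    return sorted(found, key=lambda f: f["offset"])

# Constructed "unallocated space": printable filler (contains no signatures) around
# one complete JPEG, one complete PNG skeleton and one JPEG whose tail was overwritten.
FILLER = bytes(range(0x20, 0x7F)) * 8
JPEG1 = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01\x02" * 40 + b"\xff\xd9"
PNG1 = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x90wS\xde"
        + b"\x00\x00\x00\x00IEND\xaeB`\x82")
TRUNCATED = b"\xff\xd8\xff\xe1\x00\x18Exif\x00\x00" + b"\x05" * 30   # no FF D9 follows
BLOB = FILLER + JPEG1 + FILLER + PNG1 + FILLER + TRUNCATED + FILLER

if __name__ == "__main__":
    for hit in carve(BLOB):
        size = "truncated" if hit["size"] is None else f"{hit['size']} bytes"
        print(f"{hit['type']} @ {hit['offset']}: {size}")
```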
File Carver
Windows Event Log Parser
This module parses .evt and .evtx files for Windows Event Logs, and also allows for processing by condition (e.g. event id)
Windows Event Log Parser
Example: only report logon events (ID = 528)
Windows Artifact Parser
Unix Login
This module parses files with the names “wtmp” and “utmp”
◦ Those files keep track of all logins and logouts to the system.
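What is inside those files, as an added example (not the slides' or EnCase's code): a struct-based parser for the 384-byte glibc x86_64 utmp record, pairing each USER_PROCESS login with the DEAD_PROCESS logout on the same tty. The record layout is assumed from `<utmp.h>`; the sample wtmp is constructed.

```python
import struct
from datetime import datetime, timezone

# On-disk utmp/wtmp record as written by glibc on x86_64 Linux: 384 bytes.
# Layout assumed from <utmp.h> (little-endian, 32-bit ut_tv fields).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
USER_PROCESS, DEAD_PROCESS = 7, 8              # ut_type values of interest here

def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")

def parse_utmp(blob: bytes):
    """Yield one dict per fixed-size record; a trailing partial record is ignored."""
    for off in range(0, len(blob) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        yield {
            "type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
            "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),   # ut_tv.tv_sec
        }

def sessions(records) -> list:
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same line (tty).
    DEAD_PROCESS records carry an empty ut_user, so the tty is the join key."""
    open_logins, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_logins[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_logins:
            login = open_logins.pop(r["line"])
            out.append({"user": login["user"], "host": login["host"], "line": r["line"],
                        "login": login["time"], "logout": r["time"]})
    for login in open_logins.values():   # no logout seen: still logged in, or a crash
        out.append({"user": login["user"], "host": login["host"], "line": login["line"],
                    "login": login["time"], "logout": None})
    return out

def make_record(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build a constructed record the way login(1)/init would write it."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed wtmp: alice logs in over SSH and out an hour later; bob is still on tty1.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "10.0.0.5", 1_600_000_000),
    make_record(USER_PROCESS, 4300, "tty1", "bob", "", 1_600_001_000),
    make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1_600_003_600),
])

def run() -> list:
    return sessions(parse_utmp(SAMPLE_WTMP))

if __name__ == "__main__":
    for s in run():
        print(f"{s['user']:8} {s['line']:6} {s['host']:10} {s['login']} -> {s['logout']}")
```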
Linux Syslog Parser
syslog is a widely used standard for message logging (you can think of it like Linux’s equivalent of Windows Event logs … sort of)
Macintosh OS X Artifacts parser
Just like all other Apple products, there’s not much you can do
Collects lots of very useful info: USB devices, OS version, Installation Date, Network info, User activity, Keychain (stored passwords), and many others.
Processing Evidence
RESULT SETS: LIMITING THE CASE PROCESSING SCOPE
Case Processing is slow…
If you are only interested in specific items, or a time frame, you can limit the “scope” of the case processor using “Result Sets”.
To create a Result Set (see next slide):
1. select the files
2. -> right click on any of them
3. -> Entries
4. -> Create Results …
5. Call it something
Creating Result Sets
Result Sets
To view the Result Set, click “view” -> Results
Limit Processing to Result Sets
Select set -> Process
In this example, only 577MB out of 13GB will be processed
Viewing Case Processor Results
Viewing Case Processor Results
When the case is processed, an indication is at the bottom-right corner of the app.
After it is finished, results are under -> View -> Records
General Useful Tricks
Find Related Emails (Conversation)
You can check email “conversations” by going to “Find Related” -> Show Conversation
Hash only selected files
Select the files -> “Entries” -> “Hash\Sig Sel…”
Smartphone Reports
Smartphone Reports
Creating reports for smartphone information using EnCase couldn’t be easier
◦ Tools -> Smartphone Report …
Smartphone Reports
`Tags` are explained in “Chapter 12” in the user manual (and will be explained in the next course, God willing)
`OK` and it will work for a while.
Smartphone Reports
Reports could be “Short” or “detailed”
You can pick what to be included
Geo Location Data
EnCase parses all location-related information from several sources, then allows for export to a KMZ file which can be viewed on Google Earth
Geo Location Data
Photos and icons will be placed on their exact locations
Geo Location Data
Clicking on a picture/link reveals more info
Export to CSV
Data could be exported as CSV for further dissemination using other tools
The forensic challenge
Completed, praise be to God.
Sherif Eldeeb, https://eldeeb.net, @SheriefEldeeb