215 N. Marengo Ave., Suite 250 Pasadena, CA 91101 Tel: (626) 229-9191 Fax: (626) 229-9199 e-mail: training@GuidanceSoftware.com web: www.GuidanceSoftware.com
EnCase Forensic v7 Essentials Training OnDemand v7.04.01i (06.06.2012) Copyright 2012, Guidance Software, Inc.
EnCase is a trademark of Guidance Software, Inc. All rights reserved. No part of this publication may be copied without the express written permission of Guidance Software, Inc. 215 N. Marengo Ave., Suite 250, Pasadena, CA 91101
- Structured management, budgeting and reduction of training expenses
- Qualify for CPE credits on all classroom courses
- Attendance at all courses, including EnCase Training OnDemand, qualifies for training hours earned towards EnCE certification or renewal
- Train in one of our state-of-the-art facilities, at one of our Authorized Training Partners throughout the world, or our EnCE-certified instructors can come to you
- Customize a course to suit your organization's needs
- Enroll in one of our online courses with EnCase Training OnDemand
- Enhance professional standing by participating in one or both of our certification programs: the EnCase Certified Examiner (EnCE) or EnCase Certified eDiscovery Practitioner (EnCEP)
http://www.guidancesoftware.com/computer-forensics-trainingcertifications.htm
Program
- One Year Annual Training Passport
- Two Year Annual Training Passport
- One Year upgrade
- Two Year upgrade
Details, terms and conditions of the program and upgrade options can be viewed at: http://www.guidancesoftware.com/computer-forensics-training-annual-training-passport.htm
Program
GTO (5-seat minimum)
Fees and restrictions are subject to change. For the most up-to-date information on any of our courses or programs, contact Guidance Software Training at training@guidancesoftware.com or 626-229-9191 ext. 566.
www.guidancesoftware.com
Training Facilities
Los Angeles, CA (Pasadena, CA): 215 North Marengo Avenue, Suite 250, Pasadena, CA 91101
Washington, DC (Dulles, VA): 21000 Atlantic Boulevard, Suite 750, Dulles, VA 20166
Chicago, IL (Rosemont, IL): 9450 West Bryn Mawr Avenue, Suite 200, Rosemont, IL 60018
Houston, TX: 1300 Post Oak Boulevard, Suite 550, Houston, TX 77056
London, UK (Slough): Thames Central, 5th Floor, Hatfield Road, Slough, Berkshire, UK SL1 1QE
We also have Authorized Training Partners all over the world. For a complete listing visit: http://www.guidancesoftware.com/computer-forensics-training-partners.html
Program
- Training Instructor Fee - 1 instructor / up to 12 students
- Training Instructor Fee - 2 instructors / 13 to 24 students
- Standard Shipping U.S.
- Standard Shipping International
For a complete list of mobile options call Guidance Software Training at 626-229-9191 ext. 566 or visit our website at: http://www.guidancesoftware.com/computer-forensics-training-mobile-onsite.htm
Price (USD): $4,485
Price (GBP): 2,803.13
Fees and restrictions are subject to change. For the most up-to-date information on any of our courses or programs, contact Guidance Software Training at training@guidancesoftware.com or 626-229-9191 ext. 566.

Our Customers

Guidance Software's customers are corporations and government agencies in a wide variety of industries, such as financial and insurance, technology, defense, energy, pharmaceutical, manufacturing and retail. Our EnCase customer base includes more than 100 of the Fortune 500 and more than half of the Fortune 50, including: Allstate, Chevron, Ford, General Electric, Honeywell, Northrop Grumman, Pfizer, UnitedHealth Group and Viacom.

About Guidance Software (NASDAQ: GUID)

Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase platform provides the foundation for government, corporate and law enforcement organizations to conduct thorough, network-enabled, and court-validated computer investigations of any kind, such as responding to eDiscovery requests, conducting internal investigations, responding to regulatory inquiries or performing data and compliance auditing, all while maintaining the integrity of the data. There are more than 40,000 licensed users of the EnCase technology worldwide, the EnCase Enterprise platform is used by more than sixty percent of the Fortune 100, and thousands attend Guidance Software's renowned training programs annually. Validated by numerous courts, corporate legal departments, government agencies and law enforcement organizations worldwide, EnCase has been honored with industry awards and recognition from Law Technology News, KMWorld, Government Security News, and Law Enforcement Technology.
2012 Guidance Software, Inc. All Rights Reserved. EnCase and Guidance Software are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners.
T FS 0130-11019
Copyright 2012 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
Contents

Organizing Columns ... 96
Other Table Pane Views ... 96
Bookmarking in Evidence View ... 97
Timeline View ... 99
Disk View ... 100
View Pane ... 101
Status Bar ... 108
ENCASE FORENSIC V7
EnCase Forensic v7 (EnCase v7) is the next advancement in computer forensics technology, workflow, and best practices. With powerful automation capabilities, a streamlined user interface, and optimized case management, EnCase v7 will transform how you perform investigations. Just a few of the paradigm-shifting features are:
- Intuitive, streamlined interface
- Powerful processing capabilities
- Find evidence faster with unified search
- Review e-mail the way you want it
- Smartphone acquisition
- Quick case access
- Increased scalability
At the core of EnCase v7 is our commitment to robust file and operating system support. With version 7, you will be able to investigate more file and operating systems than ever before.
Leveraging the indexing engine from our EnCase Command Center (EnCase eDiscovery and EnCase Cybersecurity) products, you will now have search results across multiple types of files all in one location, including files, e-mail, instant message (IM) conversations, Smartphones, etc.
- Dramatically change the workflow through the product to improve efficiency through automation
- Harness the power of indexing and searching versus browsing for the needle of evidence in the ever-increasing volume of the digital haystack
- Use the index to build relationships between items throughout EnCase v7, including items from EnScript processing and Smartphone acquisitions
- Increase the usability of the software to find evidence faster
ENCRYPTION SUPPORT

EnCase v7 supports the following encryption products. The supported-products table has the columns Vendor, Product, Supported Versions and 64-bit Support; its entries, by column, are:

Vendor: Check Point; CREDANT; McAfee; Microsoft; Sophos; Symantec; Symantec; WinMagic

Product: Check Point Full Disk Encryption (formerly Pointsec PC); Mobile Guardian; SafeBoot; BitLocker and BitLocker To Go; SafeGuard Easy (formerly Utimaco); PGP Whole Disk Encryption; Endpoint Encryption

Supported Versions: 6.3.1 up to 7.4; 5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8; 7 and 8; 9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1; 4.5, 6 (Windows and Macintosh); Vista, 7; 4.5, 5.5; 9.8, 9.9, 10; 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0; 4.5, 4.6

64-bit Support: Yes; No; No; Yes; No; Yes; Yes; Yes; Yes; No

Check Point Full Disk Encryption (versions 6.3.1 up to 7.4) is supported with 64-bit support.
- You can now mark files with user-defined tags to help remember important information about the file. These tags can be used later for filtering and reporting.
- We have streamlined the number of configuration items; for example, the views for configuring file types, file signatures, and file viewers have been combined into File Types.
- We have made the configuration settings accessible at the time that you are accessing that area; for example, Text Styles are now set in the text pane itself.
- We've separated EnCase v7 configuration settings from user settings. This allows us to update the delivered configuration files while leaving your files untouched.
- The Evidence Processor helps automate your work in preparing for an investigation.
- Viewing and working with e-mail is easier in EnCase v7.
- Searching is more powerful and has a new index engine.
- There are new templates for customizing reports.
- Smartphone support is included.
- New file system and file type support:
  - EXT4, including Linux Software RAID 1 and 10 arrays for Ubuntu version 9.1 and version 10.04
  - HFSX
  - Microsoft Office 2010
  - Check Point/Pointsec
1. If the installation does not auto start from the DVD, browse to locate and run Setup.exe
2. Note that the bottom right corner of the dialog displays the version of EnCase that will be installed into this path first, followed automatically by EnCase v7
3. Click Next>
4. If the folder does not yet exist, click Yes
5. If you are upgrading, click OK or Cancel to go back and change the installation folder.
6. Following is a license agreement page for EnCase Forensic
7. Read and acknowledge your acceptance of the license agreement by clicking Next>
8. The next window offers to install additional properties if it is a first-time installation with no security key drivers installed. NOTE: If this is the first installation of EnCase software, remove any dongles and check the box next to Install HASP Drivers to install or upgrade the drivers needed for the EnCase dongles.
9. Click Next>
10. You may be notified that your system should be rebooted; to ensure the registration of certain DLLs and enable the drivers, etc., it is strongly encouraged to reboot at this time
11. Make the reboot selection and click Finish

With the program successfully installed, the shortcut to EnCase v7 will appear on your Desktop.
NOTE: With Windows 7 and Vista, you will need to copy the cert files onto your hard drive from the Internet and then copy them into the C:\Program Files\EnCase7\Certs directory. The security permissions of Windows 7 and Vista prevent direct copying from e-mail or the Internet into C:\Program Files.
RUNNING ENCASE
Double-click on the EnCase v7 icon on your Desktop to run EnCase for the first time. Please take a moment to register your EnCase v7.
Follow the instructions on the webpage, depending on whether you have Internet connectivity.
ENCASE FORENSIC
EnCase Forensic v7 (EnCase v7) provides investigators with a single tool for conducting large-scale and complex investigations from beginning to end. It features superior analytics, enhanced e-mail/Internet support, and a powerful scripting engine. With EnCase v7 you can:
- Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide
- Investigate and analyze data from multiple platforms (Windows, Linux, AIX, OS X, Solaris, and more) using a single tool
- Find information despite efforts to hide, cloak, or delete
- Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack, and unallocated space
- Transfer evidence files directly to law enforcement or legal representatives as necessary
- Use review options that allow non-investigators, such as attorneys, to review evidence with ease
- Use reporting options for quick report preparation
FORENSIC WORKFLOW
EnCase v7 facilitates the forensic workflow process through the:
1. Preview and processing of case data
2. Analysis of evidence
3. Reporting of findings
EnCase Concepts
The E01 format supported only a soft password, meaning that the data itself was not encrypted. Ex01 encrypts the data symmetrically, using AES-256 by default. The encryption key can be protected with:
- A password that generates a symmetric key
- An asymmetric key pair
- Both of the above
For instruction on acquiring digital evidence, please consider one or more of the following courses:
- First Responder with EnCase Forensic, Tableau, and EnCase Portable: http://www.guidancesoftware.com/EnCaseFirst-Responder.htm
- EnCase Computer Forensics I: http://www.guidancesoftware.com/computer-forensics-training-encase1.htm
- EnCase Portable Configuration and Examinations: http://www.guidancesoftware.com/encaseportable-examinations.htm
CASE FILE
In prior versions of EnCase, the case file is a text file that contains information specific to one case. In EnCase v7, a case is no longer contained within a single file, but is stored within a folder containing many components. The case contains pointers to any number of evidence files or previewed devices, bookmarks, search results, sorts, hash analysis results, signature analysis reports, etc. Before media can be previewed or evidence files analyzed, a case file must be created when you run EnCase. The case cannot be accessed by more than one examiner at a time. In EnCase v7, the default location for saving the case files is the User Data folder.
User Data (C:\Users\<username>\My Documents\EnCase)
- This folder is for user-created files that are not necessarily EnCase-version or installation specific. Files like case files and EnScript files would default to this folder.
- This folder is for configuration files and user temp files that pertain to a specific user and installation folder of EnCase (window sizes, fonts, etc.)
- This folder contains files that are for the configuration of EnCase regardless of the user (NAS settings, etc.)
- This folder contains files that are created by the installer and are unmodified by the application
- This folder can be pointed to a folder where you keep shared files (EnScript modules, Searches, Conditions, File Types, Text Styles, and Keys)
ENSCRIPT PROGRAMS
EnScript programs are saved in two or three directories:
- The EnScript modules shipped with EnCase continue to be stored in the C:\Program Files\EnCase7\EnScript folder
- Your EnScript programs are now stored in your user folder under C:\Users\<userfolder>\EnCase\EnScript
- You can also specify a shared folder to be able to browse to your EnScript library
You now run your EnScript modules from the toolbar drop-down instead of the former tree control in the lower right pane.
When you select Run or Edit, you are presented with a file selection dialog that allows for easy browsing to all of the default locations via an EnCase tree on the left side. NOTE: On operating systems prior to Windows Vista, this functionality will not be available and you will need to manually navigate to the EnCase v7-shipped EnScript folder or your shared folders.
File Viewers
There are no default viewers shipped with EnCase v7, so any viewers you add will be saved in an .ini file that only exists in your user directory.
Text Styles
Text styles are split into separate files and are viewable by you in a settings dialog that separates your user entries from the Guidance Software delivered entries with tabs.
Folder Name: Description
Certs: License certificates
Condition: Default conditions
Config: Application configuration options
Drivers: Application drivers
EnScript: Default EnScript programs
Filter: Default filters
Help: Help files
Lib: Application library files
License: EnLicense files
Mobile: Mobile phone drivers
Noise: Default noise file for the Index
Template: Default case templates
ViewLib: Outside In libraries
User Data
The following are user-created files that are not necessarily EnCase-version or installation specific:
Windows 7 and Windows Vista path: \Users\<Username>\My Documents\EnCase
Windows XP: \Documents and Settings\<Username>\My Documents\EnCase

Backup:
Windows 7 and Windows Vista path: \Users\<Username>\My Documents\EnCase
Windows XP: \Documents and Settings\<Username>\My Documents\EnCase
Folder Name: Description
Condition: User-defined conditions
EnScript: User-defined EnScript modules
Filter: User-defined filters
Keys: Encryption keys
Keyword: User-defined keyword searches
Logs: Console logs
Search: User-defined searches
Template: User-defined case templates
Case Folder
This folder contains all files that make up an EnCase v7 case:
Windows 7 and Windows Vista default path: \Users\<Username>\My Documents\EnCase\<Case Name>
Windows XP: \Documents and Settings\<Username>\My Documents\EnCase\<Case Name>

Item: Description
Corrupt Pictures: Corrupt pictures
E-mail: E-mail thread database
Export: Default case export folder
Results: Results of search queries
Searches: Keyword search results (non-Evidence Processor)
Tags: Tag database
Temp: Default case temp folder
<Case Name>.Case: EnCase case file
Evidence Cache
This folder contains the cache, index, and keyword results for a device that are created by the EnCase Evidence Processor:
Windows 7 and Windows Vista default path: \Users\<Username>\My Documents\EnCase\Evidence Cache\<Hash>
Windows XP: \Documents and Settings\<Username>\My Documents\EnCase\Evidence Cache\<Hash>

Item: Description
Device Cache: Device caches
DeviceIndex: Device index
Searches: Keyword search results (Evidence Processor)
Folder: Description
Config: User-edited application configuration files
\ProgramData\EnCase\EnCase7-<#>
Windows XP:
- \Documents and Settings\All Users\Application Data\EnCase
- \Documents and Settings\All Users\Application Data\EnCase\EnCase7-<#>
NOTE: \Users\All Users\AppData = \ProgramData

Item: Description
Logos: Default report logo
Config: NAS and other global configuration files
ParseCache: Parse cache files
Storage: EnScript configuration files
Shared Files
This is a folder location in which you store shared files, such as EnScript programs, searches, conditions, keys, file types, text styles, and so forth.
Windows 7 and Windows Vista path: <User Defined>
Windows XP: <User Defined>
Main Application Tool Bar Removed: The old text menu bar with applications was removed. There are now top-level, drop-down menus that provide greater flexibility.
New Side Bar Menu: Each pane now has a side bar menu for common functions, such as Conditions, Filters, and Tags.

Flexible Pane Layouts: Rather than the static four panes of v6, you can set a preferred layout for each view:

Floating Box for Text: If the data in a table cell is truncated by the column size, hovering over it will display the content in a floating box.
Tabs for Multi-dimensional Cell Data The bottom pane contains tabs for multidimensional data, such as Fields, Permissions, Hash Set Properties, and File Extents. This is different from the single Additional Details tab in v6, and the tabs are available regardless of what cell is currently highlighted.
Drop-down Menus: In contrast to the trees in v6, you now have drop-down menus for selecting functions; for example:
- Filters: Now available via a drop-down in the View Pane top menu bar.

Configuration Settings: The configuration items are now accessible where they are needed. For example, you can create and/or select keywords at the time the search is executed, such as under Raw Search All.
VIEW MENUS
The following is a summary of the major changes in the EnCase v7 GUI.

EnCase v6 Function: EnCase v7 Location
Archive Files: Removed
Cases: Cases drop-down menu
Encryption Keys: Accessed where used
File Signatures: Removed (merged with File Types)
File Types: Accessed where used; View drop-down menu
File Viewers: Accessed where used
Hash Sets: Accessed where used; View drop-down menu
Keywords: Accessed where used; Entries Keyword Search toolbar item
EnScript: To EnScript drop-down
Filters: To Filter drop-down on Entries, Records, Search Results
Conditions: To Condition drop-down on Entries, Records, Search Results
Display: To individual Filter tabs
Queries: No longer a function in EnCase
Text Styles: To drop-down above Text/Hex/etc. view
One of the most powerful features of EnCase v7 is its ability to organize different types of media together, so that they can be indexed and searched as a unit rather than individually. This process saves time and allows you to concentrate on examining the evidence.
CASE MANAGEMENT
Before starting an investigation and acquiring media, consider how the case will be accessed once it has been created. It may be necessary for more than one investigator to view the information simultaneously. In such an instance the evidence files should be placed on a central file server and copies of the case file should be placed on each investigator's computer (since case files cannot be accessed by more than one person at a time).

The EnCase Forensic methodology strongly recommends that you use a second hard drive, or at least a second partition on the boot hard drive, for the acquisition and examination of digital evidence. It is preferable to wipe an entire hard drive or partition rather than individual folders to ensure that all of the temporary, suspect-related data is destroyed. This will aid in deflecting any claims of cross-contamination by the opposing counsel if the forensic hard drive is used in other cases. Of course, the evidence in the EnCase evidence files is always protected from cross-contamination.

One method of organization is to create a folder for each case and to place the associated case file and evidence files in that folder. Reports and evidence copies can then be placed in the same folder or in subfolders. Create a Cases folder on your evidence drive for case management.
The Home page, like all pages within EnCase, is divided into several sections, each with a specific set of functions. In descending order, they are as follows:

Application Toolbar: Appears below the title bar and provides drop-down menus to major functionality. The menus and their selections are primarily static throughout your investigation. The menus and their selections are discussed in more detail later in this lesson.

Tab Toolbar: These components include the back and forward arrows, which function the same as in any standard browser, as well as various viewing options that allow you to resize the panel dimensions to whatever best suits your needs. This toolbar also contains menus and buttons that are specific to the selected tab.

Page body: The Page body varies, depending on the tab that you are viewing. The Home page consists of labels that identify the product, case, functionality available, and sections that identify categories of EnCase components and contain links to the features or actions belonging to each category.
NEW CASE
To start a new case, click on the New Case link.
The Case Options dialog box will appear, allowing for the selection of the Base case and evidence cache folders for the new case. By default, paths to your user directory are displayed. The investigator should change these paths to those specific to the case in order to segregate case data.
A. Case Template

When you create a new case, you will see a list of available templates (these are .CaseTemplate files). EnCase supplies several predefined templates whose names appear in this box along with any saved templates. To select a template, click on a name in the Case Templates list. In the previous figure, the #2 Forensic template is selected.
Although you can configure a new case completely from scratch, Guidance Software recommends using a template as it simplifies the case-creation process. Each case template contains a uniquely configured set of the following:
- Case info items with default values
- Bookmark folders and notes
- Tag names
- Report template
- User-defined report styles
You can also create your own templates by saving any case as a template. Afterwards, the new template will appear in the Templates list and will be available for future use. If you intend to create a number of cases with a similar structure, it makes sense to save one of them as a template and use it to generate the other cases.
B. Case Information

Case info: Case info items are user-configurable name-value pairs that document information about the current case. These items are primarily used to insert user-definable information into a report. To update a value, double-click on the row. To create case info items, use the New button above the table to generate as many name-value pairs as you need.

C. Case Name

Name: Text string you enter to identify the case file. In EnCase v7, a case is no longer contained within a single file, but is stored within a folder containing many components. The name specified in this field will be used to name the case folder as well as the components contained within that folder.

Full Case Path: The folder in which the case file is stored. This field is not writable.
D. Case Folders Base Case folder This is the location where the case folder will be created. By default
EnCase uses a folder under your My Documents folder.
Primary evidence cache EnCase v7 uses cache files to speed up application responsiveness,
enhance stability, and provide scalability across large data sets. The primary evidence cache folder is the location where EnCase will save and/or access these files. Cache files may be created in advance through the Evidence Processor and you can simply point to a folder that contains this data. Although there is an evidence cache for each device in a case, the evidence cache does not need to be stored with the evidence files. If cache files have not been created for a device, they will be stored in this folder when the Evidence Processor is run.
Secondary evidence cache EnCase allows you to specify a secondary location where a
previously created evidence cache can be found. This allows you to specify a folder on a network share or other location where cache files may be stored. Unlike the primary evidence cache folder, EnCase will only read previously created files from this location. All new cache files will be stored in the Primary evidence cache folder.
E. Backup settings
Backup every 30 minutes: By default, EnCase backs up your case every 30 minutes. Since backups can take a significant amount of time, they run in a background thread so you can continue with your work. The case backup:
- Can be canceled at any time, like any other background thread
- Stops silently if the case is closed
- If interrupted, resumes later where it left off (unchanged files are not copied again)
- Runs on this schedule:
  - Every 30 minutes while a case is open
  - When a case is opened, if that case has not been opened for more than 30 minutes
  - 30 - X minutes after the case is opened, if the case was last open X minutes ago, where X is less than 30
- Stops if the Evidence Processor starts running
- Does not run if the Evidence Processor is already running
- Disables the automated backup timer while it is running
Maximum case backup size (GB): By default, EnCase will allocate a maximum of 50 GB of space for the case backup files.
Backup location: This is the location where the backup files are saved. By default EnCase uses a folder under your My Documents/CaseBackup folder.
The last backup folder location, maximum amount of disk space, and enable/disable backup setting are saved in the global settings and are automatically populated when you create a new case. Click OK to apply the case options. To aid you, these constraints are checked:
- If you create a case with backup disabled, a dialog asks if you are sure you want to disable backup for this case.
- A warning displays if the backup location is not a valid path.
- Choosing a backup folder and case folder on the same drive letter displays a warning, asking if you are sure you want to back up the case on the same drive as the case.
- Choosing a backup folder and evidence cache folder on the same drive letter displays a warning, asking if you are sure you want to back up the case on the same drive as the evidence cache.
Note that these checks compare drive letters only. Two drive letters can be partitions of the same physical disk, so a backup location that passes the check is not necessarily protected against failure of the disk holding the case; place the backup on a separate physical device or network share.
The Home tab will then display a page for this particular case with the case name displayed at the top. This case page lists hyperlinks to many common EnCase features and you can use it as the main landing page for this case. You are now ready to begin building your case.
Case Selections
Save (Ctrl-S): Saves the current case file. The default suffix for a case file is *.Case; the default suffix for a backup case file is *.cbak.
Save As...: Used to save and rename the current case file or to create a copy of the case file with a different name.
Create Package (Ctrl-P): Creates a case package file for portability with the evidence.
Case Backup: Accesses the Case Backup dashboard.
Save As Template...: Used to save the case as an EnCase template to use with new cases. The extension for a case template file is *.CaseTemplate.
Close: Closes the active case file.
Open...: Opens an existing case file. (Note that you can have more than one case file active at a time.)
New Case...: Opens the Case Options dialog so that you can create a new case file.
Options...: Allows you to edit the Case Options for the active case.
Hash Libraries...: Displays the Hash Libraries dialog, which provides a list of hash libraries and hash sets used in the current case and allows you to change libraries or enable and disable hash libraries and sets.
If you need to update the Case options later, they are available under the Case menu.
Make any required changes to the case information and click OK. NOTE: You cannot change the information contained in the Name or Case path fields; this information is displayed for reference purposes only and is read-only.
EvidenceCache: Stores cache files and containers for processed evidence
Email: E-mail processing folder
Documents: Default folder for documents
Searches: Default folder for saving search queries
Export: Default folder for exporting evidence
Tags: Tag storage
Temp: Default temporary folder for file viewing
CorruptPictures: Holds corrupt pictures during the thumbnail creation process
Results: Stores the results of index queries
Create a folder named LocalEvidence and copy the TDurden.Ex01 evidence file from the EnCase Essentials OnDemand distribution website into the folder.
The Case Backup menu opens a backup folder location and displays the case backup dashboard. The dashboard's input is the folder location, which can come from three places. The Case Backup menu allows you to obtain the backup folder location from:
- Use Current Case: Uses the backup folder location from the currently open and active case
- Specify Case File: Reads and uses the backup folder location from an unopened case file chosen through an open-file dialog
- Specify Backup Location: Uses a backup folder location specified by the user through a folder dialog
For each case backup, the dashboard displays these columns:
- Name
- Created
- Size (in bytes, KB, MB, GB, etc.)
- Custom name (if available)
- Comment (if available)
The dashboard lists all available case backups in a tree, sorted by type. Daily, weekly, and monthly backups are created by aging scheduled backups. The backup types and their aging rules are:
- Custom: A user-created backup to which you can give a custom name and comment. Custom backups are retained until explicitly deleted.
- Scheduled: A scheduled backup is created when you open a new case or schedule a backup manually using the Create Scheduled option.
- Daily: For each day, the scheduled backup closest to that day's local midnight is copied and stored as a daily backup.
- Weekly: For each week, the daily backup closest to that week's Sunday local midnight is copied and stored as a weekly backup.
- Monthly: For each month, the daily backup closest to local midnight on the first day of the following month is copied and stored as a monthly backup.
By default, the database retains a maximum of:
- 48 scheduled backups
- Seven daily backups
- Five weekly backups
Monthly backups are kept until the maximum allowed size is exceeded; the oldest monthly backups are then deleted to stay under the limit.
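To make the aging rules concrete, the following Python model (added here as an example; it is not Guidance Software code and not how EnCase stores its backup database) applies the promotion and retention rules above to a constructed 30-minute schedule. The retention counts and the size-bounded monthly tier follow the text; which midnight counts as "closest" (this model uses the boundary that ends each day, week and month), the Sunday-to-Saturday week, and the tie-break are assumptions.

```python
"""Model of the EnCase v7 case-backup aging tiers described above.

Added example for this page, not Guidance Software code.  The retention
counts (48 scheduled / 7 daily / 5 weekly) and the size-bounded monthly
tier come from the text; the boundary used for "closest to midnight"
(end of the day, week, or month) and the tie-break are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from itertools import groupby

MAX_SCHEDULED = 48
MAX_DAILY = 7
MAX_WEEKLY = 5


@dataclass(frozen=True)
class Backup:
    created: datetime
    size: int  # bytes on disk


def _closest(backups, boundary):
    # Nearest to the boundary; on a tie keep the earlier one (assumption).
    return min(backups, key=lambda b: (abs(b.created - boundary), b.created))


def _next_midnight(day):
    return datetime.combine(day + timedelta(days=1), time())


def _week_start(day):
    # Weeks run Sunday..Saturday (assumption); return the Sunday that starts it.
    return day - timedelta(days=(day.weekday() + 1) % 7)


def _next_month_start(year_month):
    year, month = year_month
    return datetime(year + (month == 12), month % 12 + 1, 1)


def _promote(backups, key, boundary_for_key):
    """One backup per period: the member closest to that period's boundary."""
    ordered = sorted(backups, key=lambda b: b.created)
    return [_closest(list(group), boundary_for_key(k))
            for k, group in groupby(ordered, key=key)]


def age_backups(scheduled, max_monthly_bytes):
    """Return {tier: [Backup, ...]} (oldest first) after promotion and pruning."""
    scheduled = sorted(scheduled, key=lambda b: b.created)
    daily = _promote(scheduled, lambda b: b.created.date(), _next_midnight)
    weekly = _promote(daily, lambda b: _week_start(b.created.date()),
                      lambda sunday: _next_midnight(sunday + timedelta(days=6)))
    monthly = _promote(daily, lambda b: (b.created.year, b.created.month),
                       _next_month_start)
    # Count-bounded tiers keep the most recent N; the monthly tier drops its
    # oldest members until the total size fits the configured maximum.
    while monthly and sum(b.size for b in monthly) > max_monthly_bytes:
        monthly.pop(0)
    return {
        "scheduled": scheduled[-MAX_SCHEDULED:],
        "daily": daily[-MAX_DAILY:],
        "weekly": weekly[-MAX_WEEKLY:],
        "monthly": monthly,
    }


def sample_schedule():
    """Constructed data: a 30-minute schedule over 1-10 June 2012, 1 MB each."""
    start = datetime(2012, 6, 1)
    return [Backup(start + timedelta(minutes=30 * i), 1_000_000)
            for i in range(48 * 10)]


if __name__ == "__main__":
    for tier, kept in age_backups(sample_schedule(), 5_000_000).items():
        newest = kept[-1].created if kept else "-"
        print(f"{tier:>9}: {len(kept):3d} kept, newest {newest}")
```

Run it to see what survives pruning: the scheduled tier holds only the last 48 half-hourly backups (one day), so anything older than a day exists only as a promoted daily, weekly or monthly copy, which is why the monthly tier's size limit matters for long-running cases.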
4. After the backup is scheduled, the Create Scheduled Backup dialog closes. To verify that the backup was scheduled, click the Scheduled folder in the Backups directory.
3. Enter a custom name and, if desired, a comment, then click OK.
4. To verify that the custom backup was created, click the Custom folder in the Backups directory.
2. Select the case file you want, then click Open. The dashboard displays for the case file you selected.
3. If you want to restore a backup, select a backup file and click Restore.
2. Navigate to the location you want for the backup, then click OK.
3. The Case Backup Folder is displayed. Click OK.
- Primary evidence cache (only those evidence caches referenced in the case)
- Secondary evidence cache (only those evidence caches referenced in the case)
- Dates, times, and sizes for all files
4. The Restore Backup dialog displays. Click either Restore to original case locations (default) or Restore to new locations, then click Next>.
If you click Restore to original case locations, the Name, Location, and Full Case Path fields populate automatically and you cannot edit them. All other options are disabled. If you click Restore to new locations, the Name, Location, and Full Case Path fields populate and you cannot edit them; however, all other options are enabled, and you can change any of them. When you are done, click Finish.
NOTE: Restoring will overwrite the contents of the selected Case directory.
DELETING A BACKUP
To delete a backup, go to the dashboard using any of the options in the Case > Case Backup drop-down menu. From the Backups directory, open the folder containing the backup you want to delete.
1. Blue-check the backup or backups you want to delete, then click Delete.
3. You can make these changes:
- Enable or disable Backup every 30 minutes
- Maximum case backup size (GB)
- Backup location
- The Options tab can modify the EnCase core configuration
- The Global tab allows various features to be changed, including the Auto Save feature, picture, and timeout options
- The Date tab allows you to set the format for date and time stamps
- The NAS tab contains all of the settings needed to enable network authentication of the EnCase dongle when it is on a server instead of the local machine
- The Colors tab provides the ability to set the color scheme for different elements of the EnCase interface
- The Fonts tab can alter screen fonts, typically used for foreign-language support
- The Shared Files tab provides the ability to set the path to where user and application data is stored, as well as the evidence and cache folders
- The Debug tab is used by EnCase users who experience abnormal shutdowns or program lockups and by those working with customer service to determine the nature of the problem
Global
This tab allows you to select options that establish the global-configuration settings for a case.
Picture Options
Enable Picture Viewer: This option allows pictures to be displayed in the various views.
Enable ART image display: This option controls whether images in the AOL ART format are rendered. Leaving it off prevents EnCase from displaying ART files, which, if corrupted, may cause an Internet browser such as Internet Explorer to crash.
Invalid Picture Timeout: This option enables EnCase to stop trying to read a corrupted image file. Instead the file is cached so that EnCase will not attempt to read it in the future. The default is 12 seconds.
Force ordered rendering in Gallery: This option, new in EnCase v7, forces pictures in the Gallery to render in order from top left to bottom right. Checking this box forces ordered rendering; turning the option off makes EnCase render small pictures immediately and queue up the larger pictures.
  - This option is off by default because the Gallery view flows better from a user-interface perspective. However, some users like to go to the Gallery view and scroll down one row at a time to see the pictures appear in order from left to right. This option was created for those users.
Code Page
Code Page Set the default code page for text viewing.
Additional Options
Show True / Show False: These options define the text that appears in a Table column to indicate whether a condition is true or false. It is best to set these to something easily understood (such as Yes for true and No for false) rather than retain the default settings of a bullet for true and blank for false.
Default Char: The character used for non-printable values, such as 00h, 01h, 02h, etc.
Flag Lost Files: This option is unchecked by default, which means that lost clusters are treated as unallocated space, decreasing the amount of time required to access the evidence file through a case file. If this option is checked, EnCase will tag all lost clusters in Disk view (indicated by yellow blocks with a question mark). This option must be set before an evidence file is added to the case.
Detect FastBloc: Detect legacy FastBloc for write blocking during evidence acquisition.
Don't verify evidence when opened: Open evidence without verifying the acquisition hash and CRCs. Leave this unchecked in normal practice: with verification skipped, a damaged or altered evidence file can be examined with no indication that it no longer matches the hash recorded at acquisition.
Date
This tab allows you to configure the date and time displays, including displaying the time zone on dates.
Date Format includes these options:
- MM/DD/YY (for example, 06/21/08)
- DD/MM/YY (for example, 21/06/08)
- Other enables you to specify your own date format
- Current Day displays the current date in the specified date format
Time Format includes these options:
- 12:00:00PM uses a 12-hour clock for the time format
- 24:00:00 uses a 24-hour clock for the time format
- Other enables you to specify your own time format
- Current Time displays the current time in the specified time format
NAS
NAS (Network Authentication Server): This option allows multiple copies of EnCase to authenticate to a single hardware key. This is typically used in lab environments with multiple examiners and multiple copies of EnCase.
Colors
This tab allows you to change the colors for different elements of the EnCase interface.
Fonts
This option allows you to alter fonts for viewing convenience and to accommodate the special font requirements of some foreign languages to display correctly.
Shared Paths
This option allows you to specify the folder for shared files, such as the filetypes.ini file, EnScript modules, filters, searches, conditions, and keywords.
Debug
This option is utilized by EnCase users who experience abnormal shutdowns or program lockups and by those working with customer service to determine the nature of the problem.
Hashing Features
EnCase v7 contains several new and expanded hashing features:
- A versatile user interface for hash library management: you can create hash sets and libraries, import and export hash libraries, query hash sets, and view hash sets or individual hash items
- Hash libraries can contain multiple hash sets, and each set can be enabled or disabled
- You can create as many hash libraries or hash sets as you want
- If a hash belongs to multiple sets, every match will be reported
- Each case can use up to two different hash libraries at the same time
- You can save individual hashes in a separate folder without placing them in a specific hash set or hash library (for example, you may want to retain a hash of an item for later use without committing it to a particular hash set or library)
NSRL
You may wish to use a centralized hash library or one already created. Guidance Software, Inc. has converted the National Software Reference Library (NSRL) RDS 2.32 (March 2011, http://www.nsrl.nist.gov/Downloads.htm) hash set into the EnCase v7 format. Download the converted NSRL hash sets from the EnCase Support Portal at https://support.guidancesoftware.com/
Place them in a directory that is easily accessible and usable, such as: C:\Program Files\EnCase7\Hash Libraries\NSRL Hash Library
To open a hash library, click Open Hash Library and browse to the directory from the Manage Hash Library panel toolbar.
Select whether you want to change the existing category or tag on the hash sets, then enter the new value in the text box.
2. Browse for a directory or create a new folder to hold the hash library.
NOTE: If you use an existing folder, it must be empty (otherwise, the contents of the folder will be deleted).
3. Provide a name for the hash library (for example, Hash Library #1).
4. Click OK.
If you wish to import hash sets from another library, select Import Hash Sets from the toolbar. You can then browse to a library and select individual sets to import, such as importing the NSRL library into your new Hash Library #1. NOTE: Ctrl+Space Bar will select all of the hash sets.
Click Finish to import the hash sets; for now, click Cancel. NOTE: With 11 GB of hash sets, importing the NSRL RDS will take a long time.
To select a hash library, click on Change Hash Library. Browse to the Primary hash library and click OK.
The Primary hash library will now be enabled and ready for use with the Evidence Processor. You can also select a Secondary hash library.
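The following Python model, added here as an example and not Guidance Software code or EnCase's on-disk library format, puts together the hashing behaviours described in this section: a library containing several hash sets, sets that can be enabled or disabled, a case using a primary and a secondary library at once, and a hash belonging to several sets being reported once per set. The set names, the categories ("Known" and "Notable") and the file contents are constructed for the demonstration.

```python
"""Hash libraries, hash sets, and hash analysis as described above.

Added example for this page, not Guidance Software code and not EnCase's
library format.  Set names, categories and file contents are constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class HashSet:
    name: str
    category: str          # e.g. "Known" (ignorable) or "Notable" (of interest)
    md5s: frozenset
    enabled: bool = True


@dataclass
class HashLibrary:
    name: str
    sets: list = field(default_factory=list)

    def matches(self, md5: str):
        """Every enabled set containing this hash: one tuple per set, so a
        hash present in several sets is reported once for each of them."""
        return [(self.name, s.name, s.category)
                for s in self.sets if s.enabled and md5 in s.md5s]


def file_hashes(data: bytes):
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_analysis(entries: dict, primary: HashLibrary, secondary=None) -> dict:
    """Hash each entry and look it up in the case's one or two libraries."""
    libraries = [lib for lib in (primary, secondary) if lib is not None]
    report = {}
    for name, data in entries.items():
        md5, sha1 = file_hashes(data)
        hits = [hit for lib in libraries for hit in lib.matches(md5)]
        report[name] = {"md5": md5, "sha1": sha1, "hits": hits}
    return report


def needs_review(report: dict):
    """Entries an examiner still has to look at: anything flagged Notable,
    plus anything with no Known match at all (the usual NSRL triage step)."""
    out = []
    for name, info in report.items():
        categories = {hit[2] for hit in info["hits"]}
        if "Notable" in categories or "Known" not in categories:
            out.append(name)
    return out


# Constructed sample "files"; a real analysis hashes entries from the evidence.
CALC = b"MZ\x90\x00 calc.exe sample bytes"
NOTEPAD = b"MZ\x90\x00 notepad.exe sample bytes"
DROPPER = b"MZ\x90\x00 dropper with embedded payload"
UNKNOWN = b"user-created document with no reference hash"


def sample_libraries():
    """A primary library with two Known sets (an NSRL-style set and an
    internal baseline) and a secondary library holding a Notable set."""
    primary = HashLibrary("Primary", [
        HashSet("NSRL RDS (subset)", "Known",
                frozenset(file_hashes(d)[0] for d in (CALC, NOTEPAD))),
        HashSet("Corporate gold image", "Known",
                frozenset({file_hashes(CALC)[0]})),
    ])
    secondary = HashLibrary("Secondary", [
        HashSet("Case malware", "Notable", frozenset({file_hashes(DROPPER)[0]})),
    ])
    return primary, secondary


def sample_entries():
    return {"calc.exe": CALC, "notepad.exe": NOTEPAD,
            "dropper.bin": DROPPER, "notes.docx": UNKNOWN}


if __name__ == "__main__":
    primary, secondary = sample_libraries()
    report = hash_analysis(sample_entries(), primary, secondary)
    for name, info in report.items():
        print(name, info["md5"], info["hits"])
    print("needs review:", needs_review(report))
```

Disabling a set (HashSet.enabled = False) removes its matches without touching the library, which mirrors the enable/disable control in the Hash Libraries dialog; dropping the secondary library removes the Notable hit for dropper.bin entirely, which is why the triage step also flags anything with no Known match rather than relying on Notable hits alone.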
- Preview devices (local and enterprise)
- Preview physical and process memory (local and enterprise)
- Preview via a crossover cable
- Add image files (including E01s, L01s, SafeBack, vmdk, etc.)
- Preview a Palm device
Course: First Responder with EnCase Forensic, Tableau, and EnCase Portable
Course websites:
http://www.guidancesoftware.com/EnCaseFirst-Responder.htm
http://www.guidancesoftware.com/computerforensics-training-encase1.htm
http://www.guidancesoftware.com/encaseportable-examinations.htm
In EnCase v7, functionality that was in the EnCase v6 Add Devices wizard is split into separate menus. These menus are accessed from the Add Evidence button on the Home page or from the drop-down menu.
Add Local Device: Initiates the process of adding a local device attached directly to your local computer. This can be the main system drive, a removable drive write-blocked with FastBloc SE, or a device attached through a Tableau write blocker.
Add Evidence File: Specify an evidence file to add to the active case. This can be an EnCase evidence file (E01) or a logical evidence file (L01).
Add Raw Image: Add a raw or dd image file of a physical device to the active case.
Or, if the Add Evidence hyperlink was selected, click on Add Evidence File.
Browse to the TDurden.Ex01 evidence file that you copied to the examination drive and click Open.
EnCase v7 will then add the device to the case Evidence tab and automatically begin verifying the evidence file's hash value and CRCs, unless you specifically chose the option not to verify evidence files (certainly not recommended). Verification re-reads the image and compares the per-block CRCs and the acquisition hash stored in the evidence file against the data as read, so a mismatch means the file has been damaged or altered since acquisition and must be resolved before the evidence is relied on.
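A worked illustration of what that verification does, added here as an example and not part of the course material or the EnCase code base: the container below is a deliberately simplified stand-in for an evidence file (chunks of 64 sectors, the default EWF chunk size, each followed by a CRC32, with the acquisition MD5 and SHA1 recorded alongside), not the real E01/Ex01 format, and the image bytes are constructed. It shows why both checks matter: a per-chunk CRC localizes accidental damage to a specific chunk, while only the acquisition hash catches an edit made by someone who also rewrote the chunk's CRC.

```python
"""Verifying an evidence container: per-chunk CRCs plus acquisition hashes.

Added example for this page, not Guidance Software code.  The container
layout is a simplified model of the checks the text describes, not the
E01/Ex01 format; the image contents are constructed.
"""
import hashlib
import struct
import zlib

SECTOR = 512
CHUNK = 64 * SECTOR  # 64 sectors per CRC, as in the default EWF chunk size


def build_container(image: bytes) -> dict:
    """Acquisition side: chunk the image, append a CRC32 to each chunk,
    and record the hashes of the complete image."""
    chunks = [image[i:i + CHUNK] for i in range(0, len(image), CHUNK)]
    return {
        "chunks": [c + struct.pack("<I", zlib.crc32(c)) for c in chunks],
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
    }


def verify_container(container: dict) -> dict:
    """Examiner side: recompute every CRC and both hashes from the data as
    read.  Bad CRCs localise damage to a chunk; the hash comparison is the
    statement that the whole image still matches what was acquired."""
    bad_chunks = []
    data = bytearray()
    for idx, rec in enumerate(container["chunks"]):
        payload, (stored_crc,) = rec[:-4], struct.unpack("<I", rec[-4:])
        if zlib.crc32(payload) != stored_crc:
            bad_chunks.append(idx)
        data += payload
    return {
        "md5_ok": hashlib.md5(data).hexdigest() == container["md5"],
        "sha1_ok": hashlib.sha1(data).hexdigest() == container["sha1"],
        "bad_chunks": bad_chunks,
    }


def flip_byte(container: dict, chunk_idx: int, offset: int,
              fix_crc: bool = False) -> dict:
    """Return a copy with one payload byte flipped in the given chunk.  With
    fix_crc=True the chunk CRC is recomputed, simulating a deliberate edit
    that hides from the CRC check but not from the acquisition hash."""
    chunks = list(container["chunks"])
    payload = bytearray(chunks[chunk_idx][:-4])
    payload[offset] ^= 0xFF
    if fix_crc:
        crc = zlib.crc32(payload)
    else:
        crc = struct.unpack("<I", chunks[chunk_idx][-4:])[0]
    chunks[chunk_idx] = bytes(payload) + struct.pack("<I", crc)
    return {**container, "chunks": chunks}


def sample_image() -> bytes:
    """Constructed 96 KiB image (exactly three chunks); stands in for TDurden.Ex01."""
    return bytes(range(256)) * (3 * CHUNK // 256)


if __name__ == "__main__":
    good = build_container(sample_image())
    print("intact:", verify_container(good))
    print("bit rot in chunk 1:", verify_container(flip_byte(good, 1, 100)))
    print("edited, CRC fixed:", verify_container(flip_byte(good, 1, 100, fix_crc=True)))
```

The third case is the one the "Don't verify evidence when opened" option would hide completely: every CRC passes, and only the hash comparison reveals that the image no longer matches the acquisition record.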
EVIDENCE TAB
The Evidence tab allows you to browse selected devices as in previous versions of EnCase software (EnCase). To browse a single item of evidence, click on the hyperlink in the Name column. Click on TDurden. EnCase will parse the Master File Table (MFT) and allow you to browse the file structure.
If you desire to open two or more devices, blue-check the evidence and click Open.
To remove evidence, blue-check the device and click Remove Selected Evidence.
The selections in the Tree Pane affect the Table Pane; the selections in the Table Pane affect the View Pane.
You can change the split of the screen with the Split Mode button and select the preferred viewing layout based on the investigation you are conducting.
- Table: Table in top pane and View in bottom pane (no Tree view)
- Tree-Table: Default view with Tree in left pane, Table in right pane, and View in bottom pane; this is the traditional EnCase Entries view
- Traeble: Table in top pane and View in bottom pane, with the ability to browse the folder structure in the Name column
- Tree: Tree in left pane and View in right pane (no Table view)
There are three methods used within EnCase v7 to focus on specific files or folders. These methods have different purposes:
Highlighting a folder displays the entries within that folder in the Table Pane (this is used for viewing information only).
The Set Included Folders method (sometimes called the polygon or home plate) displays all the entries, files, and folders for that folder and all its subfolders in the Table Pane. It overrides the highlighting option. It is activated by clicking on the polygon next to the folder name in the Tree Pane in the Evidence Viewing (Entry) view and in any other views displaying a similar folder structure. This is used for viewing information only. When a folder is included, the other folders are grayed out. All files and folders within the folder and its subfolders are displayed in the Table Pane. To deactivate this function, click on the Set Included Folders icon again or click twice on another include icon.
The blue-check or Select for future action method is used for designating files or folders on which to perform an analysis operation, such as a keyword search. This can be implemented from a variety of views. It is activated by clicking on the square next to the tree of the entry name in any view.
In the following example, several folders have been selected. These folders have a white background within the blue-checked square, indicating that all entries within the folder have been selected. A gray background within the blue-checked square indicates that not all entries within the folder have been selected. The Selected box above the Table Pane indicates how many entries have been selected. To deselect all entries, click within this Selected box to remove the blue-check and to remove blue-checks from elements of the Evidence Viewing (Entry) view and the Table Pane.
RIGHT-CLICK
Veteran users of previous versions of EnCase are trained to right-click on an object in the Tree Pane to bring up a context menu with many selection options. Also, there is a drop-down menu on the far right side of the menu bar.
ADDITIONAL VIEWS
Within the Tree Pane there are many views that can be accessed for different purposes. All of these views may be accessed through the tabs available above the Tree Pane or through the View menu. Any tabs not displayed above the Tree Pane will be displayed by selection through the View menu.
Table Pane
By default the Table Pane is in the Table view. This view shows the subfolders and files contained within the folder(s) highlighted or included (Set Included Folders) in the Tree Pane. Highlighting or including a folder affects the display in the Table Pane as previously explained. The highlighting and Set Included Folders features are intended for viewing the desired files and folders in the Table Pane. If one or more folders are designated with the include feature, highlighting will not change the number of files/folders displayed in the Table Pane. This differs from the Selected box located to the right of the pointed box, which is intended for selecting, with a blue-check, the files and folders on which to perform certain operations, including but not limited to searching, copying, and exporting. With the Set Included Folders feature activated, the select operation will not alter the number of files/folders displayed in the Table Pane. The Table view in the Table Pane displays many columns of information about the displayed entries:
- Name: identifies the file/folder/volume, etc., in the evidence file.
- Tag: displays the tag(s) you have placed on an entry.
- File Ext: displays the entry's extension, which initially determines whether this entry is displayed in the Gallery view.
- Logical Size: specifies the file size as the operating system addresses the file.
- Item Type: identifies the type of evidence, such as Entry (file or folder), Email, Record, or Document.
- Category: indicates the category of the file from the File Type table.
- File Type (formerly Signature): displays the signature result, a Match or an Alias (renamed extension).
- Signature Analysis: the results of a file signature analysis.
- File Types Tag: displays the Unique Tag (from the File Types table) for the entry after a file signature analysis (this column can be activated from the Show Columns drop-down menu). This column was formerly called the Signature Tag.
- Last Accessed: displays the last accessed date/time. This typically reflects the last time the operating system or any compliant application touched the file (such as viewing, dragging, or right-clicking). Entries on FAT volumes do not have a last-accessed time (FAT records only a last-accessed date). Note also that Windows Vista and later disable last-access updates on NTFS by default, so this value is often stale and should not be read as proof of recent use.
- File Created: typically reflects the date/time the file/folder was created at that location. A notable exception is the extraction of files/folders from a ZIP archive; those objects carry the created date/time they had when they were placed in the archive.
- Last Written: reflects the date/time the file was last opened, edited, and then saved. This corresponds to the Modified time in Windows with which users are familiar.
- Code Page: displays the character encoding table upon which the file is based.
- MD5: displays the 128-bit MD5 hash value for a file entry generated by a hash analysis.
- SHA1: displays the SHA-1 hash value for a file entry generated by a hash analysis.
- Item Path: identifies the location of the file within the evidence file, including the evidence file name and a volume identifier.
- Description: describes the condition of the entry: whether it is a file or folder, deleted, or deleted/overwritten.
- Protection complexity: provides details on the file's protection.
- Is Deleted: displays True if the entry is in a deleted state; blank if it is not.
- Entry Modified: indicates when the administrative data for the file was last altered, for NTFS and Linux file systems.
- File Deleted: displays the deleted date/time if the file is documented in the Recycle Bin's INFO2 file.
- File Acquired: identifies the date/time the evidence file in which this entry resides was acquired.
- Initialized Size: indicates the size of the file when it is opened; applies only to NTFS file systems.
- Physical Size: specifies the size of the storage areas allocated to the file.
- Starting Extent: identifies the starting cluster of the entry.
- File Extents: displays the cluster fragments allocated to the file. Click within this column for an entry and then click on the Details tab in the View Pane to see the cluster fragments.
- Permissions: shows the security settings of a file or folder in the View Pane.
- Physical Location: displays the number of bytes into the device at which the data for an entry begins.
- Physical Sector: lists the sector number into the device at which the data for an entry begins.
- Evidence File: displays the evidence file in which the entry resides.
- File Identifier: displays the index number in the Master File Table (NTFS) or Inode Table (Linux/UNIX).
- GUID: indicates the Globally Unique Identifier for the entry, to enable tracking throughout the examination process.
Hash Sets displays whether a file belongs to one or more hash sets, generated by including hash sets in a hash library in a hash analysis process.
Short Name displays the name Windows gives the entry using the DOS 8.3 naming convention.
VFS Name displays the name for files mounted with the EnCase Virtual File System (VFS) module in Windows Explorer. This replaces the Unique Name column in previous versions of EnCase.
Original Path displays information derived from data in the Recycle Bin. For files within the Recycle Bin, this column shows where they originated when they were deleted. For deleted/overwritten files, this column shows the file that has overwritten the original.
Symbolic Link displays data pertaining to the Linux and UNIX equivalent of a Windows shortcut.
Is Duplicate displays True (Yes) if the displayed file is a duplicate of another.
Is Internal indicates whether the file is an internal system file, such as the $MFT on an NTFS volume.
Is Overwritten indicates whether the first cluster (or more) of an entry has been overwritten by a subsequent object.
You can use the Show Columns drop-down menu on the dialog box to hide or show columns in your Table Pane.
ORGANIZING COLUMNS
Table columns may be rearranged in any order just as is done in Microsoft Excel. Click and hold down on the column heading then drag and drop it into its new location. Columns may be sorted by up to five layers deep. To sort by a particular column, double-click on the column heading. To institute a sub-sort, hold down the Shift key and double-click on the column heading. Columns may be locked on the left side of the Table view so that when you scroll to the right of the Table view, the initial columns are still visible. To lock a column, right-click on the column heading, select Columns, and select Set Lock. The lock is instituted on the position of the column. If other columns are moved into that position, they are locked. To release the lock, right-click on the column, select Columns, and then Unlock.
Place the evidence bookmarks in the appropriate folder of your case report template, or create a new folder. NOTE: If you bookmark several files at once (Ctrl+Shift+B), you cannot add a bookmark comment. If you wish to add a comment to an individual file, bookmark that single file (Ctrl+B).
TIMELINE VIEW
The Timeline view shows patterns of different types of dates and times. You can zoom in (higher resolution) to a second-by-second timeline and zoom out (lower resolution) to a year-by-year timeline.
DISK VIEW
The Disk view allows viewing of files and folders in terms of where the data appeared on the media. Placement of clusters and/or sectors and fragmentation of files may be observed.
EnCase v7 has a new Auto Extents option in Disk view. When you select a sector, it automatically highlights all of the extents that make up the file. This differs from EnCase v6, where you had to double-click on the sector; currently you can turn it off with the checkbox. Click on the Evidence tab to return to browsing entries.
VIEW PANE
The View Pane displays the contents of the item highlighted in the Table Pane. The View Pane has default settings that should be understood. Initially the View Pane defaults to the Fields view. You can undock the View Pane for dual monitors.
To return the View Pane to the main EnCase v7 interface, close the View Pane.
Fields
The Fields tab provides you with a table of the metadata (data about the file) for the entry. In EnCase v7, all of the fields are able to be searched in an Index query.
Text
The following screenshot displays a document file in Text view.
Although the text is readable, its format can be improved by altering the text style from the Text Styles menu in the View Pane.
By default, EnCase v7 includes two Unicode and two ASCII code pages:
Unicode - Fit to page
Unicode - Line breaks at 120 characters
ASCII (Western European) - Fit to page
ASCII (Western European) - Line breaks at 120 characters
Click New to create a new text style. Give it a name, such as German Line Breaks, and then select Line Wrap or Line Breaks. The changes are displayed immediately in the View Pane. Click on the Code Page tab to select the code page.
The new text style is now applied to the Text tab in the View Pane.
Doc
Here is the same document file displayed in Doc view where it is converted to appear as in the authoring application, Microsoft Word.
Transcript
The Transcript tab displays the text extracted from the file. This is the text that an Index (Transcript) search operates on for compound documents such as Microsoft Office 2007 and 2010 files, including .docx, .xlsx, and .pptx.
Permissions
The Permissions tab displays the security permissions for a file, including the name and security identification number (SID) of the user(s) who have permission to read, write, and execute a file.
Picture
EnCase checks the contents of the file highlighted in the Table Pane to see if it is an image that can be decoded internally. If so, EnCase will provide the ability for you to select the Picture view in the View Pane and display the image.
If numerous files highlighted in the Table Pane are images, EnCase v7 will default to the Picture view for subsequent images. If a Microsoft Word document is then highlighted, EnCase v7 will change the default view in the View Pane to Text. If you wish to have every highlighted item displayed in Hex or Text view, you need only click on the square beside Lock to lock that view. To unlock the view, clear the blue check mark in the box.
Hex
The following screenshot displays the same picture viewed in hexadecimal.
STATUS BAR
It is important to be aware of your current positioning within the case, especially when documenting the location of evidence found in unallocated space. The status bar found at the bottom of the screen will provide that information.
PS  Physical sector number
LS  Logical sector number
CL  Cluster number
SO  Sector offset: the distance in bytes from the beginning of the sector
FO  File offset: the distance in bytes from the beginning of the file
LE  Length: the number of bytes in the selected area
The status bar also shows the full path of the item highlighted. If a deleted/overwritten file is highlighted, it indicates the overwriting file. Full-path information is available on all tabs that have the Item Path column (Entries, Records, Search Results, and Bookmarks, as examples). The sector information is available on the Entries and Disk views.
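As an added illustration (not EnCase code), the Python below reproduces the status bar arithmetic for a fragmented entry: it takes the File Extents list, the volume's starting physical sector, the sectors per cluster and the logical size (all constructed values) and maps a file offset to PS, LS, CL and SO, also flagging whether the byte lies in file slack. NTFS cluster numbering is assumed (cluster 0 is the first sector of the volume).

```python
SECTOR = 512  # bytes per sector (constructed assumption)

def locate(extents, partition_start, spc, logical_size, file_offset, length=1):
    """Map a byte offset inside an entry to the status bar fields.

    extents:         list of (starting_cluster, cluster_count) pairs as shown in
                     the File Extents column, NTFS numbering (cluster 0 = first
                     sector of the volume).
    partition_start: physical sector at which the volume begins (PS minus LS).
    spc:             sectors per cluster.
    logical_size:    the entry's Logical Size; bytes at or beyond it are slack.
    file_offset:     FO, the byte offset into the entry to report on.
    """
    cluster_bytes = spc * SECTOR
    physical_size = sum(count for _, count in extents) * cluster_bytes
    if not 0 <= file_offset < physical_size:
        raise ValueError("offset lies outside the entry's allocated clusters")

    remaining = file_offset
    for start_cluster, count in extents:            # walk the fragments in order
        extent_bytes = count * cluster_bytes
        if remaining >= extent_bytes:
            remaining -= extent_bytes
            continue
        cluster = start_cluster + remaining // cluster_bytes    # CL
        in_cluster = remaining % cluster_bytes
        ls = cluster * spc + in_cluster // SECTOR                # LS
        ps = partition_start + ls                                # PS
        so = in_cluster % SECTOR                                 # SO
        return {
            "PS": ps, "LS": ls, "CL": cluster, "SO": so,
            "FO": file_offset, "LE": length,
            "physical_location": ps * SECTOR + so,   # the Physical Location column
            "in_slack": file_offset >= logical_size,  # hit sits in file slack
        }

if __name__ == "__main__":
    # Constructed entry: two fragments, 4 KiB clusters, volume starts at sector 63.
    extents = [(1000, 2), (2500, 1)]
    print(locate(extents, 63, 8, logical_size=10000, file_offset=9000))
    print(locate(extents, 63, 8, logical_size=10000, file_offset=11000))  # in slack
```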
EVIDENCE PROCESSOR
After adding evidence to a case and confirming that the data is valid and browsable, the first task you undertake is to run the EnCase Evidence Processor. The Evidence Processor lets you run, in a single automated session, a collection of powerful analytic tools against your case data. Since you can run the Evidence Processor unattended, you can work on other aspects of the case while this tool is processing data. After completion, the case data will be processed and ready for you to begin the important analytic and reporting phases of your investigation. Evidence Processor functions fall into two categories:
Preparation
Processing
Before using the Evidence Processor:
There must be evidence in your case to process
If you are previewing a device, you must acquire that device prior to processing or as part of the processing
You should confirm that time zone settings for the evidence are configured properly
NOTE: EnCase v7 will utilize the time zone setting of your examiner workstation if no time zone is set for the evidence.
Before running the core tasks of the EnCase Evidence Processor, you should confirm the time zone setting of the device. This information is found in the SYSTEM registry hive for Windows 2000, XP, Vista, and 7. The SYSTEM hive is located in C:\Windows\System32\Config.
To view the data in the SYSTEM hive, use the View File Structure feature in EnCase v7. With the SYSTEM hive selected in the Table Pane, right-click on the file or use the Entries drop-down menu, and select Entries > View File Structure.
EnCase v7 will read the header of the file to detect if it can be processed. You have the option to calculate the unallocated space of the compound file and find deleted content. Click OK to begin the parsing process.
EnCase v7 will scan and parse the registry file and then build a cache file. This allows the file structure of the registry to be written to disk rather than stored in RAM as in previous versions of EnCase.
When the parsing is completed, a plus icon (+) will appear and the file name will become a hyperlink, indicating it is a processed compound file. Double-click on the file to open the file cache for examination.
Browse the parsed registry file to the time zone location and find the text string holding the time zone name. On the TDurden evidence, it is set to Pacific Standard Time.
Check to confirm that the Dynamic Daylight Time Disabled value is off (indicated by hex 00 00 00 00). This means daylight saving time is indeed in use on this device.
2. Right-click on the TDurden evidence file
3. Right-click on Device in the context drop-down menu
4. Click Modify time zone settings...
5. To account for daylight saving time, select the Pacific Time (US & Canada) time zone, and click OK
NOTE: The daylight saving time start and end dates changed in 2007. You have the ability to choose which version to apply.
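Added example, not part of the course: the 2007 rule change the note refers to, worked in Python. It converts a UTC timestamp to Pacific time under either the pre-2007 or the 2007 U.S. daylight saving rules, with a switch standing in for the Dynamic Daylight Time Disabled value checked above; the sample timestamps are constructed.

```python
from datetime import datetime, timedelta

STANDARD_OFFSET = timedelta(hours=-8)   # Pacific Standard Time is UTC-8

def nth_sunday(year, month, n):
    """n-th Sunday of a month; n = -1 gives the last Sunday."""
    if n > 0:
        first = datetime(year, month, 1)
        first += timedelta(days=(6 - first.weekday()) % 7)   # Monday=0 ... Sunday=6
        return first + timedelta(weeks=n - 1)
    last = datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def dst_window(year, rules):
    """Start and end of DST for the year, expressed in local standard time.

    rules="2007":     second Sunday in March to first Sunday in November.
    rules="pre-2007": first Sunday in April to last Sunday in October.
    """
    if rules == "2007":
        start, end = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    elif rules == "pre-2007":
        start, end = nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)
    else:
        raise ValueError("rules must be '2007' or 'pre-2007'")
    # DST begins at 02:00 standard time and ends at 02:00 daylight time,
    # which is 01:00 standard time.
    return start.replace(hour=2), end.replace(hour=1)

def to_pacific(utc_time, rules="2007", dst_enabled=True):
    """Convert a naive UTC timestamp to Pacific local time.

    dst_enabled=False corresponds to the Dynamic Daylight Time Disabled value
    being set, i.e. the machine never adjusted for daylight saving.
    """
    standard = utc_time + STANDARD_OFFSET
    if dst_enabled:
        start, end = dst_window(standard.year, rules)
        if start <= standard < end:
            return standard + timedelta(hours=1), "PDT"
    return standard, "PST"

def local_string(utc_iso, rules="2007", dst_enabled=True):
    """Convenience wrapper: ISO-8601 UTC string in, 'YYYY-MM-DD HH:MM ZZZ' out."""
    local, zone = to_pacific(datetime.fromisoformat(utc_iso), rules, dst_enabled)
    return local.strftime("%Y-%m-%d %H:%M ") + zone

if __name__ == "__main__":
    # A constructed file time recorded in UTC during March 2006: only the
    # pre-2007 rules give the correct local time for that year.
    print(local_string("2006-03-20T12:00", "pre-2007"))   # 2006-03-20 04:00 PST
    print(local_string("2006-03-20T12:00", "2007"))       # 2006-03-20 05:00 PDT (wrong rule set)
```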
To acquire and/or run select evidence through the Evidence Processor in a single operation, select Process Evidence from the Add Evidence menu.
It will take a few moments to initialize the Evidence Processor and you will see the status in the bottom right corner. You can run the Evidence Processor using a template with saved or preconfigured settings or you can select the analytic tools to enable and customize their settings prior to running it. If additional evidence becomes available at a later date, you can always rerun the same options on that data. The Evidence Name pane contains checkboxes for acquiring and processing evidence. Note that you must acquire previewed evidence before you can process it. Initially, the checkboxes in the Evidence Name pane are cleared. Check the boxes for the evidence you want to acquire and/or process. If you have already acquired an item of evidence named in the list, you do not need to check the Acquire box for that item. In the following example, we acquire devices 1 and RAM by checking their boxes under Acquire and set them up for processing by checking their boxes under Process.
Use this pane to choose the processor settings to run and to configure them. The toolbar items are:
Change the display format of the options pane
Save the current selection of settings as an Evidence Processor template
Load a saved template to run against the current data
Edit the options for a selected task in the window
Drop-down side menu: allows you to perform actions, such as printing the results and changing the layout of the Evidence Processor panels
Click the Process check box for the TDurden evidence file to enable the Evidence Processor Task list.
A major benefit of the Evidence Processor is that its settings do not require your interaction during operation. Functions marked with the lock cannot be changed or disabled. Functions marked with the red flag cannot be run at a later time on the evidence if they are not selected initially. The following evidence processing functions are available:
Recover folders: Recover files that have been deleted or corrupted on FAT and NTFS volumes
File signature analysis: Determine whether the extension of a file has been altered and whether the extension matches the file type specified by the file's header
Protected file analysis: Identify encrypted and password-protected files with the Passware Encryption Analyzer
Thumbnail creation: Create image thumbnails for faster display in the EnCase GUI
Hash analysis: Generate MD5 and/or SHA1 hash values for files and compare them against your case Hash Library
Expand compound files: Expand compound and compressed files, such as ZIP, RAR, GZ, and Windows registry archives
Find email: Extract individual messages from e-mail archive files, such as PST (Microsoft Outlook), NSF (Lotus Notes), DBX (Microsoft Outlook Express), EDB (Microsoft Exchange), AOL, and MBOX
Find internet artifacts: Collect Internet-related artifacts, such as browser histories and cached web pages. You also have the option to search unallocated space for Internet artifacts.
Search for keywords: Search raw (not transcript) text for specific keywords
Index text and metadata: Create an index for when you need to search for keywords in compound files (Microsoft Office 2007 and 2010) and across large amounts of data. You can adjust the parameters for index creation, such as the minimum word length to index and whether to use a noise file (which excludes specific, common words from the index).
The Evidence Processor contains numerous useful features:
The simultaneous processing of multiple devices
The convenience of acquiring devices right from the Evidence Processor
Saving sets of Evidence Processor options as templates to be run with little or no modification at a later date
The ability to be run from the command line
On-screen instructions that guide you through the use of each setting
Automatic processing of the results from any EnScript modules according to the current processor settings (Index, Keyword search, etc.)
RECOVER FOLDERS
Running the Recover Folders task on FAT partitions searches the unallocated clusters of a specific FAT partition for the dot/double-dot signature of a deleted folder. When the signature matches, EnCase v7 can rebuild the files and folders that were within the deleted folder. On NTFS, this task can recover files and folders from unallocated clusters and continue to parse the current Master File Table (MFT) records for files without parent folders. This operation is particularly useful when a drive has been reformatted or the MFT is corrupted. Recovered files are placed in the gray Recovered Folders virtual folder in the root of the NTFS partition.
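Added example (not EnCase code) of the dot/double-dot signature scan on FAT: a constructed run of unallocated clusters containing one orphaned folder body is scanned, and the folder's own cluster, its parent and its child entries are rebuilt from the 32-byte directory entries. The geometry (512-byte clusters, run starting at cluster 100) and all sample entries are constructed.

```python
import struct

CLUSTER = 512          # constructed geometry: one 512-byte sector per cluster
ATTR_DIR = 0x10        # directory attribute bit
ATTR_ARCHIVE = 0x20    # ordinary file
DOT = b".".ljust(11)        # short name of the '.' entry: "." padded with spaces
DOTDOT = b"..".ljust(11)    # short name of the '..' entry

def dir_entry(name, ext, attr, first_cluster, size=0):
    """Build a 32-byte FAT short-name directory entry (timestamps left zero)."""
    short = (name.ljust(8)[:8] + ext.ljust(3)[:3]).encode("latin-1")
    return (short + bytes([attr]) + bytes(8)
            + struct.pack("<H", first_cluster >> 16)      # first cluster, high word
            + bytes(4)
            + struct.pack("<H", first_cluster & 0xFFFF)   # first cluster, low word
            + struct.pack("<I", size))

def parse_entry(raw):
    """Decode the fields a folder rebuild needs from one directory entry."""
    deleted = raw[0] == 0xE5                 # first byte overwritten on deletion
    name = raw[:8].decode("latin-1").rstrip()
    ext = raw[8:11].decode("latin-1").rstrip()
    if deleted:
        name = "?" + name[1:]                # original first character is lost
    hi = struct.unpack_from("<H", raw, 20)[0]
    lo = struct.unpack_from("<H", raw, 26)[0]
    return {
        "name": f"{name}.{ext}" if ext else name,
        "is_dir": bool(raw[11] & ATTR_DIR),
        "first_cluster": (hi << 16) | lo,
        "size": struct.unpack_from("<I", raw, 28)[0],
        "deleted": deleted,
    }

def find_deleted_folders(unallocated, first_cluster_no):
    """Scan unallocated clusters for the dot/double-dot signature.

    A cluster that begins with a '.' entry followed by a '..' entry, both
    flagged as directories, is the body of a folder; its entry in the parent
    may be gone, but the children listed here can still be rebuilt.
    """
    found = []
    for off in range(0, len(unallocated) - 63, CLUSTER):
        dot, dotdot = unallocated[off:off + 32], unallocated[off + 32:off + 64]
        if not (dot[:11] == DOT and dotdot[:11] == DOTDOT
                and dot[11] & ATTR_DIR and dotdot[11] & ATTR_DIR):
            continue
        children = []
        for pos in range(off + 64, min(off + CLUSTER, len(unallocated) - 31), 32):
            raw = unallocated[pos:pos + 32]
            if raw[0] == 0x00:               # 0x00 marks the end of the listing
                break
            children.append(parse_entry(raw))
        found.append({
            "cluster": first_cluster_no + off // CLUSTER,
            "self": parse_entry(dot)["first_cluster"],
            "parent": parse_entry(dotdot)["first_cluster"],   # 0 means the root
            "children": children,
        })
    return found

# Constructed unallocated run: a junk cluster, the orphaned folder body, more junk.
FOLDER_BODY = (dir_entry(".", "", ATTR_DIR, 101)
               + dir_entry("..", "", ATTR_DIR, 0)
               + dir_entry("\xe5ECRET", "TXT", ATTR_ARCHIVE, 120, 1234)   # deleted child
               + dir_entry("NOTES", "DOC", ATTR_ARCHIVE, 130, 5000))
SAMPLE_UNALLOCATED = bytes(CLUSTER) + FOLDER_BODY.ljust(CLUSTER, b"\x00") + bytes(CLUSTER)

if __name__ == "__main__":
    for folder in find_deleted_folders(SAMPLE_UNALLOCATED, 100):
        print(folder)
```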
THUMBNAIL CREATION
By default, the Evidence Processor generates thumbnails for all image files and stores them as part of the cache. Because thumbnails are smaller and load faster, generating thumbnails significantly improves the speed with which you can work with pictures in EnCase v7.
HASH ANALYSIS
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of binary data written in hexadecimal notation. In EnCase v7, it is the result of a hash function run against any mounted drive, partition, file, or chunk of data. The most common uses for hashes are to:
Identify when a chunk of data changes, which frequently indicates evidence tampering
Verify that data has not changed, in which case the hash should be the same both before and after the verification
Compare a hash value against a library of known good and bad hashes, seeking a match
The Evidence Processor's hash analysis setting allows you to create MD5 and SHA-1 hash values for files, so that you can later use them for the purposes listed above. When you click the Hash Analysis hyperlinked name, the Edit Settings dialog appears, allowing you to select whether to run either or both of these hashing algorithms.
FIND E-MAIL
Select this setting to extract individual messages from e-mail archives. To select the e-mail archive types to search for messages:
1. Click Find Email
2. Click the e-mail archive file types whose messages you want to examine and click OK
3. Check the Search for Additional Lost or Deleted Items box to search for deleted e-mails
After processing is completed, EnCase v7 can analyze the component files extracted from the archives, according to the other Evidence Processor settings you selected.
Thread E-mail
By default, the Evidence Processor performs a thread analysis on e-mail messages that it processes. Once your evidence has been processed, you can track the different e-mail threads and communication patterns among senders and receivers of the messages with the Show conversation and Show related messages e-mail features.
To edit the keyword settings, click Search for keywords. The Edit keyword list dialog appears.
In the dialog, use the checkboxes and toolbar items to:
Add a keyword list to a file
Add new keywords
Edit keywords
Delete keywords
Specify where and how to search
Change the layout of the keyword table
New Keyword
To add a new keyword, click New in the Edit keyword dialog. The New Keyword dialog appears.
1. Search Expression: Enter your search expression in this box. It may be a simple keyword, a phrase, or a GREP expression.
2. Code Page: If you intend to search for keywords using a different character set, you may need to change the code page. In that case, click the Code Page tab, scroll through the list, and check the code page Name you want.
3. Name: Although not required, you may enter a descriptive name that will help you remember what the search expression is intended to find. This is very useful with GREP search expressions and foreign language searches.
4. Case Sensitive: EnCase v7 will locate the keyword regardless of the individual characters' case unless this box is checked. If checked, EnCase v7 will only locate the keyword if its case matches the search expression entered.
5. GREP: The GREP option must be selected when utilizing GREP search characters. GREP is used to narrow the search, limit false-positive search hits, and handle those cases where only certain portions of the keyword being sought are known.
6. ANSI Latin-1: This default option will search for characters contained within the ANSI Latin-1 code page, which is the default code page for the Microsoft Windows operating system. In earlier versions of EnCase software, this option was called Active Code Page. Since the active code page varied according to the code page enabled on your computer, this option was replaced by ANSI Latin-1 to ensure consistent results.
7. Unicode: Unicode was developed in direct response to foreign language character sets. Most MS Office products use Unicode, as do Windows 2000, XP, Vista, and 7. Enabling both the ANSI Latin-1 and Unicode options will locate both ASCII and Unicode characters. However, selecting the Unicode option alone (without the ANSI Latin-1 option or an appropriate code page selected) will find data stored in Unicode only. For more details on Unicode, please see http://www.unicode.org.
8. Unicode Big-Endian: A non-Intel data formatting scheme that stores multiple-byte numerical values with the most significant byte first, which is the reverse of little-endian.
9. UTF-8: UTF stands for Universal Character Set Transformation Format. Applications have several options for how they encode Unicode. The most common encoding is UTF-8, which is the 8-bit form of Unicode. This option offers foreign language support.
10. UTF-7: UTF-7 is a special format that encodes Unicode characters within US-ASCII in a way that all mail systems can accommodate.
11. Whole Word: EnCase v7 will locate the keyword only as a whole word, not within a larger word (i.e., Chris but not Christopher).
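Added example, not part of the course, showing why the code page options matter: a constructed byte buffer holds the same word stored as ANSI Latin-1, UTF-16LE (the Unicode option), UTF-16BE and UTF-8, and a search function encodes the keyword once per selected option, with Case Sensitive and Whole Word handling. GREP is left out; the search expression is taken literally.

```python
import re

# Constructed evidence bytes: one word in four encodings plus a longer word
# that contains it (offsets noted for the reader).
SAMPLE = (
    b"Chris sent it. "                              # offset 0, ASCII/Latin-1
    + "Chris".encode("utf-16-le") + b"\x00\x00"     # offset 15, UTF-16LE
    + "Chris".encode("utf-16-be") + b" "            # offset 27, UTF-16BE
    + b"Christopher "                               # offset 38, not a whole word
    + "M\u00fcller".encode("utf-8") + b" "          # offset 50, UTF-8 (2-byte u-umlaut)
    + "M\u00fcller".encode("latin-1")               # offset 58, Latin-1 (1-byte u-umlaut)
)

# The dialog's options and the byte encoding each one searches for.
CODE_PAGES = {
    "ANSI Latin-1": "latin-1",
    "Unicode": "utf-16-le",
    "Unicode Big-Endian": "utf-16-be",
    "UTF-8": "utf-8",
}

def _neighbor_is_word_char(data, enc, start, end, before):
    """Decode the character next to data[start:end] and test it for alnum.

    One code unit is examined (2 bytes for UTF-16, 1 otherwise), which is
    exact for ASCII neighbours and a safe 'not a letter' for anything else.
    """
    width = 2 if enc.startswith("utf-16") else 1
    lo, hi = (start - width, start) if before else (end, end + width)
    chunk = data[lo:hi] if lo >= 0 else b""
    if len(chunk) != width:
        return False
    return chunk.decode(enc, errors="replace").isalnum()

def keyword_hits(data, keyword, options, case_sensitive=False, whole_word=False):
    """Return (option, byte offset) pairs, sorted by offset, for each raw hit.

    The keyword is encoded once per selected option and matched against the
    raw bytes; choosing only "Unicode" therefore never sees ASCII/Latin-1
    text. Case folding uses re.IGNORECASE on bytes, so ASCII letters only.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = []
    for option in options:
        enc = CODE_PAGES[option]
        pattern = re.escape(keyword.encode(enc))
        for m in re.finditer(pattern, data, flags):
            if whole_word and (
                _neighbor_is_word_char(data, enc, m.start(), m.end(), True)
                or _neighbor_is_word_char(data, enc, m.start(), m.end(), False)
            ):
                continue
            hits.append((option, m.start()))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    print(keyword_hits(SAMPLE, "Chris", ["Unicode"]))           # misses the ASCII copies
    print(keyword_hits(SAMPLE, "Chris", list(CODE_PAGES), whole_word=True))
```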
Other Keyword Search Options
Search entry slack: This option tells EnCase v7 to search the slack area, which extends from the end of the logical data to the end of the physical file, for all items searched.
Use initialized size: This option tells EnCase v7 to search only the initialized size of an entry as opposed to the logical or physical size. When a file is opened on the NTFS file system, if the initialized size is smaller than the logical size, the space after the initialized size is zeroed out. Searching the initialized size searches only data a user would see within a file.
Undelete entries before searching: This option will logically undelete deleted files prior to searching. If a file is deleted, EnCase v7 and other tools can determine whether the assigned starting cluster is currently assigned to another file (if it is, then the file is deemed deleted/overwritten). The unallocated clusters after the starting cluster may or may not belong to the deleted file. Choosing this option assumes that the unallocated clusters after the starting cluster do belong to the deleted file. This is the same assumption made when copying out a deleted file. Choosing this option will find a keyword fragmented between the starting cluster and the subsequent unallocated cluster. If determining the presence of a keyword on the media is critical to an investigation, you should also search for portions of the keyword, including GREP search expressions for fragments of the keyword.
Search only slack area of entries in Hash Library: This option is used in conjunction with a hash analysis. If a file is identified from the hash library, then it will not be searched. However, the slack area behind the file (as described previously) will be searched. If this option is turned off, EnCase v7 will ignore the hash analysis.
File slack: The area between the end of a file and the end of the last cluster or sector used by that file.
Unallocated space: The sectors that are not associated with an allocated file; the free space of a disk or volume.
Unallocated space consists of either unwritten-to sectors or previously written-to sectors that no longer have historical attribution data associated with them. All these sectors are aggregated into Unallocated Clusters. Unallocated Clusters are then divided into multiple sections, and these sections are indexed with shared metadata. If a word at the end of one section of text spans into another section of text, that word is skipped and not included in the indexed sections of text.
The Evidence Processor uses identification processes to identify and differentiate ASCII, UTF-8/16/32 encodings as well as a number of East Asian and western codepages. The Evidence Processor uses built-in intelligence to index any text residing in slack and unallocated space. NOTE: Indexing with East Asian script support is recommended, especially when Index Slack and Unallocated is enabled. The additional processing enabled by this option prevents meaningless strings that are otherwise identified as Unicode strings with Asian characters from being added to the index.
Sectors that are not assigned to any partition scheme fall under Unused Disk Area. The Evidence Processor handles these sectors and Unallocated Clusters similarly. The following procedure provides the steps for including slack bytes and unallocated space when indexing text. After you have selected the evidence you want to acquire and process with the Evidence Processor, select the Index text checkbox and click Index text. The Edit Settings dialog displays.
1. If you want to use a noise file, specify or browse to the file path of your noise file
2. Set the minimum word length (1-128 characters) for indexed text
3. Select the checkbox for index slack and unallocated
4. If you want to index only the slack area of either known items or all items in the hash library, select the corresponding checkbox
5. To index using East Asian script support, select the corresponding checkbox
6. Click OK
Personal Information
Credit Cards: Search document, database, and Internet files as categorized by the EnCase File Types for the following credit card number formats: Visa, MasterCard, American Express, and Discover
o Utilizes credit-card industry algorithms to validate the credit card number with about 90% accuracy
Phone Numbers: Search document, database, and Internet files as categorized by the EnCase File Types for phone numbers with and/or without the area code
Email: Search document, database, and Internet files as categorized by the EnCase File Types for e-mail addresses
Social Security Numbers: Search document, database, and Internet files as categorized by the EnCase File Types for nine-digit United States Social Security numbers
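Added example, not EnCase's implementation: a simplified version of the Credit Cards check in Python, using per-brand prefix and length formats (assumed and simplified) followed by the Luhn check-digit algorithm, which is the industry validation that discards most random digit runs. The sample text is constructed from well-known test numbers.

```python
import re

# Simplified brand formats (assumed for this example, not EnCase's tables).
BRAND_PATTERNS = {
    "Visa": r"4\d{12}(?:\d{3})?",          # 13 or 16 digits, leading 4
    "MasterCard": r"5[1-5]\d{14}",         # 16 digits, 51-55
    "American Express": r"3[47]\d{13}",    # 15 digits, 34 or 37
    "Discover": r"6011\d{12}",             # 16 digits, 6011
}

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit test: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return (brand, digits) for every candidate that matches a brand format
    and passes Luhn; everything else is treated as a false positive."""
    results = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        for brand, pattern in BRAND_PATTERNS.items():
            if re.fullmatch(pattern, digits) and luhn_ok(digits):
                results.append((brand, digits))
                break
    return results

# Constructed sample text; the numbers are published test numbers, not real cards.
SAMPLE_TEXT = ("Card 4111 1111 1111 1111 exp 12/14, backup 4111-1111-1111-1112, "
               "amex 378282246310005, order 6011111111111117, phone 6262299191, "
               "ref 5500000000000004")

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_TEXT))   # the -1112 number fails Luhn, the phone number is too short
```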
MODULES
The Evidence Processor has the ability to run add-in modules during processing. Some modules will ship as part of EnCase v7 and you can add your own modules as well. Click on the Modules folder to open it and access additional evidence processing features. You should select the modules that are relevant to your case. The modules will add additional time to your processing, depending on the size of the evidence and the type of module selected as well as the module settings. Searching the unallocated clusters for evidence fragments, for example, will increase the processing time. NOTE: As best practice, you should not enable all modules by default. We will outline the essential function of each module.
System Info Parser: Report on the core system information for Linux and Windows, including:
o Startup routine (Linux only)
o User activity (Linux only)
o Operating system
o Hardware
o Software
o Accounts/users
o Network information
o Shared/mapped drives
o USB Devices
o Network Shares
o Advanced: Windows Registry (Time zone setting, Auto start, Hardware, User activity, User defined keys, Networking and other autorun)
When you select the System Info option in the Evidence Processor, you can search NetShare and USB registry information in the Records tab. You can see the UNC path visit history and the history of connected devices, and you can correlate USB devices to their drive letters.
IM Parser: Search for Instant Messenger artifacts from MSN, Yahoo, and AOL Instant Messenger clients. These artifacts include messages and buddy-list contents. It also allows you to select where to search from several general location categories.
File Carver: Search evidence for file fragments based on a specific set of parameters, such as known file size and file
o The EnCase File Carver function automatically checks file headers for file length information and, by default, uses the actual number of bytes carved. This produces more accurate carved files. When there is no file length information in the header, the footer or the default length is used. This additional parsing is not user configurable.
o Search all or selected files, file slack, and/or unallocated clusters for deleted or embedded files by header
o Over 300 file types are supported for carving, including HTML files and webmail carved by keywords
Running the File Carver in the Evidence Processor gives you three options: you can select from the full file types table, from the optimized file types table, or from both. Optimized file types include:
Compound document file
Outlook personal folder
Audio Video Interleave
Flash video files
Enhanced Metafile Graphic
Microsoft bitmap format
When the File Carver finishes, you can see the files carved and optionally export the files for review.
Windows Event Log Parser: Locate and parse Windows Event Logs
Windows Artifact Parser:
o Link files
o Recycle Bin files
o MFT (NTFS Master File Table) transactions
o All or selected files, and/or unallocated clusters
Unix Login: Search UNIX log files for specific events
Linux Syslog Parser: Search Linux syslog files for specific events
Snapshot (Live preview of devices only): Running processes, open ports, logged on users, etc.
For now, select System Info Parser and Windows Artifacts Parser.
After finishing the EnCase Evidence Processor configuration, click OK. The time required to complete the processing depends on the size of the evidence and the processing options selected; processing power, RAM, disk I/O, etc., all affect the speed. NOTE: With the options selected in the example, it will take several hours to fully process the evidence, depending on your machine's processor, RAM, hard drives, etc. However, you can continue to browse, examine, and bookmark the evidence as you would with prior versions of EnCase.
You will see the Evidence Processor running in the lower right corner, and you can continue your analysis of the evidence while it processes.
As the modules are processed, you will see the status change.
1. Select the checkboxes of the devices you want to add to the preview and click Finish
2.
3. Under Process, select the checkboxes for the live devices you want to process
4. Review and, if necessary, modify the current processing options
5. Click OK
EnCase v7 provides core enhancements to searching, such as:
o The ability to search across multiple types of data, including files, e-mail, and Internet history, as well as view the results on a single screen
o A powerful index search capability
o The ability to search based on user-customized tags
SEARCH TYPES
There are three principal methods of searching through evidence in EnCase v7:
o Index searches: Evidence data is indexed through the EnCase Evidence Processor prior to searching
o Raw searches: Searches based on non-indexed, raw data
o Tag searches: Searches based on user-defined tags
INDEX SEARCHES
Using the Evidence Processor, you create an index, a list of words from the contents of a device. The index entries contain pointers to the occurrences of the specific word on the device. There are two steps to using indexes:
o Generating an index (covered in the previous Processing Evidence Files lesson)
o Searching an index
Generating an index creates index files associated with devices. Creating an index can be time consuming, depending on the amount of evidence you are indexing as well as the capabilities of your computer hardware. Evidence file size, and thus the resultant index size, is an important consideration when building an index. Attempts to index extremely large evidence files can tax a computer's resources.
You generate a search index early in the EnCase v7 workflow sequence as follows:
o Make sure that your case contains the device you want to index
o As you may recall from a prior lesson, click Process Evidence from the Evidence menu
o The Evidence Processor displays; this dialog contains the selection for indexing text
During the creation of an index, the transcript text of the file is extracted using Outside In technology, and then the text is broken into words that are added to the index. Unlike raw keyword searches, indexing is done against the transcript content of the file so that text contained in compound files, such as Microsoft Office 2007 and 2010 files, can be properly identified. Although EnCase v7 does not create a transcript of slack space and unallocated space, they are processed and broken into words in the best manner possible so that EnCase v7 can find hits in those areas also. Index searching (queries) allows you to rapidly search for terms in the generated index and it is the recommended type of search in EnCase v7.
2. In the Index window, enter the keyword(s) to query the Index, such as Tyler.
3. A dynamic list is displayed on the right side of the window, showing the terms in the index and the number of occurrences of each term. This is extremely helpful when crafting a query, since you can immediately see whether the term exists in the index.
4. EnCase v7 will show you all words in the index that start with the term you have typed and will dynamically update the list as you type additional letters. At any time you can double-click on a query term to show the information about that term. Click on the Play button to run the query.
5. EnCase v7 will run the query and display the results in the Table Pane of the Search view. You can review the file entries that contain the search term; for example, the webpage search[1].htm displays as follows. For examples of index query options, see Appendix A, Index Queries, at the end of this manual.
The Index query hits are displayed in yellow in the Transcript tab of the View Pane. Use the Next Hit button to view the search hit in a large file. NOTE: Raw Keyword search hits can be viewed in the Text tab.
When appropriate, you can switch over to the Results tab to view the saved results.
You will be taken to the Entries view of the Search Results tab to analyze the evidence in context.
You can bookmark the evidence from either the Search, Results or the Evidence view.
You can add a comment to the bookmarked evidence and have the ability to use previous comments to save time.
Choose the folder in the case template to add the evidence to, or create a new folder. The destination defaults to the last-selected folder to save time, so you don't have to select the destination folder for each bookmark.
Use the Back button to return to the Search Results view of the query results.
FIND RELATED
New to EnCase v7 is the Find related button, allowing you to find related files and folders by name or by time. In this instance, in the Results view you found a link file called Nasty.lnk, showing that the user knew the folder or file was on the computer system and made an affirmative act by manually opening the folder or file. This would be a good artifact to bookmark and an investigative lead to follow.
The name will appear in a new Index query. Click on the hyperlink below the Index window to see the results in the Table Pane.
Shorten the text query to Nasty to see additional related items of evidence. Click on the hyperlink to see the results in the Table Pane.
When you find a file you wish to investigate further, use the Go to file button to view it in the context of the Evidence folder structure.
In this case, the file was located because it is in the folder called Nasty. As you can see, the index allows searching on both file content and metadata.
If the file is a picture, you can use the Picture view in the View Pane to show the image.
You can look at the Permissions tab to see that tyler.durden has access permission for the file.
And then you may wish to add the evidence to your report template with a bookmark on all of the files.
NOTE: If you bookmark several files at once, you are not able to add a Bookmark comment. If you wish to add a comment, bookmark a Single File.
2.
3. Click on the hyperlink for the desired keyword to display the results in the Table Pane
You can review the file entries that contain the search term; for example, the document called Fälschungen.doc displays as shown in the following screenshot. Fälschungen means counterfeiting in German. Use the Next Hit button to view the search hit in a large file.
You will be taken to the Entries view of the Search tab to analyze the evidence in context.
RAW SEARCHES
Although index searching is the recommended type of search, there may be times when you want to perform a search across the raw contents of a device. In those cases, you can perform a keyword or non-indexed search on your case data. Because keyword searching only searches the raw binary form of a file, some content may not be discovered if it is compressed or obfuscated. To perform a raw keyword search on your data, make sure that your case contains the device that you want to search. For information, see the Search for Keywords option of the Evidence Processor.
In addition to keyword searching using the Evidence Processor, you can also initiate a raw keyword search of one or more devices from the Evidence tab. To initiate a search in this manner, follow these steps:
1. Navigate to the Evidence tab and then to the top level of the tab (using the View drop-down menu on the tab toolbar)
2. Select the device or devices that you wish to search using the checkboxes on the left side of the table
3. Select Raw Search All from the tab toolbar
4.
5. Add the keywords and options that you wish to use, just like in the Evidence Processor, and select OK
TAG SEARCHES
EnCase v7 also provides the capability to search for instances of a particular tag that you have created. Suppose you create a collection of three tags associated with pieces of evidence, one of which is named Submit to National Child Victim Identification Program. You can search through your evidence for all instances of that tag and the result set that displays will consist only of evidence with that tag. You can also tag files in this view. For more information, see Lesson 9, Bookmarking and Tagging Your Findings.
SEARCH SUMMARY
To see a description of all active search criteria click the Summary tab.
FILE TYPES
When an evidence file is opened in EnCase v7, the file system contained on the device is parsed and displayed for browsing in the Evidence Viewing (Entry) tab. Files may be navigated and viewed in the table area of the Table Pane. EnCase v7 displays files, folders, and other objects on the media, including those that are deleted or overwritten, by maintaining invalid starting cluster addresses as well as other attributes or characteristics. The Description column provides information regarding the object's attributes, status (allocated or deleted), and other details dependent upon what the entry represents. To remove unnecessary complexity in EnCase v7, the File Types, File Viewers, and File Signatures tables of previous versions of EnCase software are now contained in one location, the File Types view. Click on the View menu and select File Types.
FILE SIGNATURES
As stated previously, the File Signatures table has been incorporated into File Types in EnCase v7. There are thousands of file types. Some file types have been standardized. The International Standards Organization (ISO) and the International Telecommunications Union, Telecommunication Standardization Sector (ITU-T) are working to standardize different types of electronic data. Typical graphical images, such as the JPEG (Joint Photographic Experts Group), have been standardized by both of these organizations. When file types become standardized, a signature or header that programs can recognize usually precedes the data. File headers are the first few bytes of a file and are associated with specific file extensions. File extensions are the three or four characters that follow the last dot in a filename. They reveal the type of data that the file represents. If one were to see a .TXT extension, a data type of text would be expected. Many programs rely specifically on the extension to reflect the proper data type. Windows, for example, associates file types with applications programs by use of file extensions. Some users have been known to change file extensions to hide the true nature of the files. A JPEG (image file) that has an incorrect extension, such as .DLL, will not be recognized by most programs as a picture.
By default, EnCase v7 displays graphic files, such as the one mentioned in the previous example, in the Gallery view based on their extensions. By running the file signature analysis process, EnCase v7 compares the file's signature with the extension of the file, and then compares both with the File Types table to determine if the file extension has been changed. This process is essential to properly identify and classify files on a subject's hard drive.
The File Types table contains the following information about each type of file:
o Name (required): Name of the file type
o Extensions (Extensions or Header required): Extension(s) of the file type
o Category (required): The category of the file (used for the Entry Description)
o Viewer (required): The default viewer if the file is opened from EnCase v7
o Header Signature (Extensions or Header required): Header associated with the file type; may be a keyword string or GREP expression
o Header GREP: True or false for correct searching/analysis
o Header Case Sensitive: True or false for correct searching/analysis
o Footer Signature: If available; used for file carving
o Footer GREP: True or false for correct searching/analysis
o Footer Case Sensitive: True or false for correct searching/analysis
o Unique Tag: Allows filtering for the file type tag (signature) with a unique tag name for the file type
o Default Length: 0 unless changed by user
o User Defined: If you edit or create a new file type, it will be marked True as user defined (this will prevent it from being overwritten when an update is released by Guidance Software)
o Disabled: Check the box to disable the File Type for file signature analysis
Before a File Signature Analysis is run with the Evidence Processor, the Evidence tab Entry columns will display the following:
o Signature Analysis: Blank
o File Type: Blank
You can also run the File Signature and Hash Analysis independent of the Evidence Processor. Select the desired files and choose the Entries drop-down menu. Select Hash\Sig Selected.
Select the options for hashing and file signatures and click OK.
After Signature Analysis, the columns will display the results of the analysis:
o Match
  Signature matches a File Type Header and the Extension is included in the extensions for that File Type
  Signature does not match any File Type Header, but there is a File Type that matches the extension; for example, a .txt file with data at the beginning of the file not defined as a header within the File Signatures table is identified as a Match
o Alias
  Signature matches a File Type Search Expression Header, but the extension is not included in the extensions for that File Type
o Bad Signature
  Signature does not match any File Type Header, but there is a matching File Type Extension
o Unknown
  Signature does not match any File Type Header and there is no matching File Type Extension
Now that the columns are aligned, start examining the file signatures. Use the Set Included Folders option to display all entries in the Table view. Sort the columns in the following order:
o First level: Signature Analysis
o Second level: File Type
o Third level: Name
The arrows on each column heading should appear as they are displayed in the following screenshot. NOTE: Shift-double-click to enable secondary sorts.
To examine the signatures, scroll up or down while viewing the Signature column.
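As an added example that is not part of this manual or of EnCase, the following Python script applies the Match, Alias, Bad Signature and Unknown rules above to a constructed File Types table and orders the output with the three-level sort just described. The table rows, the sample entries and the reading of the .txt rule as "a type that defines no header" are assumptions.

```python
"""Simplified file signature analysis modelled on the EnCase File Types table.

Added example, not EnCase code. FILE_TYPES is a constructed subset of a File
Types table; the header bytes are the well-known magic values of each format.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class FileType:
    """One row of the (simplified) File Types table."""
    name: str
    extensions: Tuple[str, ...]
    header: Optional[bytes] = None  # None: defined by extension only (e.g. text)
    footer: Optional[bytes] = None  # used by the carver, not by signature analysis


# Constructed table. The extension-only "Text" row models the .txt case in the
# text: its files are reported as Match whatever bytes they start with (assumption).
FILE_TYPES: List[FileType] = [
    FileType("JPEG Image", ("jpg", "jpeg"), header=b"\xff\xd8\xff", footer=b"\xff\xd9"),
    FileType("Portable Network Graphic", ("png",), header=b"\x89PNG\r\n\x1a\n"),
    FileType("Windows Executable", ("exe", "dll"), header=b"MZ"),
    FileType("ZIP Archive", ("zip", "docx", "xlsx"), header=b"PK\x03\x04"),
    FileType("Text", ("txt", "log")),
]


def extension_of(file_name: str) -> str:
    """Characters after the last dot, lower-cased; empty when there is no dot."""
    base = file_name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def match_header(data: bytes) -> Optional[FileType]:
    """First row whose header signature appears at the start of the data."""
    for ft in FILE_TYPES:
        if ft.header is not None and data.startswith(ft.header):
            return ft
    return None


def match_extension(ext: str) -> Optional[FileType]:
    """First row that lists the extension."""
    for ft in FILE_TYPES:
        if ext in ft.extensions:
            return ft
    return None


def analyze(file_name: str, data: bytes) -> Tuple[str, str]:
    """Return (Signature Analysis result, File Type name) for one entry.

    Match:         header matches a type and the extension belongs to it, or no
                   header matches but the extension belongs to a type with no header
    Alias:         header matches a type but the extension is not one of its extensions
    Bad Signature: no header matches, but the extension belongs to a type that has a header
    Unknown:       neither header nor extension matches
    """
    ext = extension_of(file_name)
    by_header = match_header(data)
    if by_header is not None:
        return ("Match" if ext in by_header.extensions else "Alias"), by_header.name
    by_ext = match_extension(ext)
    if by_ext is not None:
        return ("Match" if by_ext.header is None else "Bad Signature"), by_ext.name
    return "Unknown", ""


def signature_report(entries: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Rows (Signature Analysis, File Type, Name) in the text's three-level sort order."""
    rows = [(*analyze(name, data), name) for name, data in entries]
    return sorted(rows, key=lambda r: (r[0], r[1], r[2]))


if __name__ == "__main__":
    # Constructed entries: a renamed JPEG (the .DLL case from the text), a file
    # with an executable extension but no MZ header, a text file and an unknown blob.
    sample = [
        ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("holiday.dll", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("setup.exe", b"\x00\x00\x00\x00"),
        ("notes.txt", b"meeting at noon"),
        ("blob.bin", b"\x00\x01\x02\x03"),
    ]
    for result, file_type, name in signature_report(sample):
        print(f"{result:14} {file_type:26} {name}")
```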
You can bookmark discovered evidence items. Blue-check the entries, right-click, and choose Bookmark, then Selected Items. You can also use the Bookmark drop-down on the menu bar.
You can also activate the File Type Tag column to aid in your investigation. This will show you the Unique Tag for the File Type validated in the File Signature Analysis.
PROCESSED EVIDENCE
The processed evidence will be found under the Records view.
The processed compound files are in the Records view, where you can browse individual files under the Archive folder.
To search and view data across multiple archives, run an Index query and review the results in the Search tab.
The compressed files are displayed under the Archive folder where they can be sorted and browsed for an examination. Click on the blue hyperlinked name of the archive to open it for review.
You can open the compound file and view the contents. In this case, it is a steganography program, which you may wish to Bookmark as relevant evidence.
INTERNET ARTIFACTS
To review the processed Internet artifacts, select the Internet folder in the Tree Pane and then the Internet hyperlink in the Table Pane.
The Internet browsers with discovered and processed artifacts will be displayed in folders, such as Internet Explorer and Mozilla, as shown in the following figure. If applicable, recovered artifacts that cannot be associated with a specific browser are placed in an Unknown Browser folder.
Currently, six browsers are supported. They are:
o Internet Explorer
o Macintosh Internet Explorer
o Safari
o Firefox
o Opera
o Chrome
NOTE: The difference between a regular search for Internet artifacts and a search of Internet artifacts in the unallocated clusters is that keywords are added internally and marked with a special tag indicating that they are for Internet history searching only.
This gives you the option to search allocated or unallocated files for these Internet Explorer 9 artifacts. When processing is finished, you can also view and search inside Internet history items for these artifacts.
Term: Definition
History: A list of Web sites recently visited. This typically consists of Web sites, usage, and time related data.
Cookies: A list of recent authentication and session data for sites with persistent usage. This typically consists of Web site, expiration times, and site-specific cookie data.
Cache: A list of recently cached files.
Downloads: A list of recently downloaded files, typically consisting of Web sites, file names, location, size, and date.
Keyword Searches: A list of recent keyword searches. This typically consists of search terms and the search result page.
Logins: A list of login data. This typically consists of Web sites, username, password, and SSL information.
Top Sites: A list of top Web sites such as Web site information, rank, thumbnails, and redirect information.
NOTE: EnCase does not currently provide the ability to recover Google Chrome Internet artifacts from unallocated clusters.
Firefox Artifacts
As an enhancement to the Search for Internet history function, EnCase parses Firefox artifacts stored in a SQLite database and displays them in the Records tab. The types of Firefox 8 artifacts parsed are:
o Bookmarks
o Cookies
o Downloads
o Keyword Searches
o History
o Form Data
o Cache
o Visited Links
o Web Data
NOTE: The Records tab of an Internet history search for Mozilla Firefox artifacts displays Frecency and Rev Host Name columns.
Frecency is a valid word used by Mozilla; do not mistake it for frequency. For more information, see the Mozilla developer center article at https://developer.mozilla.org/en/The_Places_frecency_algorithm. The value displayed in the Frecency column is the score Mozilla gives to each URL. It combines how frequently a person visits the site and how recently the user visited the site. EnCase displays this value as it is stored in the places.sqlite file. Mozilla stores a URL's host name in reverse; EnCase displays it as such in the Rev Host Name column.
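As an added illustration that is not part of this manual or of EnCase, the following Python code builds a constructed places.sqlite-style database in memory, decodes the reversed host name and the microsecond last_visit_date, and lists places by frecency. The moz_places column set used here is a simplified assumption based on Firefox's schema, and the rows are constructed.

```python
"""Reading Firefox places.sqlite as the Records tab columns describe it.

Added example, not EnCase code. The moz_places table below keeps only the
columns this example needs (assumption: the real table has more columns).
"""
import sqlite3
from datetime import datetime, timezone
from typing import List, Tuple


def host_to_rev_host(host: str) -> str:
    """Firefox stores the host reversed with a trailing dot: www.example.com -> moc.elpmaxe.www."""
    return host[::-1] + "."


def rev_host_to_host(rev_host: str) -> str:
    """Inverse of host_to_rev_host, for reading the Rev Host Name column."""
    return rev_host.rstrip(".")[::-1]


def prtime_to_utc(last_visit_date: int) -> datetime:
    """last_visit_date is PRTime: microseconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(last_visit_date / 1_000_000, tz=timezone.utc)


# Constructed rows: (url, title, host, visit_count, typed, frecency, last_visit_date).
# 'typed' is Firefox's flag that the URL was typed by the user rather than followed.
SAMPLE_PLACES = [
    ("https://www.example.com/", "Example", "www.example.com", 12, 1, 2500, 1_338_940_800_000_000),
    ("https://mail.example.net/inbox", "Inbox", "mail.example.net", 40, 0, 4100, 1_338_854_400_000_000),
    ("https://docs.example.org/guide", "Guide", "docs.example.org", 1, 0, 75, 1_330_000_000_000_000),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database shaped like places.sqlite and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE moz_places (
               id INTEGER PRIMARY KEY,
               url LONGVARCHAR,
               title LONGVARCHAR,
               rev_host LONGVARCHAR,
               visit_count INTEGER DEFAULT 0,
               typed INTEGER DEFAULT 0 NOT NULL,
               frecency INTEGER DEFAULT -1 NOT NULL,
               last_visit_date INTEGER)"""
    )
    conn.executemany(
        "INSERT INTO moz_places (url, title, rev_host, visit_count, typed, frecency, last_visit_date) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(u, t, host_to_rev_host(h), v, ty, f, d) for u, t, h, v, ty, f, d in SAMPLE_PLACES],
    )
    conn.commit()
    return conn


def places_by_frecency(conn: sqlite3.Connection) -> List[Tuple[str, str, int, bool, str]]:
    """Rows as (url, host, frecency, typed, last visit in UTC ISO form), highest frecency first."""
    cur = conn.execute(
        "SELECT url, rev_host, frecency, typed, last_visit_date FROM moz_places "
        "ORDER BY frecency DESC, last_visit_date DESC"
    )
    return [
        (url, rev_host_to_host(rev_host), frecency, bool(typed), prtime_to_utc(last_visit).isoformat())
        for url, rev_host, frecency, typed, last_visit in cur
    ]


if __name__ == "__main__":
    for url, host, frecency, typed, visited in places_by_frecency(build_sample_db()):
        print(f"{frecency:6} {'typed' if typed else '     '} {visited} {host:18} {url}")
```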
Cookies: Text file stored on a hard drive by the web browser; may be used for authentication, shopping, preferences, etc.
NOTE: You can sort on the Name column to make the examination more efficient.
Cache: Files are written to the hard drive to increase the loading speed of frequently visited web pages
HTML: Hypertext Markup Language of visited web pages. Best viewed in the Doc view. Placeholders for images are depicted by the box with the X.
Image: Best viewed in the Gallery view for quick review. The Timeline view will assist with tracking user activity; the Table view contains the URL (Uniform Resource Locator) of the source website and date/time stamps, also available in the Report tab of the Review Pane.
Daily History: URLs from browsing as stored in the Daily History record, including Windows Explorer browsing by the user
Weekly History: URLs from browsing as stored in the Daily History record
Typed URL: URLs typed directly into the browser by the user, as stored in the user's NTUSER.DAT registry file. This is strong evidence of a deliberate act by the user.
o Entries: Files and folders on the file system
o Records: Evidence extracted, such as registry entries, link files, etc.
o Results
o Modules
The results are organized according to the module name as shown in the following screenshot of a deleted image in the Recycle Bin.
Click on the hyperlinked name to examine the multidimensional data, such as V12.jpg. The parsed record is displayed and can be included in a report as a bookmark.
Use the Back button to return to the Evidence Processor Module results.
The Windows Artifact Parser includes other artifacts, such as the Link Parser.
You can bookmark relevant evidence, such as the user accessing the Nasty folder containing previously bookmarked evidence items.
2. Make sure that you either browse and point to an existing hash library or create a new one (this is the hash library to which you will add the hash set)
3. On the Manage Hash Library panel toolbar, click New Hash Set
4. Enter a Hash Set Name and information for Hash Set Category and Hash Set Tags
5. Click OK and click OK again when you are prompted to add the new hash set.
The new hash set is listed under Existing Hash Sets in the Manage Hash Library panel.
7. Choose the Hash Library to which to add the hash items by using the Hash Library Type drop-down menu
  o Select the Primary or Secondary hash library if they are defined, or select Other and browse to a library
8. Once you have selected a library, select one or more previously created hash sets from the Existing Hash Sets window
9. On the Add to Hash Library panel Fields list, select the fields you want to add to the hash library for the selected items
  o Some fields are added by default; however, you can add other optional fields, depending on your needs
  o All fields that are added to the set will be reported when a hash comparison matches a particular hash set; the more fields you add to a set, the larger the set becomes
10. Click OK
11. If the hash values were added to a library that was set as the Primary or Secondary hash library, you can check whether the item was successfully added to the hash set as follows:
  o On the Table tab, highlight the row containing the item
  o In the bottom pane, click Hash Sets; the hash set name, hash library, and other hashing information about the item should appear
E-mail is a key area for forensic investigation; it not only maintains a record of individual and corporate communications, but also contains date stamps, provides additional names or corporate entities, and may contain attachments, all of which can add to an investigation and supply further leads. When e-mail is viewed in a case, EnCase v7 can search for specific kinds of mail and parse its contents for examination. EnCase v7 lets you view e-mail in a format that is similar to common e-mail programs (for example, the Microsoft Office Outlook client). The views are customizable (you can view the data in tree, table, or composite views), allowing you to see only the data you want in the format you find most convenient. EnCase v7 also allows you to track e-mail threads. In most situations, thread tracking can span multiple e-mail repositories, simplifying investigations that were previously complex and time-consuming. You use Find related, Show conversation (e-mail thread) and Find related, Show related messages to view e-mails across multiple repositories. Before conducting your e-mail analysis, make sure that you have already processed your case data with the Evidence Processor Find email selection checked.
A list of processed e-mail archives will be displayed under the Email folder. To open an e-mail archive, click on the hyperlink of the name of the archive.
The Tree-Table and the Traeble views are the most popular for e-mail review. Open the Root folder in the outlook.ost e-mail archive.
In this example, open the folder structure down to the IPM_SUBTREE. In Microsoft Exchange, the public folder database is divided into two trees: the IPM_Subtree and the non-IPM_Subtree. The IPM_Subtree contains folders visible to users and clients; for example, a folder created by Microsoft Outlook exists in the IPM_Subtree. A folder in the IPM_Subtree can be searched, accessed directly by users, and used to store user data. The non-IPM_Subtree contains folders not directly accessible by users, and therefore it will not be found in an e-mail archive on a workstation.[1]
[1] http://technet.microsoft.com/en-us/library/aa997291(EXCHG.65).aspx
You will then be able to examine the e-mail folders, including Deleted Items, Inbox, Sent Items, etc. As you select the e-mails, you will see the attachment icon for e-mail containing attachment(s). In the following image, an expanded tree view of an Outlook.ost file and its folders is shown in the left pane, while the messages belonging to the .ost file are shown in the right pane, and the contents of a selected message are shown in the bottom pane.
To export an e-mail message as a *.msg file, right-click the message and choose Export to *.msg. You can also bookmark the e-mail message from the same context menu.
You can bookmark an e-mail message as a Single item or multiple e-mails at once as Selected items just as you did with evidence entries.
You can double-click on the e-mail to open it and review the attachments.
If the user has organized e-mail into subfolders, those will be available for examination.
To choose which form of threading to examine:
1. In the Records tab, click the Find related menu
2. Click either the Show conversation or Show related messages button
SHOW CONVERSATION
E-mail threading is based on conversation-thread information found in the e-mail message headers. Different e-mail systems use different methods of identifying conversations; for example:
- The header fields Message-ID, In-Reply-To, and References
- The header field Conversation Index
- The header field Thread-Index
EnCase v7 can display conversations for all supported e-mail types except AOL, because AOL messages do not store thread-related information. The feature cannot always reconstruct complete conversations when a conversation includes messages from multiple e-mail systems; for example, EnCase v7 cannot fully recreate a conversation where some users are using Outlook, some Lotus Notes, and others Thunderbird's mbox. Use Find related > Show related messages to aid with those types of investigations. If an e-mail has none of the message header fields listed above, EnCase v7 cannot construct a conversation thread for it; selecting such a message and clicking Show conversation results in a tree containing only the selected message. The following figure shows a conversation list for a selected e-mail (note how the e-mails within the conversation list are identified by their conversation index ID).
If an e-mail message references a message ID that is not found, that message is displayed as <Message not present>, as shown in the following example.
When completed, use the Back button to return to the e-mail archive.
Following is an example of a list of related e-mails. The list is displayed in the left pane; the content of the first e-mail in the list is displayed in the Report tab.
DEDUPLICATING MESSAGES
Multiple copies of an e-mail often exist because:
- An e-mail was sent to multiple e-mail aliases
- The sender's Sent Items and the recipient's Inbox are both in the case, so the same message appears multiple times in different e-mail archives
By default, EnCase hides duplicate e-mail messages in a conversation to avoid displaying the same message multiple times: EnCase v7 deduplicates messages in both the Show conversation and Show related messages views. Deduplication is done on the Message ID, Thread ID, or Conversation ID, depending on the e-mail program that produced the messages. To show all duplicates in a conversation, click Show Duplicates in the Records tab toolbar; duplicate e-mail messages then appear with red alerts that indicate their status.
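The thread reconstruction and deduplication described in this lesson can be reproduced outside EnCase with a short script, which is useful for checking what the tool shows against the raw headers. The following Python example is added here for illustration; it is not EnCase code or an EnScript, and the archive names, Message-IDs and messages it uses are constructed. It builds a conversation tree from the Message-ID, In-Reply-To and References headers, inserts a <Message not present> placeholder for a referenced message that is in no archive, hides the copy of a message that appears in both the sender's Sent Items and the recipient's Inbox, and returns a single-node tree for a message that carries no thread headers.

```python
"""Added example (not EnCase code or EnScript): rebuild an e-mail conversation
from Message-ID / In-Reply-To / References headers and hide duplicate copies
found across several archives."""
import email
from collections import defaultdict

MISSING = "<Message not present>"

# Constructed sample. Archive names and Message-IDs are hypothetical. <m1> sits
# in alice's Sent Items and again in bob's Inbox; <m3> replies to <m2>, which is
# in neither archive; the mbox message carries no thread headers at all.
RAW_MESSAGES = [
    ("alice.ost/Sent Items",
     "Message-ID: <m1@example.test>\nSubject: budget\n\nfirst\n"),
    ("bob.ost/Inbox",
     "Message-ID: <m1@example.test>\nSubject: budget\n\nfirst\n"),
    ("bob.ost/Inbox",
     "Message-ID: <m3@example.test>\nIn-Reply-To: <m2@example.test>\n"
     "References: <m1@example.test> <m2@example.test>\nSubject: Re: budget\n\nthird\n"),
    ("bob.ost/Inbox",
     "Message-ID: <m4@example.test>\nIn-Reply-To: <m1@example.test>\n"
     "References: <m1@example.test>\nSubject: Re: budget\n\nfourth\n"),
    ("carol.mbox",
     "Subject: lunch\n\nno thread headers\n"),
]


def parse_messages(raw_messages):
    """Parse (archive, RFC 822 text) pairs into plain header records."""
    records = []
    for archive, raw in raw_messages:
        msg = email.message_from_string(raw)
        records.append({
            "archive": archive,
            "id": msg.get("Message-ID"),
            "in_reply_to": msg.get("In-Reply-To"),
            "references": (msg.get("References") or "").split(),
            "subject": msg.get("Subject", ""),
        })
    return records


def deduplicate(records):
    """Keep the first copy of each Message-ID; return (unique, duplicates).
    A message without a Message-ID cannot be matched and is always kept."""
    seen, unique, duplicates = set(), [], []
    for rec in records:
        if rec["id"] in seen:
            duplicates.append(rec)
        else:
            if rec["id"]:
                seen.add(rec["id"])
            unique.append(rec)
    return unique, duplicates


def link_threads(records):
    """Build parent and children maps from References/In-Reply-To. Every ID an
    e-mail names becomes a node, so an ancestor absent from the archives still
    gets its place in the tree."""
    parent, children = {}, defaultdict(list)
    for rec in records:
        if not rec["id"]:
            continue
        ancestors = list(rec["references"])
        if rec["in_reply_to"] and rec["in_reply_to"] not in ancestors:
            ancestors.append(rec["in_reply_to"])
        chain = ancestors + [rec["id"]]          # oldest ... newest
        for up, down in zip(chain, chain[1:]):
            if down not in parent:               # first link wins; no cycles
                parent[down] = up
                children[up].append(down)
    return parent, children


def conversation(records, selected):
    """[(message_id, label, depth)] for the thread containing `selected`, root
    first. A message with no thread headers yields only itself."""
    if not selected["id"]:
        return [(None, selected["subject"], 0)]
    by_id = {r["id"]: r for r in records if r["id"]}
    parent, children = link_threads(records)
    root, seen = selected["id"], set()
    while root in parent and root not in seen:   # climb to the oldest ancestor
        seen.add(root)
        root = parent[root]
    out = []

    def walk(node, depth):
        label = by_id[node]["subject"] if node in by_id else MISSING
        out.append((node, label, depth))
        for child in children.get(node, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    unique, dups = deduplicate(parse_messages(RAW_MESSAGES))
    print("hidden duplicates:", [(d["id"], d["archive"]) for d in dups])
    m3 = next(r for r in unique if r["id"] == "<m3@example.test>")
    for _, label, depth in conversation(unique, m3):
        print("  " * depth + label)
```

Run stand-alone, it reports the Inbox copy of <m1@example.test> as hidden and prints the thread rooted at <m1@example.test> with <m2@example.test> shown as the placeholder. The script only uses the Internet-mail headers; Exchange's Thread-Index or Conversation Index is not consulted, so, as the text warns for mixed mail systems, a thread whose messages carry only those headers would come out fragmented.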
To bookmark data into a folder:
1. Click the Bookmarks link on the Case Home page in the Reports section
2. The Bookmarks tab will open
3. Expand the Bookmarks folder to see the tree structure with the bookmarks made thus far in your examination
4. The case template folders will be available to hold your bookmarks, and you can add any desired notes to the folders
5. You can rename, create new, or delete folders as appropriate for your case
6. As a reminder from previous lessons, to bookmark data, select the content from almost any tab and click the Bookmark drop-down menu on the Tab toolbar
7. Select the appropriate bookmark type (Single File or Selected Files), add a name and comment as desired, and click OK
8. View your bookmarks in the Bookmarks tab
Bookmark > Single item
You can add a comment to the bookmarked evidence; previously entered comments can be reused to save time.
Choose the folder in the Case Template in which to add the evidence. It defaults to the last-selected folder to save time, so you don't have to select the destination folder for each bookmark.
NOTE BOOKMARK
From the Bookmarks, Evidence, Records, Search Hits, and other evidentiary views, the Note Bookmark provides more formatting flexibility than the other comment methods discussed thus far. This bookmark is designed for text data of up to one thousand characters. To create a Note Bookmark, right-click in the Table Pane and select Add Note (Insert).
Add the desired text and click OK. For example, a translation of the file names (German : English):
- Fälschungen : Counterfeiting
- Kreditkartenverkauf : Credit Card Sales
- Missbrauch von CC : Abuse of CC
You may change the order of the bookmarks in a folder in the report. Left-click on the entry and drag the entire row to the new position.
You can rename the folder (F2), reorder folders, add new folders, and arrange the examination report as appropriate.
TAGS
The EnCase v7 tagging feature allows you to mark evidence items for review. You define tags on a per-case basis, and default tags can be part of a Case Template. Any item that you can bookmark can also be tagged. You can search for tagged items, view them on the Search Results tab, and view the tags associated with a particular item in an Evidence or Records table. Tag features and characteristics:
- You can create tags as part of a case or add them to a Case Template.
- You can customize each tag with specific colors and display text.
- You can edit saved tags: change their colors and text, hide specific tags from view, and delete a tag.
- Tags are local to a specific case (you cannot create global tags), and the maximum number of tags per case is 63.
- You can directly manipulate tags in the EnCase user interface: change their order, delete them, and so forth.
- You can modify the order in which tags are displayed in the Tag column.
- Once you have created a tag, you can build searches based on tags and also tag search results. You can also combine tags with index and keyword search queries.
- You can create tags using EnScript modules.
CREATING TAGS
To create a tag:
1. From the Records, Evidence, or Bookmark tabs, click Tags on the toolbar
Sample tags are available for you to use as appropriate to your case, such as:
- Review: review later as time permits
- Add to Report: reminder to add to the report
- Follow Up with Submitter: entry or record requiring follow-up discussion or review with the person submitting the evidence for analysis
2. If you wish to add additional tags, click New on the Manage Tags toolbar
3. On the New Tag Item panel, enter a Name, the Display text that you want to appear in the Tag column (use short display names to conserve space in the column), and the Frame Color (foreground and background colors) for the tag; you can also hide or disable the tag by checking its Hidden box. In this example, you create a tag for images depicting apparent minors engaged in sexually explicit conduct for submission to the National Child Victim Identification Program
4. Repeat the steps until you have created the tags you want; you can always add, remove, and rename tags later
5. Click OK and the tag will now be available for your case work
At any time you can display the list of available tags by clicking Tags > Show tag pane; this toggles the Tag pane on and off.
The Manage tags pane will appear in the bottom right corner to assist you in your tag management.
The evidence items will have the tag displayed in the Tag column of the Table Pane.
4. The tag you selected appears in the Tag column of the selected evidence item
One-click Tagging
You can also set a tag by clicking on its position in the Tag column.
1. To set a tag using the Tag column, click the space in the Tag column where the tag would be displayed; the tag then appears there
For example, if you have two tags configured, the first half of the column is used to display the first tag and the second half to display the second tag. Clicking in the first half of the Tag cell for an item applies the first tag to that item, and it then appears in the column. To remove a tag, simply click the tag in the column.
You can change the order of the tags on a row by clicking on a tag and dragging it in the Tag pane.
HIDING A TAG
If you have a tag that you do not currently want to show in the Tag column or the Tag pane, you can hide it using the options in the Manage tags window. This does not delete the tag; it simply hides it from view. To hide a tag:
1. From the Evidence tab, click the Tags button
2. In the Manage tags dialog, check the box in the Hidden column for the tag you want to hide
DELETING TAGS
Tags that you do not want to use can be deleted from the Manage tags window. Deleting a tag removes the tag name from the case, and deletes all references to the tag in the tag database. This
Lesson 10 Reporting
The final phase of a forensic examination is reporting the findings, which must be well organized and presented in a format that the target audience will understand. EnCase v7 has added several enhancements to its reporting capabilities that strengthen this phase of the process. These include:
- The addition of reporting templates that you can use as is or adjust to suit your needs
- The capability to control a report's format, layout, and style
- The ability to add notes and tags to a report
Reports in EnCase v7 consist of two parts:
1. Report templates, which hold the formatting, layout, and style of the report
2. Bookmark folders, where references to specific items and notes are stored
The report template links to bookmark folders to populate content into the report.
- Report Sections: sections contain groups of like information and formatting and provide the ability to organize your report
- Report Formatting: page layout, section design, and text styles
- Report Elements: collections of bookmarks, a key element of the report structure (you do not embed bookmarks into a report template, but embed a reference to the contents of a bookmark folder)
For organization and flexibility in reporting, a report component can be designated as either a Report or a Section, as shown in the Type column of each Table row. Report components typically contain only formatting information for the components beneath them, while Section components contain formatting information and report elements. The columns to the right of Type indicate whether a particular formatting option is user-defined or inherited from the report or section above it in the hierarchy of rows.
To add new reports or sections to the template:
1. Highlight the row above the new element that you want to add
2. Click New on the Table tab
3. Type a name for the new report template component
4. Select a type (Section or Report) for the new template component
5. Select whether you want to customize a Format style by checking its box, or use the default format style by leaving the box clear
6. Click OK
The new template component will appear below the row that you highlighted.
- Section Name: for organizational reference in the template only; it does not populate into the report
- Paper: orientation and size
- Margins: values can be set for top, bottom, left, and right margins
- Header/Footer: you can design a completely customized header or footer that contains Case Info items and other data
- Data Formats: the display characteristics of each bookmark type can be customized, including data style and content
- Section Body Text: the layout and content of each section is specified in the Body Text
- Show Tab: determines whether this report or section is displayed as a tab in the Reports tab
- Excluded: quickly excludes a section from a report if it is not applicable
In the following example, the Margins cell for the Body element is selected and the left and right margins are changed from the default values to one inch.
NOTE: Remember that formatting options are inherited from beginning to end by default. Therefore, in this example, the report components that follow the one you customized will inherit those margin settings unless you edit them.
REPORT STYLES
As in Microsoft Word, styles are used to set text formatting options. EnCase v7 comes with many default styles that can be used in report templates, and you can create your own. You can override a default style by creating a user style with the same name. Options that can be designated in a style include:
- Font type and font size
- Alignment (left, center, right, justified)
- Indenting (left, right, first line)
- Space before/after
- Borders
- Tabs
- Text color
- Background color
2. The ability to edit or delete an existing user style is also found in the toolbar
3. Font, Text Foreground, and Text Background can all be set by double-clicking the appropriate field
VIEWING A REPORT
Once you have configured your report template and added bookmarks to the appropriate folders, there are two ways to view a report:
1. From the Report Templates tab, select View Report from the tab toolbar. This lists all reports that have the Show Tab option set; selecting a report from the menu takes you to the Reports tab to view the selected report
2. Select the Reports tab from the case Home page or the View menu. In the Reports tab you will see a tab for each report that has the Show Tab option set
Reports are generated dynamically every time you switch to a specific report in the Reports tab. To save a report, right-click the report and select Save As. The following output formats are available:
- TEXT
- RTF
- HTML
- XML
- PDF
Once you select the output format, specify a Path and optionally set the Open file option if you want the file to open in the default application after saving.
NOTE: It is recommended that if you wish to edit your report in Microsoft Word, you save the report in RTF format. The EnCase RTF report is completely compatible with Microsoft Word.
- Copy: copy the case file, evidence cache(s), and other required files for case portability between examiners
- Archive: archive the case file, evidence cache(s), other required files, and the evidence files of the case
The case information is displayed, including:
- Current case name and location
- Size of required items
- Size of optional items
- Total size
The Create Package options include:
- Target location to save the case package
- Checkbox for evidence files (only if items exist and are available)
- Checkbox for Primary Evidence cache items (only if items exist)
- Checkbox for Secondary Evidence cache items (only if items exist and Primary is selected)
When the data is backed up to the target folder, each evidence file or file set is put into its own subfolder. A progress bar shows the percentage complete.
2. In the Index window, enter the keyword(s) to query the index, such as Tyler
3. A dynamic list is displayed on the right side of the window, showing the terms in the index and the number of occurrences of each term; this is extremely helpful when crafting a query because you can immediately see whether the term exists in the index. EnCase v7 shows all words in the index that start with the term you have typed and updates the list dynamically as you type additional letters; at any time you can double-click a query term to see the information about that term
Search > New
By default, EnCase v7 searches for items containing all the keywords in the search term. For instance, the search term George Washington searches for all items that contain both the word George and the word Washington.
- You can search for documents containing either keyword by using the OR operator, e.g., George OR Washington
- You can use the AND operator for clarity, e.g., George AND Washington; this produces exactly the same results as the original search term
Proximity
To search for two keywords within a specified number of words of each other, use the w/ operator:
- George w/3 Washington
- Abraham w/5 Lincoln
Exact phrases
You can search for exact phrases using quotation marks (""), which is the same as using the pre/1 operator: "George Washington" is the same as George pre/1 Washington
Finds documents where George is one of the first three words in the document, and
Finds documents where Washington is not any of the last twenty words in the document
The index marks as responsive all items containing the word Bill within five words of either Clinton or Gates.
The index marks as responsive all items that contain both the words Bill and William within five words of both Clinton and Gates.
You can nest parenthetical expressions; for example:
- (George and (Washington or Bush)) finds all items that contain the word George and either of the words Washington or Bush
- Alternatively, ((George and Washington) or Bush) finds all items that contain the words George and Washington, or the word Bush
You can use parentheses to join proximity queries (pre/, w/) to Boolean logic queries (AND, OR). For example, Delaware and (George pre/3 Washington) finds all items that contain the word Delaware and that also contain the word George no more than three words before Washington.
You cannot use parentheses to put a Boolean term into a proximity term. Instead, express such a term as follows: (George pre/3 Washington) and (George pre/3 State)
You can use parentheses to group keywords together within a field:
- [Subject](George Washington)
- [Subject](George pre/2 Washington)
You can use aliases to group together a set of fields:
- [Address] searches the [To], [From], [CC] and [BCC] fields
- [Date] searches the [Accessed], [Created], [Modified], [Written], [Sent] and [Received] fields
Common fields for all items are:
- [Name]: the file name including its extension (the file will not be found unless the query includes the extension)
- [Extension]: the file extension
- [Category]: the category of the file, such as Picture
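To make the operator semantics of this section concrete, the following Python example is added here; it is not EnCase code, and its three-memo corpus and field names are constructed. It evaluates the queries from the preceding pages over a small in-memory index. Queries are written as nested tuples that stand in for the EnCase syntax (the EnCase form is shown beside each); w/n and pre/n are implemented as differences between word positions, so that pre/1 is adjacency, an exact phrase as a run of consecutive tokens, and [Subject](...) as a scope restriction. The corpus is chosen so that Delaware and (George pre/3 Washington) and the rewrite (George pre/3 Washington) and (George pre/3 State) return different items.

```python
"""Added example (not EnCase code): evaluate Boolean, proximity, phrase and
field-scoped queries, written as nested tuples standing in for the EnCase
syntax, over a constructed three-item index."""
import re


def tokenize(text):
    """Lowercase word tokens; punctuation is dropped."""
    return re.findall(r"[a-z0-9]+", text.lower())


# Constructed items with two indexed fields each (hypothetical content).
ITEMS = {
    "memo1.txt": {"subject": "George Washington crossing",
                  "body": "In Delaware, George Washington crossed the river."},
    "memo2.txt": {"subject": "State of the union",
                  "body": "George of Washington State wrote to Delaware."},
    "memo3.txt": {"subject": "Bush",
                  "body": "George Bush spoke; Washington did not."},
}
INDEX = {name: {f: tokenize(t) for f, t in fields.items()}
         for name, fields in ITEMS.items()}


def positions(words, term):
    return [i for i, w in enumerate(words) if w == term]


def within(words, a, b, n):
    """a w/n b: the words occur at most n positions apart, in either order."""
    return any(abs(i - j) <= n for i in positions(words, a) for j in positions(words, b))


def precedes(words, a, b, n):
    """a pre/n b: a occurs at most n positions before b (pre/1 is adjacency)."""
    return any(0 < j - i <= n for i in positions(words, a) for j in positions(words, b))


def phrase(words, text):
    """"a b c" as consecutive tokens; for two words this equals a pre/1 b."""
    want = tokenize(text)
    return any(words[i:i + len(want)] == want for i in range(len(words)))


def evaluate(query, fields, field=None):
    """Evaluate a query tuple over one item. A term matches in any field unless
    a ("field", name, subquery) node narrows the scope, like [Subject](...)."""
    op, args = query[0], query[1:]
    scopes = [fields[field]] if field else list(fields.values())
    if op == "and":
        return all(evaluate(q, fields, field) for q in args)
    if op == "or":
        return any(evaluate(q, fields, field) for q in args)
    if op == "field":
        return evaluate(args[1], fields, args[0])
    if op == "term":
        return any(args[0] in words for words in scopes)
    if op == "phrase":
        return any(phrase(words, args[0]) for words in scopes)
    if op == "w":                                   # ("w", a, b, n)
        return any(within(words, *args) for words in scopes)
    if op == "pre":                                 # ("pre", a, b, n)
        return any(precedes(words, *args) for words in scopes)
    raise ValueError(f"unknown operator {op!r}")


def search(query):
    """Names of responsive items, in index order."""
    return [name for name, fields in INDEX.items() if evaluate(query, fields)]


# EnCase form                                        tuple form
QUERIES = {
    "George Washington":
        ("and", ("term", "george"), ("term", "washington")),
    '"George Washington"':
        ("phrase", "George Washington"),
    "George w/2 Washington":
        ("w", "george", "washington", 2),
    "Delaware and (George pre/3 Washington)":
        ("and", ("term", "delaware"), ("pre", "george", "washington", 3)),
    "(George pre/3 Washington) and (George pre/3 State)":
        ("and", ("pre", "george", "washington", 3), ("pre", "george", "state", 3)),
    "[Subject](George pre/2 Washington)":
        ("field", "subject", ("pre", "george", "washington", 2)),
}

if __name__ == "__main__":
    for text, q in QUERIES.items():
        print(f"{text:52} -> {search(q)}")
```

The default-AND query hits all three memos, the quoted phrase only memo1.txt, and George w/2 Washington drops memo3.txt because its two words are three positions apart. The two pre/ forms differ as the text says they should: the Delaware form returns memo1.txt and memo2.txt, while the rewrite with a second proximity term returns only memo2.txt.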
You can also search for date ranges using an ellipsis (...): [Created]#2004-02-03...2004-02-17#
The previous term searches for any item with a creation date between Feb. 03, 2004 and Feb. 17, 2004. You can search for items before or after a particular date by leaving off one end of the range:
- [Created]#2004-02-03...#
- [Created]#...2004-02-17#
Numeric fields use the same range syntax; for example, [Size]#1000...3000# searches for any item with a size between 1000 bytes and 3000 bytes. You can search for numbers above or below a particular point by leaving one end of the range off:
- [Size]#...3000#
- [Size]#1000...#
You can specify case-sensitive queries for fields: <c>[subject](George pre/3 Washington)
Wildcard for single characters: the ? operator stands as a placeholder for any single character. For instance, c?t results in hits for documents containing cat, cot, and cut, but not caught.
Wildcard for multiple characters: the * operator stands as a placeholder for any number of characters. For instance, ind*
Multiple wildcards: a keyword may contain multiple wildcards (either * or ?), but may not contain wildcards at both the beginning and the end of the word. For instance:
- ind*ia*a
- c?t?
- *fi?y
Using wildcards with punctuation: the wildcards ? and * only work across the following punctuation characters:
- Dash (-)
- Underscore (_)
- Period (.)
- Comma (,)
- At symbol (@)
- Apostrophe (')
NOTE: Punctuation characters will not be found using wildcards if they are at the beginning or end of words.
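The following Python example is added here to show the range and wildcard rules of the last few pages in working form; it is not EnCase code, and its file list and sample sentence are constructed. It implements a #lo...hi# range with either end left open, applied to a date field and to a size field, and ?/* wildcards that may cross the six listed punctuation characters inside a word but never match punctuation at a word boundary, rejecting a keyword with wildcards at both ends. Treating both ends of a range as inclusive is an assumption about EnCase's behaviour.

```python
"""Added example (not EnCase code): #lo...hi# range filters and ?/* wildcard
keywords over a constructed file list and sentence."""
import re
from datetime import date

# Constructed items; the field names mirror [Created] and [Size].
ITEMS = [
    {"name": "cat.txt",     "created": date(2004, 2, 1),  "size": 500},
    {"name": "index.htm",   "created": date(2004, 2, 10), "size": 2048},
    {"name": "indiana.doc", "created": date(2004, 2, 17), "size": 3000},
    {"name": "caught.log",  "created": date(2004, 3, 1),  "size": 9000},
]
CONVERT = {"created": date.fromisoformat, "size": int}


def parse_range(spec):
    """'#lo...hi#' -> (lo, hi) as strings; an omitted end is None."""
    m = re.fullmatch(r"#(.*?)\.\.\.(.*?)#", spec)
    if not m:
        raise ValueError(f"not a range: {spec!r}")
    lo, hi = m.groups()
    return lo or None, hi or None


def select(items, field, spec):
    """Names of items whose field lies in the range. Both ends are treated as
    inclusive (an assumption about EnCase's behaviour)."""
    lo, hi = parse_range(spec)
    conv = CONVERT[field]
    lo_v = conv(lo) if lo else None
    hi_v = conv(hi) if hi else None
    return [it["name"] for it in items
            if (lo_v is None or lo_v <= it[field]) and (hi_v is None or it[field] <= hi_v)]


# A word may contain dash, underscore, period, comma, @ and apostrophe, but
# never starts or ends with one, so a wildcard cannot match punctuation at a
# word boundary.
CHAR = r"[A-Za-z0-9\-_.,@']"
WORD = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9\-_.,@']*[A-Za-z0-9])?")


def is_valid_keyword(keyword):
    """A keyword may hold several wildcards but not one at both ends."""
    return not (len(keyword) > 1 and keyword[0] in "*?" and keyword[-1] in "*?")


def wildcard_regex(keyword):
    """Translate ? (one character) and * (any run) into a whole-word regex."""
    if not is_valid_keyword(keyword):
        raise ValueError(f"wildcards at both ends are not allowed: {keyword!r}")
    parts = []
    for c in keyword:
        parts.append(CHAR if c == "?" else CHAR + "*" if c == "*" else re.escape(c))
    return re.compile("".join(parts), re.IGNORECASE)


def matches(keyword, text):
    """Words of text that the wildcard keyword matches, in order of appearance."""
    rx = wildcard_regex(keyword)
    return [w for w in WORD.findall(text) if rx.fullmatch(w)]


# Constructed sample text.
SAMPLE = ("The cat caught a cot; cute cats sat. Contact joe@example.com "
          "about the fire-wall, the index of Indiana, and the end.")

if __name__ == "__main__":
    print(select(ITEMS, "created", "#2004-02-03...2004-02-17#"))
    print(select(ITEMS, "size", "#1000...#"))
    for kw in ("c?t", "ind*", "ind*ia*a", "c?t?", "jo*.com", "fire*l", "en?."):
        print(f"{kw:10} -> {matches(kw, SAMPLE)}")
```

jo*.com reaches joe@example.com because * may cross @ and a period inside a word, and fire*l reaches fire-wall across the dash; en?. finds nothing even though the text ends with "end.", because the trailing period is not part of the word, which is the boundary rule stated in the NOTE above.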
Stemming (the ~ operator), for example swim~, results in hits for documents containing swim, swims, swimming, swam, swum, etc. Stemming uses the language packs on the server to find words similar to your original term.
When you test your term, a stemming list is added to the term. Stemming lists are contained within the <> characters and clearly display the stems for the keyword. For instance, the default stemming list for swim is: <s:swim swims swims swims swimming swam swum swim>
You can override the default stemming behavior by modifying the stemming list. For instance, <s:swim swam swum> would result in hits for documents containing swam and swum, but not swimming, swims, etc.
You can incorporate stemming into any location where you would use the OR operator. For instance, run~ and [Created]#2002# <s:run ran running runner> results in hits for documents created in 2002 that contain at least one instance of run, ran, running, or runner.
- Name
  - For an Entry item: Entry Name
  - For an Email record: Email Subject
  - For an Internet History record: URL
- Logical Size
- Accessed
  - Entry: Accessed
  - Record: Accessed (PR_ACCESSED)
- Created
  - Entry: Created
  - Record: Created (PR_CREATION_TIME)
- Recipients
The Search Result table displays two additional columns that are dynamically generated based on the items in the table:
- Extension
- Tags