
EnCase® Forensic Imager

VERSION 7.06

USER’S GUIDE


GUIDANCE SOFTWARE | USER’S GUIDE | ENCASE FORENSIC IMAGER

Copyright © 1997-2013 Guidance Software, Inc. All rights reserved.

EnCase®, EnScript®, FastBloc®, Guidance Software® and EnCE® are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.

Contents

EnCase Forensic Imager User's Guide, page 3
  Overview, page 5
  Launching EnCase Forensic Imager, page 5
  Types of Acquisitions, page 5
  Sources of Acquisitions, page 6
  Types of Evidence Files, page 6
    EnCase Evidence Files, page 6
    Logical Evidence Files, page 6
    Raw Image Files, page 7
    Single Files, page 7
  Acquiring a Local Drive, page 7
    Acquiring Non-local Drives, page 7
  Creating Encrypted Evidence Files, page 8
    Creating an Encrypted Logical Evidence File, page 8
    Creating an Encrypted Evidence File, page 16
  Acquiring Other Types of Supported Evidence Files, page 22
  Verifying Evidence Files, page 22
  Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA), page 23
  Using a Write Blocker, page 24
    Windows-based Acquisitions with Tableau and FastBloc Write Blockers, page 24
    Acquiring in Windows without a Tableau or FastBloc Write Blocker, page 25
  Acquiring a Disk Running in Direct ATA Mode, page 25
  Acquiring Disk Configurations, page 26
    Software RAID, page 26
    RAID-10, page 26
    Hardware Disk Configuration, page 27
    Windows NT Software Disk Configurations, page 27
    Support for EXT4 Linux Software RAID Arrays, page 28
    Dynamic Disk, page 28
    Disk Configuration Set Acquired as One Drive, page 28
    Disk Configurations Acquired as Separate Drives, page 29
  Acquiring a DriveSpace Volume, page 30
  Canceling an Acquisition, page 31
  CD-DVD Inspector File Support, page 31
  Reacquiring Evidence, page 31
    Reacquiring Evidence Files, page 31
    Retaining the GUID During Evidence Reacquisition, page 32
  Adding Raw Image Files, page 32
  Restoring a Drive, page 33

EnCase Forensic Imager User's Guide

In This Chapter

Overview

Launching EnCase Forensic Imager

Types of Acquisitions

Sources of Acquisitions

Types of Evidence Files

Acquiring a Local Drive

Creating Encrypted Evidence Files

Acquiring Other Types of Supported Evidence Files

Verifying Evidence Files

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)

Using a Write Blocker

Acquiring a Disk Running in Direct ATA Mode

Acquiring Disk Configurations

Acquiring a DriveSpace Volume

Canceling an Acquisition


CD-DVD Inspector File Support

Reacquiring Evidence

Adding Raw Image Files

Restoring a Drive


Overview

With EnCase Forensic Imager, you can acquire, reacquire, and translate evidence files into EnCase evidence files that include CRC block checks, hash values, compression, and encryption. EnCase Forensic Imager can read and write to current or legacy EnCase evidence files and EnCase Forensic Imager logical evidence files.

With the LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn with EnCase Forensic Imager, you can perform network crossover acquisitions.

This User's Guide provides detailed information about all types of EnCase Forensic Imager acquisitions.

Note: EnCase Forensic Imager is not designed to be run on a suspect system, as it makes changes to the file system, including writing to temporary files.

Launching EnCase Forensic Imager

To launch the application, double click the EnCase Forensic Imager.exe file.

Running the EnCase Forensic Imager executable auto extracts the tool to your Windows Temp directory.

Types of Acquisitions

EnCase Forensic Imager can acquire evidence in four basic formats:

Current EnCase evidence files (.Ex01): .Ex01 format improves upon the .E01 format with LZ compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing, SHA-1 hashing, or both.

Current Logical evidence files (.Lx01): .Lx01 format improves upon the .L01 format with LZ compression and options for MD5 hashing, SHA-1 hashing, or both. Encryption is not available for legacy logical evidence (.L01) files.

Legacy EnCase evidence files (.E01): .E01 format makes current acquisitions accessible to legacy versions of EnCase Forensic Imager.

Legacy Logical evidence files (.L01): .L01 format makes current logical acquisitions accessible to legacy versions of EnCase.


Sources of Acquisitions

Sources for acquisitions within EnCase Forensic Imager include:

Previewed memory or local devices such as hard drives, memory cards, or flash drives.

Evidence files supported by EnCase Forensic Imager, including legacy EnCase evidence files (.E01), legacy logical evidence files (.L01), current EnCase evidence files (.Ex01), current logical evidence files (.Lx01), DD images, VMware files (.vmdk), or Virtual PC files (.vhd). You can use these to create legacy EnCase evidence files and legacy logical evidence files, or you can reacquire them as EnCase Forensic Imager .Ex01 or .Lx01 format, adding encryption, new hashing options, and improved compression.

Single files selected to create a Logical Evidence File from an existing evidence file or an acquired device.

Network crossover using LinEn and EnCase Forensic Imager to create .E01 files or .L01 files. This strategy is useful when you want to preview a device without disassembling the host computer. This is usually the case for a laptop, a machine running a RAID, or a machine running a device with no available supporting controller.

Types of Evidence Files

EnCase Evidence Files

Legacy EnCase evidence files (.E01) are a byte-for-byte representation of a physical device or logical volume. Current EnCase evidence files (.Ex01) can be encrypted; however, .Ex01 files are not backward compatible with legacy versions of EnCase.

EnCase evidence files provide forensic level metadata, the device level hash value, and the content of an acquired device.

Dragging and dropping an .E01 or .Ex01 file anywhere on the EnCase Forensic Imager interface adds it to the currently opened case.

Logical Evidence Files

Logical evidence files (.L01) are created from previews, existing evidence files, or Smartphone acquisitions. These are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in a forensic container.

Current logical evidence files (.Lx01) provide encryption and hashing options, but they are not backward compatible with legacy versions of EnCase.

When an .L01 or .Lx01 file is verified, the stored hash value is compared to the entry's current hash value.

If the hash of the current content does not match the stored hash value, the hash is followed by an asterisk (*).

If no content for the entry was stored upon file creation, but a hash was stored, the hash is not compared to the empty file hash.

If no hash value was stored for the entry upon file creation, no comparison is done, and a new hash value is not populated.
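The three verification rules above, applied to a set of constructed entries, as an added Python example that is not part of this guide or of the EnCase product (the entry model and the sample file names are assumptions made for the illustration, not the .L01/.Lx01 on-disk layout):

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

EMPTY_FILE_MD5 = hashlib.md5(b"").hexdigest()   # d41d8cd98f00b204e9800998ecf8427e


@dataclass
class LefEntry:
    """One entry of a logical evidence file (constructed model, not the real container format)."""
    name: str
    stored_hash: Optional[str]   # MD5 recorded at creation, or None if no hash was stored
    content: Optional[bytes]     # content stored at creation, or None if content was not included


def verify_entry(entry: LefEntry) -> dict:
    """Apply the three rules the guide gives for verifying an .L01/.Lx01 entry.

    Returns what the Hash column would show and whether a comparison took place.
    """
    # Rule 3: no hash stored at creation: nothing is compared and no new hash is populated.
    if entry.stored_hash is None:
        return {"name": entry.name, "hash": None, "compared": False}
    # Rule 2: a hash was stored but no content: the hash must NOT be compared with the
    # empty-file hash, even when the stored value happens to equal it.
    if entry.content is None:
        return {"name": entry.name, "hash": entry.stored_hash, "compared": False}
    # Rule 1: content present: recompute, and mark a mismatch with a trailing asterisk.
    current = hashlib.md5(entry.content).hexdigest()
    shown = entry.stored_hash if current == entry.stored_hash.lower() else entry.stored_hash + "*"
    return {"name": entry.name, "hash": shown, "compared": True}


def verify_all(entries):
    return [verify_entry(e) for e in entries]


def mismatches(entries) -> list:
    """Names of entries whose current content no longer matches the stored hash."""
    return [r["name"] for r in verify_all(entries) if r["hash"] and r["hash"].endswith("*")]


# Constructed sample entries (not taken from any real evidence file).
HELLO_MD5 = "5d41402abc4b2a76b9719d911017c592"          # md5("hello")
SAMPLE = [
    LefEntry("intact.txt", HELLO_MD5, b"hello"),
    LefEntry("changed.txt", HELLO_MD5, b"hellO"),           # content differs from what was hashed
    LefEntry("hash-only.txt", HELLO_MD5, None),             # "Include contents of files" was unchecked
    LefEntry("empty-hash-only.txt", EMPTY_FILE_MD5, None),  # stored hash equals the empty-file hash
    LefEntry("no-hash.txt", None, b"hello"),                # Entry Hash was set to None at creation
]
```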


Raw Image Files

Raw image files are a dump of the device or volume. There are no hash comparisons or CRC checks. Therefore, raw image files are not as forensically sound as EnCase evidence files. Although the files are not in EnCase evidence file format, EnCase Forensic Imager supports a number of popular formats.

Before you can acquire raw image files, they must be added to a case. Raw image files are converted to EnCase Forensic Imager evidence files during the acquisition process, adding CRC checks and hash values if selected.

Single Files

You can export single files from a previewed/mounted device.

Acquiring a Local Drive

Before you begin, verify that the local drive to be acquired was added to the case.

1. To protect the local machine from changing the contents of the drive while its content is being acquired, use a write blocker. See Using a Write Blocker on page 24.

2. Verify that the device being acquired shows in the Tree pane or the Table pane as write protected.

Acquiring Non-local Drives

The LinEn utility acquires non-local drives by performing a network crossover acquisition. When you use the LinEn utility to acquire a disk through a disk-to-disk acquisition, you must add the resulting EnCase evidence file to the case using the Add Device wizard.


Creating Encrypted Evidence Files

Creating an Encrypted Logical Evidence File

To create an encrypted logical evidence file:

1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire > Create Logical Evidence File from the dropdown menu.


Note: The folder highlighted when you click Create Logical Evidence File is treated as the root folder for including entries in the logical evidence file. Only blue checked child entries inside that folder are included. To include files from more than one folder, you must highlight a folder that is a common parent. For instance, in the example above, if you wanted to include files from both the System Volume Information and $Recycle Bin folders, you would need to highlight either C, v7_Sample_Evidence, or Entries.


2. The Create Logical Evidence File dialog displays. It opens to the Location tab by default.


3. In the Location tab:

a. Enter the evidence file name.

b. Enter the evidence number.

c. Enter the case number.

d. Enter the examiner name.

e. Add notes, if desired.

f. Check the Add to existing evidence file checkbox if you want to add this file to an existing logical evidence file. You must specify the output path to an existing logical evidence file that is not locked.

g. Specify the output path for the logical evidence file.


4. In the Logical tab:


Source is the root level folder or device containing blue checked items to include in the logical evidence file.

Files contains the number of files and the total size of the file or files to include in the logical evidence file.

Target folder within Evidence File is an optional user-specified folder that is created inside the logical evidence file. Any selected files in the source location are placed inside this folder. This is useful for organizing multiple additions to a single logical evidence file.

Include contents of files checkbox: If checked, file content data displays in the View pane when you open the logical evidence file.

File in use checkbox: If checked, the hash is computed when the file is read from evidence. This is valuable when previewing live data that may have changed since initially calculating the hash value.

Include original extents checkbox: If checked, original extent information is added to the logical evidence file. Physical Location, Physical sector, and File Extents columns in the logical evidence file will match the original entries.

Include contents of folder objects checkbox: If checked, folder content data displays in the View pane when you open the logical evidence file.

Lock file when completed checkbox: If checked, the logical evidence file is locked after creation.


5. In the Format tab:


a. For the Evidence File Format, select Current (Lx01). This is the default.

b. From the Entry Hash dropdown menu, select a hashing algorithm:

None

MD5 (default)

c. Specify Compression as Enabled (default) or Disabled.

d. Specify the File Segment Size (MB) (minimum: 30MB, maximum 8,796,093,018,112MB, default: 2048MB).

6. Click the Encryption button to open the Encryption Details dialog.

Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder of the current user profile. To save the encryption keys to a different location, right click in the Encryption Details dialog, then click Change Root Path from the dropdown menu.


7. Click the key icon in the upper pane to open the New Encryption Key dialog.


8. Click Next to generate a new encryption key.


9. After the key is generated, the Password dialog displays.


10. Enter a name for the encryption key, then enter a password and enter the password again to confirm it. The Password Quality bar indicates if the password you entered is acceptable.

11. When you have entered an acceptable password, confirm the password, then click Finish.

12. EnCase Forensic Imager prompts you to save the public key file you just created.


13. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just created.


14. Click the checkbox for the new key, then click OK.


Using an Existing Public Key

If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of the current user profile, then click Update.


Creating an Encrypted Evidence File

To create an encrypted evidence file:

1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire > Acquire from the dropdown menu.


Note: If a physical device is added (a device that contains one or more volumes, such as device 2,3,4, etc), EnCase can either acquire the entire physical device, or a single volume contained within that device. It depends on what you highlight in the tree pane.

Highlighting Entries and acquiring acquires the entire physical device.

Highlighting the device number (for example, 1, 2, 3, 4) or the evidence name (for example, Hunter XP or V7_Sample_Evidence) acquires the entire physical device.

Highlighting the volume (C, D, E, F, etc.) acquires that volume.

Highlighting any folder or entry inside a volume acquires only the volume that contains the highlighted entry.

If a volume (not a physical device) is added (for example, C, D, E, F, but not 1, 2, 3, 4), then the volume is acquired regardless of what you highlight.


2. The Acquire Device dialog displays. It opens to the Location tab by default.


3. In the Location tab:

a. Enter the evidence file name.

b. Enter the evidence number.

c. Enter the case number.

d. Enter the examiner name.

e. Add notes, if desired.

f. Restart Acquisition restarts a canceled or disconnected acquisition. If the acquisition was interrupted, but not canceled, that acquisition cannot be restarted.

g. Accept the designated Output Path, or browse to another location.

h. Enter an optional Alternate Path if desired.

4. In the Format tab:


a. For the Evidence File Format, select Current (Ex01). This is the default.


b. Specify Compression as Enabled (default) or Disabled.

c. From the Verification Hash dropdown menu, select a hashing algorithm:

MD5 (default)

SHA-1

MD5 and SHA-1

d. Specify the File Segment Size (MB) (minimum: 30MB, maximum 8,796,093,018,112MB, default: 2048MB).

5. Click the Encryption button to open the Encryption Details dialog.

Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder of the current user profile. To save the encryption keys to a different location, right click in the Encryption Details dialog, then click Change Root Path from the dropdown menu.

6. Click the key icon in the upper pane to open the New Encryption Key dialog.


7. Click Next to generate a new encryption key.


8. After the key is generated, the Password dialog displays.


9. Enter a name for the encryption key, then enter a password and enter the password again to confirm it. The Password Quality bar indicates if the password you entered is acceptable.

10. When you have entered an acceptable password, confirm the password, then click Finish.


11. EnCase Forensic Imager prompts you to save the public key file you just created.


12. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just created.


13. Click the checkbox for the new key, then click OK.


Using an Existing Public Key

If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of the current user profile, then click Update.


Acquiring Other Types of Supported Evidence Files

In addition to the native EnCase Forensic Imager file formats, .Ex01, .E01, .Lx01, and .L01, EnCase Forensic Imager supports SafeBack files (.001), VMware files (.vmdk), and Virtual PC files (.vhd) directly. To add any of these types of evidence files:

1. Select Add Evidence File from the Add Evidence view of the Home tab, or click the Add Evidence dropdown menu while in the Evidence tab and select Add Evidence File.

2. The Add Evidence File Dialog displays. Use the dropdown menu at the bottom right corner of the dialog to change to the appropriate file extension for your evidence or choose the All Evidence Files option.

3. Navigate to the location of your evidence and select the first file of the evidence set as you would for EnCase evidence files, then click Open.

Verifying Evidence Files

Verify Evidence Files checks CRC values of selected files. It is a way to ensure that evidence is not tampered with. Verified CRC information is written out to a log file. From the Evidence tab, you can check the CRC Errors tab in the bottom pane and bookmark any sectors that contain errors.

To perform an Evidence File verification:

1. Acquire the evidence files.

2. Add the evidence files to your case.

3. Click Tools > Verify Evidence Files.

4. The Verify Evidence Files file dialog opens.


5. Select one or more evidence files, then click Open. During verification, a progress bar displays in the bottom right corner of the window.
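The block-level checks that verification relies on, and why a raw image (see Raw Image Files above) cannot offer them, as an added Python example that is not part of this guide or of the EnCase product. The container model, the 64-sector block size and the sample device contents are constructed for the illustration, not the .E01/.Ex01 on-disk structure:

```python
import hashlib
import zlib
from dataclasses import dataclass

SECTOR = 512
BLOCK_SECTORS = 64          # sectors per CRC block; a constructed choice for this example


@dataclass
class Container:
    """Constructed model of an evidence container: data blocks, one CRC per block, device hashes."""
    blocks: list
    crcs: list
    md5: str
    sha1: str


def acquire(device: bytes) -> Container:
    """Image a device buffer: split into blocks, record a CRC per block and MD5/SHA-1 of the whole."""
    size = SECTOR * BLOCK_SECTORS
    blocks = [device[i:i + size] for i in range(0, len(device), size)]
    return Container(blocks=blocks,
                     crcs=[zlib.crc32(b) for b in blocks],
                     md5=hashlib.md5(device).hexdigest(),
                     sha1=hashlib.sha1(device).hexdigest())


def verify(c: Container) -> dict:
    """Recompute every block CRC and the device hashes.

    Failing blocks are reported as (first_sector, last_sector) ranges: the per-block CRC is what
    lets an examiner locate and bookmark the damaged sectors instead of only learning that the
    device hash no longer matches.
    """
    crc_errors = []
    for i, (block, crc) in enumerate(zip(c.blocks, c.crcs)):
        if zlib.crc32(block) != crc:
            first = i * BLOCK_SECTORS
            crc_errors.append((first, first + len(block) // SECTOR - 1))
    data = b"".join(c.blocks)
    return {"crc_errors": crc_errors,
            "md5_ok": hashlib.md5(data).hexdigest() == c.md5,
            "sha1_ok": hashlib.sha1(data).hexdigest() == c.sha1}


def verify_raw(image: bytes, recorded_md5: str) -> bool:
    """A raw (dd) image carries no block CRCs: a separately recorded hash can say that the image
    changed, but not where."""
    return hashlib.md5(image).hexdigest() == recorded_md5


def flip_byte(c: Container, block_index: int, offset: int) -> None:
    """Simulate one corrupted byte inside a block (for example a bad sector on the storage medium)."""
    b = bytearray(c.blocks[block_index])
    b[offset] ^= 0x01
    c.blocks[block_index] = bytes(b)


# Constructed 128 KiB "device": 256 sectors, which is 4 CRC blocks of 64 sectors.
DEVICE = bytes(range(256)) * 512
```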


Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)

EnCase Forensic Imager can detect and image DCO and/or HPA areas on any ATA-6 or higher-level disk drive. These areas are detected using LinEn or a Tableau write blocker.

This applies to EnCase Forensic Imager applications using:

Tableau

LinEn when the Linux distribution used supports Direct ATA mode

The application now shows if a DCO area exists in addition to the HPA area on a target drive.

HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and so it can be accessed only by reconfiguring the disk. HPA and DCO are extremely similar: the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase Forensic Imager applications see both areas if they coexist on a hard drive.

It is important to note that if you choose to remove a DCO, it will make a permanent change to the drive controller of the device.


Using a Write Blocker

Write blockers prevent inadvertent or intentional writes to an evidence disk. Their use is described in these sections:

Windows-based Acquisitions with Tableau and FastBloc Write Blockers on page 24

Acquiring in Windows without a Tableau or FastBloc Write Blocker on page 24

Windows-based Acquisitions with Tableau and FastBloc Write blockers

The following write blockers are supported in EnCase Forensic Imager:

Tableau T35es

Tableau T35es-RW

Tableau T4

Tableau T6es

Tableau T8-R2

Tableau T9

FastBloc FE

FastBloc 2 FE v1

FastBloc 2 FE v2

FastBloc LE

FastBloc 2 LE

FastBloc 3 FE

Computer investigations require a fast, reliable means to acquire digital evidence. These are hardware write blocking devices that enable the safe acquisition of subject media in Windows to an EnCase evidence file.

The hardware versions of these write blockers are not standalone products. When attached to a computer and a subject hard drive, a write blocker provides investigators with the ability to quickly and safely preview or acquire data in a Windows environment. The units are lightweight, self-contained, and portable for easy field acquisitions, with on-site verification immediately following the acquisition.

Support for Tableau write blocker devices enables EnCase Forensic Imager to:

Identify a device connected through the Tableau device as write blocked.

Access the Host Protected Area (HPA), and access the Device Configuration Overlay (DCO) area of a drive by removing it, using the Tableau device.

Note: EnCase Forensic Imager does not support access of DCO areas via EnScript. By default, HPA is automatically disabled on the device.


Acquiring in Windows without a Tableau or FastBloc Write Blocker

Never acquire hard drives in Windows without a write blocker because Windows writes to any local hard drive visible to it. Windows will, for example, put a Recycle Bin file on every hard drive that it detects and will also change Last Accessed date and time stamps for those drives.

Media that Windows cannot write to are safe to acquire from within Windows, such as CD-ROMs, write protected floppy diskettes, and write protected USB thumb drives.

Acquiring a Disk Running in Direct ATA Mode

If the Linux distribution supports the ATA mode, you will see a Mode option. You must set the mode before acquiring the disk. An ATA disk can be acquired via the drive-to-drive method. The ATA mode is useful for cases when the evidence drive has a Host Protected Area (HPA) or Device Configuration Overlay (DCO). Only Direct ATA Mode can review and acquire these areas.

Ensure LinEn is configured as described in LinEn Setup Under SUSE, that autofs is disabled (cleared), and that Linux is running in Direct ATA Mode.

1. If the FAT32 storage partition to be acquired has not been mounted, mount it.

2. Navigate to the folder where LinEn resides and type ./linen in the console.

3. The LinEn main screen displays.

4. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA mode.

5. Continue the drive-to-drive acquisition with Step 3 of Performing a Drive-to-Drive Acquisition Using LinEn.


Acquiring Disk Configurations

Guidance Software uses the term disk configuration instead of RAID. A software disk configuration is controlled by the operating system software (or LVM software), whereas a controller card controls a hardware disk configuration. In a software disk configuration, information pertinent to the layout of the partitions across the disks is located in the registry or at the end of the disk, depending on the operating system; in a hardware disk configuration, it is stored in the BIOS of the controller card. With each of these methods, you can create six disk configuration types:

Spanned

Mirrored

Striped

RAID-5

RAID-10

Basic

Mirrored  Striped  RAID-5  RAID-10  Basic Software RAID EnCaseForensic Imager applications support

Software RAID

EnCase Forensic Imager applications support these software RAIDs:

Windows NT: see Windows NT Software Disk Configurations

Windows 2000: see Dynamic Disk

Windows XP: see Dynamic Disk

Windows 2003 Servers: see Dynamic Disk

Windows Vista: see Dynamic Disk

Windows Server 2008: see Dynamic Disk

Windows Server 2008R2: see Dynamic Disk

Windows 7: see Dynamic Disk

RAID-10

RAID-10 arrays require at least four drives, implemented as a striped array of RAID-1 arrays.


Hardware Disk Configuration

Hardware disk configurations can be acquired:

As one drive

As separate drives

Windows NT Software Disk Configurations

In a Windows NT file system, you can use the operating system to create different types of disk configurations across multiple drives. The possible disk configurations are:

Spanned

Mirrored

Striped

RAID 5

Basic

The information detailing the types of partitions and the specific layout across multiple disks is contained in the registry of the operating system. EnCase Forensic Imager applications can read this registry information and resolve the configuration based on the key. The application can then virtually mount the software disk configuration within the EnCase Forensic Imager case.

There are two ways to obtain the registry key:

Acquiring the drive

Backing up the drive

Acquire the drive containing the operating system. It is likely that this drive is part of the disk configuration set, but in the event it is not (for example, when the disk configuration is used for storage purposes only), acquire the OS drive and add it to the case along with the disk configuration set drives.

To make a backup disk on the subject machine, use Windows Disk Manager and select Backup from the Partition option.

This creates a backup disk of the disk configuration information, placing the backup on a CD or DVD. You can then copy the file into your EnCase Forensic Imager application using the Single Files option, or you can acquire the CD or DVD and add it to the case. The case must have the disk configuration set drives added to it as well. This process works only if you are working with a restored clone of a subject computer. A registry backup disk may also already exist at the site.

In the EnCase Forensic Imager Evidence tab, select the device containing the registry or the backup disk and all devices which are members of the RAID. Click the Open button to go to the Entry view of the Evidence tab. Select the disk containing the registry, click the dropdown menu on the upper right menu of the Evidence tab. Select Device, then select Scan Disk Configuration. At this point, the application attempts to build the virtual devices using information from the registry key.


Support for EXT4 Linux Software RAID Arrays

EnCase Forensic Imager provides the ability to parse EXT4 Linux Software RAID arrays (for Ubuntu version 9.1 and version 10.04), using the Scan for LVM option in the Device dropdown menu.

These configurations are supported:

RAID 1 (mirror)

RAID 10

Note: EnCase Forensic Imager does not support partial reconstruction of RAIDs. After parsing, all RAID devices must have full descriptors or the process will fail.

Dynamic Disk

Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 Server R2. The information pertinent to building the configuration resides at the end of the disk rather than in a registry key. Therefore, each physical disk in this configuration contains the information necessary to reconstruct the original setup. EnCase Forensic Imager applications read the Dynamic Disk partition structure and resolve the configurations based on the information extracted.

To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case. In the Evidence tab, select the devices involved in the Dynamic Disk and click the Open button on the menu bar to change to the Entries view of the Evidence tab. Select the devices then click the dropdown menu at the top right of the Evidence tab. Select Device and choose Scan Disk Configuration.

If the resulting disk configurations seem incorrect, you can manually edit them by returning to the highest Evidence view of the Evidence tab. Select the Disk Configuration option, click the dropdown menu from the top right corner of the Evidence tab, and select Edit Disk Configuration.

Disk Configuration Set Acquired as One Drive

Unlike software disk configurations, those controlled by hardware contain necessary configuration information in the card’s BIOS. Because the disk configuration is controlled by hardware, EnCase Forensic Imager cannot automatically reconstruct the configurations from the physical disks. However, since the pertinent information to rebuild the set is contained within the controller, the computer (with the controller card) actually sees a hardware disk configuration as one (virtual) drive, regardless of whether the set consists of two or more drives. Therefore, if the investigator acquires the set in its native environment, the disk configuration can be acquired as one drive, which is the easiest option. The best method for performing such an acquisition is to conduct a crossover network cable acquisition.

Note: The LinEn boot disk for the subject computer needs to have Linux drivers for that particular RAID controller card.

To acquire the set:

1. Keep the disk configuration intact in its native environment.

2. Boot the subject computer with a Live Linux Boot Disk containing the LinEn utility and configured with the drivers for the RAID controller card.

Note: The BIOS interprets the disk configuration as one drive, so EnCase Forensic Imager applications will as well. The investigator sees the disk configuration as one drive.

4. Acquire the disk configuration as you normally acquire a single hard drive, depending on the means of acquisition. Crossover network cable or drive-to-drive acquisition is straightforward, as long as the set is acquired as one drive.

If the physical drives were acquired separately, or could not be acquired in the native environment, you can edit the hardware set manually in EnCase Forensic Imager.

Disk Configurations Acquired as Separate Drives

Sometimes acquiring the hardware disk configuration as one drive is not possible, or the automatically assembled software disk configuration seems incorrect. Editing a disk configuration requires this information:

Stripe size

Start sector

Length per physical disk

Whether the striping is right handed

You can collect this data from the BIOS of the controller card for a hardware set, or from the registry for software sets.

When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can still rebuild the virtual disk from the parity information on the remaining disks. This condition is detected automatically when a hardware disk configuration is reconstructed with the Scan Disk Configuration command.

To acquire a disk configuration set as one disk:

1. Add the evidence files to one case.

2. On the Evidence tab, click the down arrow in the far right corner to display a dropdown menu, then click Create Disk Configuration.

3. The Disk Configuration dialog displays. Enter a name for your disk configuration. Click the appropriate disk configuration.

5. Enter the start sector and size of the selected disk configuration, select the drive image which belongs as the first element of the RAID, then click OK.

6. Repeat steps 4 and 5 for each additional element drive of the RAID in order.

7. Back at the main Disk Configuration screen, set the Stripe Size, select whether this is a Physical Disk Image, and whether it uses Right-Handed Striping.

8. Once you are sure that the settings and the order of the drives are correct, click OK. EnCase Forensic Imager generates a new item in your Evidence tab containing the RAID rebuilt to your specifications. This new Disk Configuration can be acquired to an EnCase evidence file and processed in the Evidence Processor just like a physical drive.
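The four parameters the procedure above asks for (stripe size, start sector, length per physical disk, and the striping hand) are easier to reason about when you see how they drive a rebuild. The following is an added example, not EnCase code, that assembles a virtual disk from member images the way steps 4 to 8 describe, and regenerates one missing RAID-5 member from parity as the preceding paragraph explains. The layout conventions it uses are assumptions: one chunk per member per stripe row, data chunks in ascending member order, and parity rotating toward higher-numbered members when "right handed" (toward lower-numbered members otherwise). A real controller may differ, so compare the rebuilt volume's partition table and file system against expectations before relying on it. The member images and sample content are constructed in memory.

```python
# Added example (not EnCase code): rebuild a RAID virtual disk from member
# images acquired separately, using the parameters the guide lists. Layout
# conventions (parity rotation direction, chunk order) are assumptions.
import random
from typing import List, Optional

SECTOR = 512


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def parity_member(row: int, n: int, right_handed: bool) -> int:
    """Member holding parity for a stripe row (assumed convention)."""
    return row % n if right_handed else (n - 1 - row) % n


def read_chunk(member: bytes, start_sector: int, row: int, stripe_size: int) -> bytes:
    """Stripe chunk `row` of one member: the array data begins at
    start_sector, and each row contributes one stripe_size chunk per member."""
    off = start_sector * SECTOR + row * stripe_size
    return member[off:off + stripe_size]


def recover_missing_member(members: List[Optional[bytes]]) -> List[bytes]:
    """RAID-5 tolerates one missing member: every byte of it is the XOR of
    the corresponding bytes on all other members (data and parity alike)."""
    missing = [i for i, m in enumerate(members) if m is None]
    if not missing:
        return [m for m in members if m is not None]
    if len(missing) > 1:
        raise ValueError("RAID-5 can rebuild at most one missing member")
    present = [m for m in members if m is not None]
    size = len(present[0])
    if any(len(m) != size for m in present):
        raise ValueError("member images must be the same size")
    acc = 0
    for m in present:
        acc ^= int.from_bytes(m, "big")
    out = [m if m is not None else b"" for m in members]
    out[missing[0]] = acc.to_bytes(size, "big")
    return out


def assemble_raid0(members: List[bytes], stripe_size: int, start_sector: int,
                   length_sectors: int) -> bytes:
    """Interleave one chunk from each member per row; no parity."""
    rows = length_sectors * SECTOR // stripe_size
    out = bytearray()
    for row in range(rows):
        for m in members:
            out += read_chunk(m, start_sector, row, stripe_size)
    return bytes(out)


def assemble_raid5(members: List[Optional[bytes]], stripe_size: int,
                   start_sector: int, length_sectors: int,
                   right_handed: bool = True) -> bytes:
    """Rebuild the virtual disk, regenerating one missing member if needed."""
    full = recover_missing_member(members)
    n = len(full)
    rows = length_sectors * SECTOR // stripe_size
    out = bytearray()
    for row in range(rows):
        p = parity_member(row, n, right_handed)
        for disk in range(n):
            if disk != p:
                out += read_chunk(full[disk], start_sector, row, stripe_size)
    return bytes(out)


def make_raid5_members(virtual: bytes, n: int, stripe_size: int,
                       start_sector: int, right_handed: bool) -> List[bytes]:
    """Constructed fixture: lay a virtual disk out across n members the way
    assemble_raid5 expects, with start_sector sectors of filler on each."""
    rows = len(virtual) // (stripe_size * (n - 1))
    chunks: List[List[bytes]] = [[] for _ in range(n)]
    pos = 0
    for row in range(rows):
        p = parity_member(row, n, right_handed)
        parity = bytes(stripe_size)
        for disk in range(n):
            if disk == p:
                continue
            chunk = virtual[pos:pos + stripe_size]
            pos += stripe_size
            chunks[disk].append(chunk)
            parity = xor_bytes(parity, chunk)
        chunks[p].append(parity)
    lead = bytes(start_sector * SECTOR)
    return [lead + b"".join(c) for c in chunks]


def sample_virtual_disk(size: int = 6144) -> bytes:
    """Constructed, deterministic sample content (not real evidence)."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    virtual = sample_virtual_disk()
    members: List[Optional[bytes]] = list(make_raid5_members(virtual, 3, 1024, 2, True))
    members[1] = None  # simulate the bad or missing drive
    assert assemble_raid5(members, 1024, 2, 6, True) == virtual
    print("rebuilt", len(virtual), "bytes from two of three members")
```

Note that the RAID-5 rebuild in this example is only as good as the parameters: a wrong stripe size or hand produces a volume of the right length whose contents are scrambled, which is why the guide's advice to collect the values from the controller BIOS or the registry matters.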

Acquiring a DriveSpace Volume

DriveSpace volumes are only recognized as such after they are acquired and mounted into a case. On the storage computer, mount the DriveSpace file as a volume, then acquire it again to see the directory structure and files.

To acquire a DriveSpace volume:

1. A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace volume. A FAT16 partition can be created only with a FAT16 OS (such as Windows 95).

2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using format.exe.

3. Image the DriveSpace volume.

4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or DRVSPACE.000 .

5. Right click the file and copy/unerase it to the FAT16 partition on the storage computer.

6. In Windows 98, click Start > All Programs > Accessories > System Tools > DriveSpace.

7. Launch DriveSpace.

8. Select the FAT16 partition containing the compressed “.000” file.

9. Select Advanced > Mount > DRVSPACE.000, then click OK, noting the drive letter assigned to it. The Compressed Volume File (.000) from the previous drive is now seen as folders and files in a new logical volume.

10. Acquire this new volume.

11. Create the evidence file and add to your case. You can now view the compressed drive.

Canceling an Acquisition

You can cancel an acquisition while it is running. After canceling, you can restart the acquisition.

To cancel an acquisition while it is running:

1. At the bottom right corner of the main window, double click the Thread Status line. The Thread Status dialog displays.

2. Click Yes. The acquisition is canceled. You can restart it at a later time.

CD-DVD Inspector File Support

EnCase Forensic Imager applications support viewing files created using CD/DVD Inspector, a third-party product. Treat these files as single files or as zip files when adding them, and as composite files when using the file viewer. Drag single files into the application.

Reacquiring Evidence

When you have a raw evidence file generated outside an EnCase application, reacquiring it creates an EnCase evidence file containing the content of the raw evidence file, and gives you the opportunity to hash the evidence, add case metadata, and add CRC block checks.

You may also want to reacquire an existing EnCase evidence file to change the compression settings or the file segment size.

Reacquiring Evidence Files

Start by adding the evidence file(s) to your case as previously described. You can reacquire evidence either from the Evidence tab or through the Evidence Processor. To reacquire from the Evidence tab:

1. Select the items you want to reacquire.

2. Click the Open button to change to the Entries view of the Evidence tab.

3. Highlight the item you want to reacquire, click Acquire on the top menu, and select Acquire from the dropdown menu.

4. Complete the Acquire Device dialog as you would for previewed evidence.

5. You can repeat steps 3 and 4 for each device or volume you want to reacquire.

Retaining the GUID During Evidence Reacquisition

EnCase Forensic Imager now provides an option that retains the GUID when evidence is reacquired. To retain the GUID, select the Keep GUID checkbox that displays in the Advanced tab of the Acquire Device dialog. To open the Acquire Device dialog, select the device for acquisition.

Adding Raw Image Files

Reacquiring raw evidence files like DD images or CD-ROM .iso files embeds the device contents within an EnCase evidence file, adding case metadata, CRC block checks and, optionally, the hash value of that image.

To acquire a raw evidence file:

1. In the Add Evidence dropdown menu, click Add Raw Image.

2. The Add Raw Image dialog opens.

3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the Component Files list. For DD images or other raw images consisting of more than one segment, the segments must all be added in their exact order from first to last.

4. Select the Generate true GUID checkbox so that EnCase Forensic Imager generates a unique GUID if a matching GUID is found.

5. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.

6. A Disk Image object displays in the Evidence tab.

7. You can reacquire this image as you would any other supported evidence or previewed device.
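The value of reacquiring a raw image into an EnCase evidence file, as the Reacquiring Evidence section and the steps above describe, is the hash and the per-block CRCs that come with it. The following added example, not EnCase code, shows what those checks buy you on a DD-style image: the segments are assembled in the order given (step 3 above), the whole image is hashed, a CRC32 is recorded for every block, and a later verification pass localises damage to one block instead of only reporting that the overall hash failed. The 64-sector block size is assumed here because it is EnCase's default acquisition block size; confirm the value in your own Acquire Device dialog. The segment contents are constructed, with segment boundaries that deliberately do not line up with CRC blocks.

```python
# Added example (not EnCase code): hash and block-CRC a raw image assembled
# from DD segments, then locate a damaged block on verification.
# Block size of 64 sectors is an assumption (EnCase's default).
import hashlib
import zlib
from typing import Dict, List

SECTOR = 512
BLOCK_SECTORS = 64  # 32 KiB per CRC block


def assemble_segments(segments: List[bytes]) -> bytes:
    """Concatenate segments in the order given. Order matters: swapping two
    segments yields a different image and therefore a different hash."""
    return b"".join(segments)


def image_hashes(image: bytes) -> Dict[str, str]:
    """Whole-image hashes of the kind recorded at acquisition time."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha1": hashlib.sha1(image).hexdigest()}


def block_crcs(image: bytes, block_sectors: int = BLOCK_SECTORS) -> List[int]:
    """CRC32 of each block; the final block may be short."""
    size = block_sectors * SECTOR
    return [zlib.crc32(image[i:i + size]) & 0xFFFFFFFF
            for i in range(0, len(image), size)]


def find_corrupt_blocks(image: bytes, expected: List[int],
                        block_sectors: int = BLOCK_SECTORS) -> List[int]:
    """Indices of blocks whose CRC no longer matches the recorded value."""
    actual = block_crcs(image, block_sectors)
    if len(actual) != len(expected):
        raise ValueError("block count changed; image truncated or extended")
    return [i for i, (a, e) in enumerate(zip(actual, expected)) if a != e]


def sample_segments() -> List[bytes]:
    """Constructed DD-style segments (think image.001, image.002, image.003)
    whose boundaries do not align to CRC blocks. Not real evidence."""
    total_len = 3 * BLOCK_SECTORS * SECTOR
    total = bytes((i * 131 + (i >> 8)) & 0xFF for i in range(total_len))
    return [total[:40000], total[40000:75000], total[75000:]]


def flip_byte(image: bytes, offset: int) -> bytes:
    """Simulate a single-byte media or transfer error at `offset`."""
    return image[:offset] + bytes([image[offset] ^ 0x01]) + image[offset + 1:]


if __name__ == "__main__":
    segs = sample_segments()
    image = assemble_segments(segs)
    recorded = block_crcs(image)
    print("hashes:", image_hashes(image))
    damaged = flip_byte(image, 70000)
    print("corrupt blocks after damage:", find_corrupt_blocks(damaged, recorded))
```

The block CRCs do not replace the whole-image hash: CRC32 detects accidental corruption but is not collision resistant, so the hash is what you compare against the original acquisition record, and the CRC list tells you where to look when it fails.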

Restoring a Drive

The following steps describe how to restore a drive. Note that before you begin, you first need to add evidence to the case.

1. From the EnCase Forensic Imager top toolbar, select the Evidence option from the View dropdown.

2. In the Table view, click the evidence file with the device you would like to restore.

4. Click Next to collect local hard drives.

5. From the list of Local Devices, click the drive you want to restore.

6. Click Next. The Drives dialog displays.

7. Select options for wiping and verification.

8. Click Finish.

9. A dialog displays asking you to verify the local drive selection. Verify that you are restoring to the correct drive by typing Yes, then click OK.

The bar in the lower right corner of the screen tracks the progress of the restore.

Index

A

Acquiring a Disk Running in Direct ATA Mode • 25

Acquiring a DriveSpace Volume • 30

Acquiring a Local Drive • 7

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) • 23

Acquiring Disk Configurations • 26

Acquiring in Windows without a Tableau or FastBloc Write Blocker • 25

Acquiring Non-local Drives • 7

Acquiring Other Types of Supported Evidence Files • 22

Adding Raw Image Files • 32

C

Canceling an Acquisition • 31

CD-DVD Inspector File Support • 31

Creating an Encrypted Evidence File • 16

Creating an Encrypted Logical Evidence File • 8

Creating Encrypted Evidence Files • 8

D

Disk Configuration Set Acquired as One Drive • 28

Disk Configurations Acquired as Separate Drives • 29

Dynamic Disk • 28

E

EnCase Evidence Files • 6

EnCase Forensic Imager User's Guide • 3

H

Hardware Disk Configuration • 27

L

Launching EnCase Forensic Imager • 5

Logical Evidence Files • 6

O

Overview • 5

R

RAID-10 • 26

Raw Image Files • 7

Reacquiring Evidence • 31

Reacquiring Evidence Files • 31

Restoring a Drive • 33

Retaining the GUID During Evidence Reacquisition • 32

S

Single Files • 7

Software RAID • 26

Sources of Acquisitions • 6

Support for EXT4 Linux Software RAID Arrays • 28

T

Types of Acquisitions • 5

Types of Evidence Files • 6

U

Using a Write Blocker • 24

V

Verifying Evidence Files • 22

W

Windows NT Software Disk Configurations • 27

Windows-based Acquisitions with Tableau and FastBloc Write blockers • 24