Uploaded by Etienne Meersschaut

EnCase Version 6.12 Modules Manual

advertisement
EnCase Version 6.12
Modules Manual
Copyright © 1997‐2008 Guidance Software, Inc. All rights reserved.
EnCase®, EnScript®, FastBloc®, Guidance Software® and EnCE® are registered trademarks or trademarks owned by Guidance Software
in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be
claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be
registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners'
benefit, without intent to infringe.
No part of this document may be copied or reproduced without the written permission of Guidance Software, Inc. Products and
corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and
are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this
material is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license
agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written.
For previous or outdated manuals, product release information, contact Guidance Software, Inc. at:
http://www.guidancesoftware.com. Specifications and information contained in this manual are furnished for informational use only,
and are subject to change at any time without notice.
Contents
CHAPTER 1 Introduction
3
Introduction ....................................................................................................................................................... 4
Minimum Recommended Requirements .......................................................................................................... 4
Installing the EnCase Modules........................................................................................................................... 5
EnCase Decryption Suite Module ...................................................................................................................... 7
EnCase Physical Disk Emulator Module ............................................................................................................. 7
EnCase Virtual File System Module ................................................................................................................... 8
FastBloc SE Module............................................................................................................................................ 9
CD/DVD Module ................................................................................................................................................ 9
CHAPTER 2 EnCase Decryption Suite
11
Overview.......................................................................................................................................................... 12
EDS Features .................................................................................................................................................... 12
Product Matrix................................................................................................................................................. 13
Using EDS ......................................................................................................................................................... 14
Secure Storage Tab .......................................................................................................................................... 17
Secure Storage Items ....................................................................................................................................... 23
SafeBoot Encryption Support (Disk Encryption) .............................................................................................. 23
Utimaco SafeGuard Easy Encryption Support.................................................................................................. 26
BitLocker Encryption Support (Volume Encryption) ........................................................................................ 32
WinMagic SecureDoc Encryption Support....................................................................................................... 34
GuardianEdge Hard Disk Encryption Known Limitation................................................................................... 37
CREDANT Encryption Support (File‐Based Encryption).................................................................................... 37
CREDANT Encryption Support (Offline Scenario)............................................................................................. 41
S/MIME Encryption Support ............................................................................................................................ 43
NSF Encryption Support................................................................................................................................... 49
Lotus Notes Local Encryption Support............................................................................................................. 51
Windows Key Architecture .............................................................................................................................. 56
Dictionary Attack ............................................................................................................................................. 56
CHAPTER 3 Physical Disk Emulator
61
What is the Physical Disk Emulator?................................................................................................................ 62
Using Physical Disk Emulator ........................................................................................................................... 62
Third‐Party Tools.............................................................................................................................................. 67
Boot Evidence Files and Live Systems with VMware ....................................................................................... 68
VMware/EnCase PDE FAQs.............................................................................................................................. 72
PDE Troubleshooting ....................................................................................................................................... 73
CHAPTER 4 Virtual File System
75
What is VFS? .................................................................................................................................................... 76
Mounting Evidence with VFS ........................................................................................................................... 76
Dismount the Network Share .......................................................................................................................... 84
Accessing the Share ......................................................................................................................................... 85
Third‐Party Tools.............................................................................................................................................. 86
VFS Server ........................................................................................................................................................ 89
Troubleshooting............................................................................................................................................... 93
CHAPTER 5 FastBloc SE Module
95
What is the FastBloc SE Module? .................................................................................................................... 96
Background Information.................................................................................................................................. 96
Installing the FastBloc SE Module.................................................................................................................... 97
Using the FastBloc SE Module ......................................................................................................................... 98
Disk Caching................................................................................................................................................... 103
Troubleshooting............................................................................................................................................. 103
CHAPTER 6 CD/DVD Module
107
What is the CD/DVD Module? ....................................................................................................................... 108
Burning Evidence Files During Acquisition..................................................................................................... 108
Burning Logical Evidence Files During Acquisition......................................................................................... 110
Burning Files and Reports .............................................................................................................................. 110
Burning Existing Evidence and Logical Evidence Files.................................................................................... 114
Guidance Software
117
Legal Notification........................................................................................................................................... 117
Support .......................................................................................................................................................... 117
Customer Service ........................................................................................................................................... 122
Message Boards............................................................................................................................................. 123
Downloads ..................................................................................................................................................... 123
Training .......................................................................................................................................................... 123
Professional Services ..................................................................................................................................... 123
Index
125
CHAPTER 1
Introduction
In This Chapter
ƒ
Introduction
ƒ
Minimum Recommended Requirements
ƒ
Installing the EnCase Modules
ƒ
EnCase Decryption Suite Module
ƒ
EnCase Physical Disk Emulator Module
ƒ
EnCase Virtual File System Module
ƒ
FastBloc SE Module
ƒ
CD/DVD Module
4
EnCase Version 6.12 Modules Manual
Introduction
Since version 4 of EnCase® software, Guidance Software® has provided a variety of software
modules that put powerful investigative tools at the disposal of forensic investigators. These
modules are add‐ons to the software, and require purchasing certificates from
www.guidancesoftware.com to activate them.
The following modules are available for version 6.01:
ƒ
EnCase Decryption Suite (EDS)
ƒ
Physical Disk Emulator (PDE)
ƒ
Virtual File Server (VFS)
ƒ
FastBloc® Software Edition (SE)
ƒ
CD‐DVD Module
A brief description of the modules follows; for more information on how to configure and use each
of the modules, please refer to the respective chapters of this document.
Minimum Recommended Requirements
To ensure acceptable performance, machines using the EnCase modules should fulfill the following
minimum specifications:
ƒ
Current version of the EnCase software (updates are available from the Web site at
http://www.guidancesoftware.com)
ƒ
Pentium IV 1.4 GHz processor
ƒ
1 GB of RAM
ƒ
Windows 2000, XP Professional or 2003 Server
ƒ
At least 100 MB of free hard drive space
VFS Module Specific Requirements
ƒ
At least 100Mb/s network infrastructure for VFS
FastBloc SE Module Specific Requirements
One of the following IDE controller cards (Write‐blocking on‐board IDE devices are not supported with
the FastBloc SE module):
ƒ
Promise Ultra133 TX2
ƒ
Promise SATA150 TX2plus (only the SATA adapters are supported)
ƒ
Promise Ultra100 TX2
ƒ
SIIG Ultra ATA/133 PCI
ƒ
SIIG Ultra ATA 100 PCI RAID
ƒ
Tekram Ultra ATA 100 RAID
To write‐block SCSI ports, Guidance Software has tested and recommends the following hardware:
Introduction
ƒ
StarTech DRW150SCSIBK SCSI drive bay
ƒ
Adaptec 29160 controller card
5
CD-DVD Module Specific Requirements
A CD/DVD burner must be installed on the forensic machine. These burners are supported:
ƒ
AOPEN
ƒ
Plextor 712A
ƒ
ASUS 0402P
ƒ
Sony RU‐710A
ƒ
Memorex DVD double
ƒ
Toshiba R5372layer 16X w/ USB bus
ƒ
Pioneer DVR‐108
Installing the EnCase Modules
In order to activate one of the EnCase modules, you must have a licensed copy of the EnCase
software and purchase the appropriate modules from Guidance Software. Installing the modules is
completed through one of two ways:
ƒ
Certificates programmed on the Security key
ƒ
Certificate files for your Security key
Certificates Programmed on the Security Key
If you ordered EnCase software at the same time that you ordered the modules, then your security
key will be programmed with the appropriate certificates, and no other files are needed.
Certificate Files for Your Security Key
If you ordered modules after you have received your v6 security key, then you will receive
certificate files that are matched with your security key. The certificate activates the module within
the EnCase software by comparing the security key serial number with the ID contained in the
certificate. Since a certificate can contain more than one security ID, an organization may submit the
IDs for several security keys, and receive a single certificate per module for all investigators to use.
Before you order a certificate, determine the security key ID numbers as follows:
1.
With a security key in place, open the EnCase program
2.
On the top menu bar, click Help and select About EnCase
3.
The security key ID (Dongle ID) is listed at the bottom of the left pane
6
EnCase Version 6.12 Modules Manual
This is the number that you will need to give to Customer Service when you order your
modules.
4.
When you receive the cert file from Customer Service, save the cert file to C:\Program
Files\EnCase6\Certs
Verifying the Modules are Installed
To verify the modules that are installed, perform the following:
1.
From the Help menu, select About EnCase.
2.
All installed modules are listed in the right pane:
Introduction
7
64-bit Module Limitations
When using the 64‐bit version of the EnCase software, there are some important limitations to
functionality:
ƒ
EDS is not supported
ƒ
PDE is not supported
ƒ
VFS is not supported
ƒ
The FastBloc SE module is supported, however only USB acquisitions are supported
If you have a 64‐bit computer, you may install a 32‐bit operating system and the 32‐bit version of
the EnCase software to remedy the limitations.
EnCase Decryption Suite Module
The EnCase Decryption Suite module allows investigators to decrypt files and folders protected by
several methods:
ƒ
Microsoft® Encrypting File System (EFS)
ƒ
Microsoft Outlook Password‐Protected PST Files
ƒ
Encrypted Windows Registry Information
ƒ
PC Guardian® Encryption
ƒ
SafeBoot Encryption
ƒ
Utimaco SafeGuard Easy Encryption
ƒ
BitLocker Encryption
ƒ
WinMagic SecureDoc Encryption
ƒ
GuardianEdge Hard Disk Encryption
ƒ
CREDANT Encryption
ƒ
S/MIME Encryption
ƒ
NSF Encryption
ƒ
Lotus Notes Local Encryption
The EDS module supports locally and domain authenticated users with the Microsoft EFS. The
module works with the operating systems capable of encrypting data with EFS, including Windows
2000 Professional, Windows 2000 Server, Windows XP Professional, and Windows 2003 Server. For
Window 2000 operating system, the EFS files and folders can be decrypted automatically if
properly configured on a domain.
EnCase Physical Disk Emulator Module
The Physical Disk Emulator can mount any EnCase‐supported evidence as an emulated physical
device. For a list of the formats supported, please see your EnCase User Manual. Any Windows‐
supported file system can be examined in Windows as a physical device connected to the machine.
If the file system is not compatible with Windows (such as ext2) the device will still appear in disk
management.
8
EnCase Version 6.12 Modules Manual
PDE can be used in conjunction with VMware Workstation to boot EnCase images of hard drives
mounted with PDE. This also provides investigators with the capability of sharing evidence files
that have been accessed remotely.
Once mounted, the read‐only media is available to native applications, Windows Explorer, or any
third‐party Windows utility or computer forensic tool that recognizes local devices. Some of the
functionality provided using additional software includes the following:
• File carving utilities
• Steganography detectors
•Virus scan software
• Word Indexers
• Spyware detectors
• ʺUndeleteʺ software
• Trojan detectors
• Encryption detection software
EnCase Virtual File System Module
The EnCase Virtual File System module allows investigators to mount computer evidence as a read‐
only offline network drive for examination through Windows Explorer. Most notably, this allows
investigators many options in their examinations, including the use of third‐party tools with
evidence served by the EnCase program.
VFS allows the investigator to view files in Windows Explorer that would not normally be accessed
by the operating system, such as mounted, deleted and file system‐level artifacts.
All computer evidence and image file formats supported by the EnCase software can be mounted
with VFS. For the formats supported, please see your EnCase User Manual.
Live computer forensic evidence supported by VFS includes
ƒ
Local machine preview of removable media
ƒ
Local machine preview through the FastBloc SE module
ƒ
Local machine preview through FastBloc Classic, FE, and LE hardware blockers
ƒ
Cross‐over network cable preview
ƒ
Local Palm Pilot preview
ƒ
EnCase Enterprise Edition and Field Intelligence Model live network preview
The VFS Server feature allows investigators to serve the mounted virtual drive to other
investigators, case agents, attorneys, etc., on the local area network for review in Windows
Explorer.
Introduction
9
FastBloc SE Module
FastBloc Software Edition provides a collection of disk controller utilities such as the same safe
subject media preview and acquisition in Windows to an EnCase evidence file currently available
from FastBloc hardware, and wiping and restoring of drives attached to the PCI controller card.
IDE, SCSI, USB and FireWire drives attached to supported PCI controller cards are write‐blocked
when configured as such by the module. Wiping and restoring of drives attached to the controller is
also possible, with the logical restore retaining the same hash value as the original drive. The
FastBloc SE module also allows access to HPA and DCO areas of a suspect drive in Windows (this
functionality is not available using a hardware write‐blocker with the EnCase program in
Windows).
CD/DVD Module
With this module the user can write entries, reports and other selected data to a CD or DVD. This
includes the ability to select and burn EnCase Evidence files and Logical Evidence Files, or to write
them to media at acquisition.
CHAPTER 2
EnCase Decryption Suite
In This Chapter
ƒ
Overview
ƒ
EDS Features
ƒ
Product Matrix
ƒ
Using EDS
ƒ
Secure Storage Tab
ƒ
Secure Storage Items
ƒ
SafeBoot Encryption Support (Disk Encryption)
ƒ
Utimaco SafeGuard Easy Encryption Support
ƒ
BitLocker Encryption Support (Volume Encryption)
ƒ
WinMagic SecureDoc Encryption Support
ƒ
GuardianEdge Hard Disk Encryption Known Limitation
ƒ
CREDANT Encryption Support (File-Based Encryption)
ƒ
CREDANT Encryption Support (Offline Scenario)
ƒ
S/MIME Encryption Support
ƒ
NSF Encryption Support
ƒ
Lotus Notes Local Encryption Support
ƒ
Windows Key Architecture
ƒ
Dictionary Attack
12
EnCase Version 6.12 Modules Manual
Overview
EnCase Decryption Suite (EDS) enables decryption of encrypted files and folders by domain users
and local users, including:
ƒ
Disk and volume encryption
Microsoft BitLocker
GuardianEdge Encryption Anywhere
GuardianEdge Plus
Utimaco SafeGuard Easy
McAfee SafeBoot
ƒ
File based encryption
Microsoft Encrypting File System (EFS)
CREDANT Mobile Guardian
ƒ
Mounted files
PST (Microsoft Outlook)
S/MIME encrypted email in PST files
NSF (Lotus Notes)
Protected storage (ntuser.dat)
Security hive
Active Directory 2003 (ntds.dit)
EDS Features
Disk and Volume Encryption
When an Evidence File (.E01) or a new physical disk is added to a new case, the Master Boot Record
(MBR) is checked against known signatures to determine whether the respective disk is encrypted.
If the disk is encrypted, EnCase asks for user credentials (see the Product Matrix on page 13 for a
table listing required credentials for supported encryption products).
If the correct credentials are entered, EnCase decrypts the disk. No password attacks are supported.
EDS supports these disk/volume encryption products:
ƒ
Microsoft BitLocker
ƒ
GuardianEdge Encryption Anywhere
ƒ
Utimaco SafeGuard Easy
ƒ
McAfee SafeBoot
EnCase Decryption Suite
13
File Based Encryption
Encryption can be applied at the file or folder level. If files or folders are encrypted, EnCase asks for
credentials (see Product Matrix on page 13 for a table listing required credentials for supported
encryption products).
If the correct credentials are entered, EnCase decrypts the files or folders.
EDS supports these file based encryption products:
ƒ
Microsoft Encrypting File System (EFS)
ƒ
CREDANT Mobile Guardian
Mounted Files
EnCase can review mounted files and search for encrypted data. If mounted files are encrypted,
EnCase asks for user credentials (see Product Matrix on page 13 for a table listing required
credentials for supported encryption products).
If the correct credentials are entered, EnCase decrypts the mounted files. These types of mounted
files are supported:
ƒ
PST (Microsoft Outlook)
ƒ
NSF (Lotus Notes)
ƒ
Protected storage (ntuser.dat)
ƒ
Security hive
ƒ
Active Directory 2003 (ntds.dit)
Product Matrix
The table below shows encryption products supported by EDS and credentials you need to provide
in order to use them with EnCase.
Product
Password
User
GuardianEdge
Encryption Plus
X
X
GuardianEdge
Encryption
Anywhere
X
X
Utimaco
SafeGuard Easy
X
X
McAfee
SafeBoot
Online
X
X
SafeBoot
Offline
Domain
Machine
Server
X
X
Path
Other
X
X
Algorithm
X
Algorithm
14
EnCase Version 6.12 Modules Manual
CREDANT
Mobile
Guardian
Online
X
X
Machine
CREDANT
ID
X
Shield
CREDANT
ID
Mobile
Guardian
Offline
X
Microsoft
BitLocker
X
Key
Microsoft
Encrypting File
System (EFS)
X
Keys
ZIP
X
Lotus Mail
X
ID File
S/MIME
X
PFX
X
Using EDS
Analyze EFS
This command scans a volume for data and processes it. You can also run Analyze EFS from the
secure storage; in that instance, it runs consecutively on all volumes in a case.
EnCase Decryption Suite
1.
Right click the volume you want to analyze, then click Analyze EFS from the dropdown
menu.
2.
The first Analyze EFS dialog displays. Click Next.
15
16
EnCase Version 6.12 Modules Manual
3.
The second Analyze EFS dialog displays with the Documents and Settings Path and Registry
Path fields populated by default. For unusual system configurations, data disks, and other
operating systems these values will be blank. You can modify them to point to the user
profile folders and/or the registry path.
4.
Click Next to begin the scan.
5.
When the scan is complete, the EFS Status dialog shows statistical information on keys
found and decrypted and registry passwords recovered.
EnCase Decryption Suite
6.
17
When you are done reviewing the EFS status, click Finish.
Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.
EFS Files and Logical Evidence (L01) Files
To decrypt an encrypted EFS file you need the following:
1.
The EnCase EDS module
2.
The matching $EFS stream. This is essential, since it contains the decryption key.
3.
A matching unencrypted private key. This can be the recovery agentʹs key or a userʹs key.
4.
File slack might be needed if the file size is not a multiple of 16. This is because files are
decrypted in 16‐byte chunks.
Note: For example, a 17-byte file needs 15 bytes of slack in order to decrypt the last
chunk. Otherwise, only multiples of 16 are decrypted.
In EnCase version 6.11, the scenarios for logical evidence files are different from prior versions of
EnCase:
1.
The file is encrypted and the $EFS stream is missing from the same folder within the L01: the
file cannot be decrypted.
2.
The file is encrypted and the $EFS stream is in the same folder: the file can be decrypted
(except for the remainder of the file, if any).
3.
The file is decrypted and the $EFS stream is missing: the file remains decrypted.
4.
The file is decrypted and the $EFS stream is in the same folder: the file will be decrypted
twice.
Note: The workaround in case 4 is to disable EFS or delete the private key from the secure storage.
From version 6.11 on, all the scenarios above are handled gracefully, because the $EFS stream is
added internally.
ƒ
If the file is encrypted, the $EFS stream is automatically stored with the file as metadata.
ƒ
If the file is decrypted, the $EFS stream is not automatically stored, as it is not needed. This
does not prevent you from storing the stream by specifically saving it to the LEF.
Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.
Secure Storage Tab
To organize security data gathered using Analyze EFS, EnCase includes a Secure Storage tab which
displays passwords, keys, and other items parsed from the system files and registry.
Although the tab is always present in the interface, you must install the EDS module to enable most
of the functionality.
Secure Storage Tab and EFS
To populate the Secure Storage tab:
18
EnCase Version 6.12 Modules Manual
1.
Run Analyze EFS (see page 14).
2.
Select the Secure Storage tab.
3.
Click an item in the Secure Storage tree to view its contents.
Enter Items
Enter Syskey
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the
wizard is already completed.
1.
Right click the root entry of Secure Storage.
2.
Select Enter Items from the dropdown list, then select the Enter Syskey tab.
3.
Select the location of the Syskey (for example, a file path or a floppy disk) or enter the
password manually.
4.
Click OK.
EnCase Decryption Suite
19
User Password
If you know the userʹs password:
1.
Right click the root entry of Secure Storage.
2.
Select Enter Items from the dropdown list, then select the User Password tab.
3.
Enter the password.
4.
Click OK.
If the Syskey is protected and you do not know the password, an attack on the SAM file for user
passwords will not be successful. This is a rare situation. Most Windows machines will not have a
protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can
obtain dictionary files from a number of sources. To access setup, right click the root of Secure
Storage and select Dictionary Attack.
During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password
protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts
you to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to
the Syskey file location. The Syskey file is called startkey.key, and you should examine any
floppy disks collected at a scene for the presence of this file. If the Syskey file is recovered on a
floppy disk, it can be copied/unerased from EnCase to the examination machine, and you can
browse to the startkey.key location. This process is the same as when you use the Password
Recovery Disk.
Password Recovery Disk
Windows XP and 2003 Server enable local users to create a recovery disk containing their encrypted
password. The disk is designed to allow users to reset their password if they forget it, without
losing all of their EFS encrypted files and other important security credentials. The file is called
userkey.psw, and you should examine floppy diskettes recovered at the scene for the presence of
this file.
1.
With the floppy disk inserted, or the file copied to a hard drive, right click the root entry of
Secure Storage.
20
EnCase Version 6.12 Modules Manual
2.
Select Enter Items from the dropdown list, then select the Password Recovery Disk tab.
3.
Click the option button, File or Floppy, where the file is located.
4.
Enter the path or browse to it, then click OK.
Private Key File
If the logon password is unavailable, you can obtain the Domain Administratorʹs private key (PFX).
This also works for the userʹs key. To export and use the key:
1.
As Domain Administrator, double click C:\Windows\system32\certmgr.msc to
launch the Microsoft Management Console.
2.
Locate the Certificates folder containing the Domain Administratorʹs certificate.
3.
Right click the certificate.
4.
From the All Tasks menu, click Export.
5.
In the Certificate Export Wizard, click Next.
6.
Click Yes, export the private key, then click Next.
7.
Accept the default for the export file format, then click Next.
8.
Select a path and name the key (this assigns a .PFX extension), then click Next.
9.
When prompted, note the password entered.
Note: The password cannot be left blank. It is needed when using the key.
10. Click Next. A confirmation window shows details about the export.
11. Click Finish to complete the export.
12. Right click the root entry of Secure Storage.
13. Select Enter Items from the dropdown list, then select the Private Key File tab.
EnCase Decryption Suite
21
14. Enter the path or browse to it.
15. Enter the Password in the next prompt, then click OK.
A status screen confirms successful completion and the Private Key displays in the Secure
Storage tab.
Enter Mail Certificate
You can enter a .PFX certificate to use for decrypting S/MIME‐encrypted emails found in PST files.
1.
Right click the root entry of Secure Storage.
2.
Select Enter Items from the dropdown list, then select the Enter Mail Certificate tab.
3.
Enter the path to the .PFX certificate and the password.
4.
Click OK.
5.
The .PFX cert is decrypted and stored in Secure Storage.
Associate Selected
To associate *nix users with volumes:
1.
Select the Secure Storage tab.
2.
Click the check box next to the item or items you want to associate.
3.
Right click a checked item.
22
EnCase Version 6.12 Modules Manual
4.
Select Associate Selected from the dropdown list.
5.
The Associate dialog displays.
6.
Expand the Volumes tree and select the volumes you want to associate.
7.
Click OK.
EnCase Decryption Suite
23
Secure Storage Items
In the Report tab of the View pane you can see details about the currently selected item in the
secure storage. The Text and Hex views show the raw data. These items have the following
properties:
ƒ
Name
ƒ
Encrypted
ƒ
Type
ƒ
Subtype
ƒ
Password
ƒ
Password Type
The following items are of interest:
Aliases: These are Security Identifiers (SIDs) that point to one or more SID entities. They have a
name and a comment.
Groups: SIDs that point to one or more SID entities. They have a name and a comment. These are
defined groups such as Administrators and Guests.
SAM Users: These are Local Users. The details are listed in the report tab of the View pane.
Passwords: Found and examiner added passwords appear here.
Net Logons: These are Local Users. The details are listed in the report tab of the View pane.
Nix User/Group: Unix users/groups
Lotus: Lotus Notes
Email Certificates: These are used for S/MIME decryption and signature verification.
Disk Credentials: Persistent key cache for disk/volume encryption products
Master Keys: Every user with a private key has a master key that protects it. The master key
itself is encrypted with a hash of the user’s Windows password.
Private Keys: Used in the decryption of EFS files
Internet Explorer (IE) Passwords: Passwords from IE 6
Policy Secrets: These are LSA secrets. They include the default password and passwords for
services. Some of these secrets are not passwords but binary data placed there by the system
and applications.
SAM Keys/Policy Keys/Dpapi/CERT: For internal use
SafeBoot Encryption Support (Disk Encryption)
EnCase provides a way for you to view SafeBoot encrypted hard drives during an investigation.
This feature is only available to a user with an EDS cert enabled.
Note: If no EDS cert is found or the integration Dlls are not properly installed, the physical device will mount, but the
encrypted file structure cannot be parsed. Since SafeBoot overwrites the original MBR only for the boot disk, always
preview the boot disk first and then any other disk in a multi-disk machine configuration.
1.
Use the Add Device Wizard to add the physical device.
24
EnCase Version 6.12 Modules Manual
2.
When prompted, select the appropriate encryption algorithm from the list, then enter a user
name, server name, machine name, and password when in online mode.
The SafeBoot encrypted drive is parsed.
The offline dialog is similar. The Online check box is blank and only the Machine Name,
Transfer Database field, and Algorithm are available:
3.
Save the case once a successful decryption is complete. The credentials entered in the dialog
are stored in Secure Storage, eliminating the need to enter them again.
EnCase Decryption Suite
25
This illustration shows results of a successful decryption. The Tree pane shows a SafeBoot
folder, the Table pane contains a list of decrypted files while the Text pane shows contents
of a decrypted file.
4.
The next figure shows the same files as they appear encrypted.
26
EnCase Version 6.12 Modules Manual
Supported SafeBoot Encryption Algorithms
EnCaseʹs SafeBoot decryption feature supports these encryption algorithms:
ƒ
AES256 FIPS
ƒ
AES256
ƒ
DES
ƒ
RC5 ‐ 12 Rounds
ƒ
RC5 ‐ 18 Rounds
Utimaco SafeGuard Easy Encryption Support
EnCase provides a way for you to view SafeGuard Easy (SGE) encrypted hard drives during an
investigation. This feature is only available to a user with an EDS cert enabled.
Note: If no EDS cert is found or the integration DLLs are not properly installed, the physical device will mount, but the
encrypted file structure cannot be parsed. Since SafeGuard Easy overwrites the original MBR only for the boot disk, only
the boot disk can be decrypted in EnCase.
1.
Use the Add Device Wizard to add the physical device.
2.
EnCase detects the device and displays a user name and password dialog.
3.
Enter a valid user name and password when in online mode.
4.
Click OK.
5.
Once a successful decryption is complete, save the case. The credentials entered in the
dialog are stored in Secure Storage, eliminating the need to enter them again.
Note: If the password is empty, the Challenge/Response wizard opens. For more information, see
Utimaco Challenge/Response Support on page 27.
Supported Utimaco SafeGuard Easy Encryption Algorithms
EnCaseʹs Utimaco SafeGuard Easy decryption feature supports these encryption algorithms:
EnCase Decryption Suite
ƒ
AES192
ƒ
AES256
ƒ
DES
ƒ
3DES
27
Utimaco Challenge/Response Support
Utimaco has an alternate method for decrypting their data using a challenge/response code. Once
the code is authenticated, EnCase returns the key and any additional data (such as encrypted
sectors) necessary to decrypt the data.
1.
In the SGE credentials dialog, enter a user name but leave the password blank.
2.
Click OK.
3.
A Challenge Response dialog displays with the challenge code in blue. Keep this dialog
open while performing the next steps.
28
EnCase Version 6.12 Modules Manual
4.
Log in as Administrator. On the Windows Start page, click All
Programs→Utimaco→SafeGuard Easy→Response Code Wizard.
5.
The Welcome dialog displays.
EnCase Decryption Suite
6.
Click Next to begin generating a one time password (OTP). The Authorization Account
dialog displays.
7.
Click Next. The Remote User ID dialog displays.
8.
Enter the User ID that was used to derive the challenge code, then click Next.
29
30
EnCase Version 6.12 Modules Manual
9.
The Challenge Code dialog displays. Enter the challenge code generated by EnCase from
step 3.
10. Click Next. The Remote Command dialog displays.
11. Select One time logon, then click Next.
EnCase Decryption Suite
12. The Summary dialog displays with the response code in blue.
13. In the EnCase dialog from step 3, select the code length and enter the response code to
enable decryption of the selected encrypted evidence.
14. Click OK.
15. In the Summary dialog from step 12 , click Close to close the SafeGuard Easy Response
Code Wizard, or click New to generate a new response code from a different challenge
code.
31
32
EnCase Version 6.12 Modules Manual
Utimaco SafeGuard Easy Encryption Known Limitation
Utimaco SafeGuard Easy treats a machine with multiple hard drives as one hard drive consisting of
all sectors of all physical hard drives.
In contrast, EnCase examines each hard drive individually. This creates a problem:
ƒ
SafeGuard Easy overwrites only the Master Boot Record (MBR) of the boot disk
ƒ
Only the boot disk is detected as encrypted and then decrypted (given the correct
credentials are entered)
This means EnCase support for SafeGuard Easy is limited to decrypting only the boot disk, because
this is the only drive detected as encrypted by examining the MBR.
Workarounds
There are two workarounds for this problem. The first solution:
1.
Obtain both disks.
The internal disk holding the SafeGuard Easy kernel (disk 1)
The external, i.e., non‐bootable disk (disk 2)
2.
Open the kernel on disk 1. You can then access disk 2.
The second solution:
1.
Obtain a SafeGuard Enterprise (SGN) kernel backup file of disk 1.
2.
Restore disk 1 to an empty disk.
3.
Add the non‐bootable disk as disk 2. The information in the newly restored kernel gives
you access to disk 2.
BitLocker Encryption Support (Volume Encryption)
Microsoftʹs BitLocker is available in Windows Vista Enterprise and Ultimate editions. It encrypts an
entire volume using one of three modes to store the encryption key:
ƒ
Transparent operation mode (requires Trusted Platform Module [TPM])
ƒ
User Authentication mode (requires TPM)
ƒ
USB Key mode (does not require TPM)
When BitLocker is enabled, a large file is created that holds all of unallocated (UAC) space, minus 6
Gigabytes.
Recovery Key and Recovery Password Files
The recovery key is a file with a GUID name (for example, 67FA3445‐29D7‐4AB5‐8D0F‐
7F69B88D1C04.BEK).
The recovery password is an Advanced Encryption Standard (AES) 256 key in plain text (.TXT).
EnCase Decryption Suite
33
These keys are matched by Volume GUID and Key Protector GUID and are usually stored on a
removable flash drive.
Decrypting a BitLocker Encrypted Device Using Recovery Key
1.
Add a BitLocker encrypted device into EnCase using Add Device or drop and drag.
2.
The BitLocker Credentials dialog displays.
3.
The Recovery Key option button is selected by default. Browse to the location of the .BEK
recovery key.
4.
Click OK.
Decrypting a BitLocker Encrypted Device Using Recovery Password
1.
Add a BitLocker encrypted device into EnCase using Add Device or drop and drag.
34
EnCase Version 6.12 Modules Manual
2.
The BitLocker Credentials dialog displays.
3.
Select the Recovery Password option button, then enter the recovery password.
4.
Click OK.
After successful authentication, EnCase saves credentials in Secure Storage, so you do not have to
re‐enter them the next time you open the saved case.
WinMagic SecureDoc Encryption Support
You can access the hard drive of a system encrypted with SecureDoc software. EnCase supports
SecureDoc version 4.5 and above.
EnCase Decryption Suite
There are three ways to add SecureDoc disks to EnCase:
ƒ
Preview the hard drive
ƒ
Use the Add Device Wizard
ƒ
Drag evidence files into EnCase
Once you preview a machineʹs disk or open an evidence file, the Master Boot Record (MBR) is
checked against known signatures to determine whether the disk is encrypted. The SecureDoc
signature is WMSD.
Each SecureDoc user has a key file which can contain multiple keys encrypted using a password
associated with the file.
SecureDoc users have either administrator or user privileges.
ƒ
Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
ƒ
Users can only change their passwords
An installer is provided to place these integration DLLs in
%ENCASE%\Lib\WinMagic\SecureDoc:
ƒ
SDForensic.dll
ƒ
SDC.dll
ƒ
SDUser.dll
Note: The integration is supported on the 32-bit version of EnCase.
1.
When adding a SecureDoc disk, Encase prompts for three credentials:
a. The path to the file containing the user keys (extension .dbk)
b. The password associated with the key file
35
36
EnCase Version 6.12 Modules Manual
c. The path to the emergency disk folder corresponding to the physical disk under
examination
2.
Enter the credentials, then click OK.
3.
If the credentials are correct, EnCase decrypts the disk and parses the file system structure.
4.
When you save the case, the ranges of encrypted sectors and the original MBR are retained
in the case file for previewed drives as well as evidence files.
The disk view shows encrypted information in the Text and Hex panes for encrypted drives.
The disk view shows decrypted information in the Text and Hex panes for decrypted drives.
Acquiring the Device
A local acquisition at the physical device level results in acquisition of all decrypted logical
volumes.
An enterprise acquisition at the physical device level results in acquisition of all sectors in an
encrypted state.
Note: To obtain decrypted data, perform a local acquisition on the result of the remote acquisition.
Note: SecureDoc 4.5 does not allow for enabling the SCSI_PASS_THROUGH; because of this, every sector's data is
decrypted by SecureDoc's filter driver during a physical acquisition.
You can acquire either:
ƒ
All logical volumes by acquiring at the physical level
ƒ
An individual logical volume by acquiring at the logical level
The completed acquisition contains the decrypted volumes. You do not need a password to view
the file structure.
EnCase Decryption Suite
37
GuardianEdge Hard Disk Encryption Known Limitation
With GuardianEdge Hard Disk Encryption (GEHD) version 8.6 and higher, you cannot use client
administrator credentials to authenticate to a physical drive in EnCase.
While adding the physical hard drive (as opposed to a logical acquisition), an authentication screen
displays. If you enter the client administrator account, password, and domain, the authentication
screen displays repeatedly without going to the next step.
Because GEHD has domainless client administrators, you need to use a default field for the domain:
1.
Make sure you have the EnCase Decryption Suite module with PC Guardian support
installed (Help→About EnCase).
2.
In the domain field, enter EA#DOMAIN as the client administrator account.
For more information, see Knowledge Base article 00002281 in the GuardianEdge Customer Support
Portal (https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000001ZQU).
CREDANT Encryption Support (File-Based Encryption)
EnCase provides a way for you to access CREDANT‐encrypted data on Windows devices.
Note: You can obtain the CREDANT API installer from CREDANT Technical Support. Install it, then begin the
examination.
EnCase reviews your mounted files and looks for CREDANT‐encrypted data (CredDB.CEF file). If
it finds this data, a logon dialog displays.
38
EnCase Version 6.12 Modules Manual
1.
The dialog populates with a known user name and password, Server, Machine ID, and the
Shield CREDANT ID (SCID). CREDANT files are processed and decrypted with no further
interaction, given that the credentials are correct.
EnCase Decryption Suite
39
The offline dialog is similar. The Online check box is blank and the Machine ID and SCID fields
are unavailable.
2.
Save the case once a successful decryption is complete. The credentials entered in the dialog
are stored in Secure Storage, eliminating the need to re‐enter them.
The illustration below shows results of a successful decryption:
40
EnCase Version 6.12 Modules Manual
ƒ
The Tree pane shows a CREDANT folder
ƒ
The Table pane contains a list of decrypted files
ƒ
The Text pane shows contents of a decrypted file
The next illustration shows the same files as they appear unencrypted.
EnCase Decryption Suite
41
Supported CREDANT Encryption Algorithms
EnCaseʹs CREDANT decryption feature supports these encryption algorithms:
ƒ
AES128
ƒ
AES256
ƒ
3DES
ƒ
Rijndael 128
ƒ
Rijndael 256
ƒ
Blowfish
CREDANT Encryption Support (Offline Scenario)
If the machine to be investigated is not on the network with the CREDANT server, you must obtain
the CREDANT keys and store them in a location accessible to the Examiner machine.
Before you begin:
You must install the CREDANT Library Installer to run the utility with the appropriate DLLs.
You can obtain the installer from CREDANT technical support.
You must have EnCase Decryption Suite installed on the Examiner dongle that will decrypt the
CREDANT‐encrypted data.
You must obtain the URL for the CREDANT Mobile Guardian (CMG) Device Server.
You must obtain an Administrator username and password. The CREDANT administrator
must have Forensic Administrator privileges, as specified in the CMG Server Web Interface for
CMG v5.4 and later servers. The administrator must have Security Administrator privileges for
the v5.3 server.
You must obtain the Administratorʹs login domain (for CMG 6.0 and later servers only), the
Machine ID for the target device (MUID), the Shield CREDANT ID (SCID), the Username that
the key material is being downloaded for, and the Password to use to encrypt the output .bin
file.
1.
At a computer that has communication to the CREDANT Server, run the utility
CEGetbundle.exe from the Windows command prompt. CEGetBundle.exe is supplied by
CREDANT in the CREDANT Library Installer, which also installs the DLLs necessary for
the decryption. Copy the integration DLLs and MAC file to the target device as well.
2.
Supply the parameters as follows: CEGetBundle [‐L] XURL ‐aAdminName ‐AAdminPwd [‐
DAdminDomain] [‐dDuid] [‐sScid] [‐uUsername] ‐oOutputFile ‐oOutputFile ‐IOutputPwd
-L
Legacy mode for working with pre 5.4 server installs
URL
Device Server URL (e.g.,
https://xserver.credant.com:8081/xapi)
AdminName
Administrator user name
AdminPwd
Administrator password
42
EnCase Version 6.12 Modules Manual
AdminDomain
Administrator domain (optional: required only if the CMG
Server is configured to support multiple domains)
MUID
Machine ID for the target device (also known as the Unique
ID or hostname)
SCID
Shield CREDANT ID (also known as DCID or Device ID)
Username
Name of the forensic administrator
OutputFile
File to save the key material in
OutputPwd
Password to encrypt output file
Here is a command example: cegetbundle ‐L ‐Xʺhttps://CredantServer:8081/xapiʺ ‐
aʺAdministratorʺ ‐Achangeit ‐dʺCredantWorkstation.Credant.localʺ ‐sCI7M22CU ‐
uʺAdministratorʺ ‐oʺC:\CredantUserKeys.binʺ ‐iChangeIt
3.
Place the .bin file downloaded from the CREDANT server in a path accessible from the
Examiner machine. Open EnCase and create a new case or open an existing one. You must
have EnCase Decryption Suite installed on the Examiner machine that decrypts the
CREDANT‐encrypted data.
Note: In legacy mode, you must execute this utility for each user targeted for investigation on the
target device while specifying the same output file. The keys for each user are appended to this
output file.
4.
Acquire a device with CREDANT encrypted files, or load an evidence file into the case. The
Enter Credentials dialog displays, prompting you for only the Username, Password,
Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information.
Note: In Offline mode, the only information you must provide is the Password and Server/Offline
Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).
When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage
in EnCase, and saved with the case. You do not have to re‐enter this information.
CREDANT Files and Logical Evidence (L01) Files
To decrypt an encrypted EFS file you need the following:
1.
The EnCase EDS module
2.
The CredDb.CEF file residing in the folder. This is essential, since it contains the
information to get to the decryption key.
In EnCase versions prior to 6.12, there are different scenarios from logical evidence files from prior
versions of EnCase:
1.
The file is encrypted and the CredDB.CEF file is missing from the same folder within the L01:
the file cannot be decrypted.
2.
The file is encrypted and the CredDB.CEF file is in the same folder: the file can be decrypted.
3.
The file is decrypted and the CredDB.CEF file is missing: the file remains decrypted.
EnCase Decryption Suite
4.
43
The file is decrypted and the CredDB.CEF stream is in the same folder: the file will be
decrypted twice.
Note: The workaround in case 4 is to cancel the CREDANT Credentials dialog or delete the
CREDANT keys from the secure storage.
From version 6.12 on, all the scenarios above are handled gracefully, because the CredDB.CEF file is
added internally.
ƒ
If the file is encrypted, the CredDB.CEF stream is automatically stored with the file as
metadata.
ƒ
If the file is decrypted, the CredDB.CEF stream is not automatically stored, as it is not
needed. This does not prevent you from storing the stream by specifically saving it to the
LEF.
Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.
S/MIME Encryption Support
The EnCase S/MIME Encryption Support provides the ability to decrypt S/MIME‐encrypted emails
found in PST files. Email sent or received with the file extensions .pst, mbox and .edb support the
S/MIME PKCS #7 standard.
You must have PFX (PKCS 12 standard) certificates installed prior to parsing. PST, EDB, and MBOX
mail containers are supported.
To decrypt S/MIME data:
1.
Open or create a case and enter Secure Storage.
2.
Right click on a folder in the left pane.
A dropdown menu displays.
44
EnCase Version 6.12 Modules Manual
3.
Select Enter Items.
The Enter Items dialog displays.
4.
Select the Enter Mail Certificate tab.
Note: The only allowed certificate format is .PFX.
5.
Enter the path to the PFX certificate and the password, then click OK.
The PFX cert is decrypted and stored in Secure Storage.
S/MIME decryption and signature verification happens in the background.
Given the proper password, the certificate is stored in Secure Storage under E‐Mail Certificates
folder. After you import the required certificates into Secure Storage, you can parse the email
container files using the View File Structure feature in the Entry View.
EnCase Decryption Suite
S/MIME Email Certificate contents are displayed like this in Secure Storage:
45
46
EnCase Version 6.12 Modules Manual
When parsing is complete and successful a directory list displays. In the illustration, the folder is
entitled smime.p7m (S/MIME data comes as an attachment of the email). In Entries view, the text of
the email is shown in the Text pane while the emailʹs attachments appear in the Table pane.
EnCase Decryption Suite
View and work with content in the Records tab.
Troubleshooting a Failed S/MIME Decryption
If decryption fails, you can compare Entries view with Records view to try to find the error.
47
48
EnCase Version 6.12 Modules Manual
Entries view:
Records view:
EnCase Decryption Suite
49
Decrypting S/MIME Emails in an Evidence File Created in Windows Vista
You cannot decrypt S/MIME emails in an evidence file created in Windows Vista using an examiner
installed on Windows XP or earlier. This is because CryptoAPI on Vista (Crypto Next Generation,
or CNG) is not yet supported on XP.
So if an evidence file created in Vista contains S/MIME emails, you should perform the examination
to decrypt them on a Vista machine as well, given that proper certificates are available.
NSF Encryption Support
The Lotus Notes email client has security built into the product. Notes was the first widely adopted
software product to use public key cryptography for client‐server and server‐server authentication
and for encryption of data, and it remains the product with the largest installed base of PKI users.
The EnCase® Suite can decrypt encrypted NSF documents and send them to recipients within the
same Domino server.
Each server user has an ID file that contains a userʹs:
ƒ
encrypted private key
ƒ
public key
ƒ
password information
ƒ
password recovery information
It also has an NSF file that represents the userʹs mailbox in 8.3 format in the default path <domino
installation folder>\data\mail\<user>.nsf.
Recovering NSF Passwords
To retrieve the recovery password, you must have proper administrative rights on the Domino
server.
50
EnCase Version 6.12 Modules Manual
1.
Open the Domino Server.
2.
Log in as the server administrator.
3.
Click OK.
The password ID list displays.
4.
Click OK.
EnCase Decryption Suite
51
The recovery password displays.
5.
Click OK and define users authorized to generate recovery passwords.
Lotus Notes Local Encryption Support
EnCase can decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a replica
of the corresponding encrypted mailbox on the Domino server.
Each Domino server user has a corresponding NSF file representing that userʹs mailbox in 8.3
format. The default path is <Domino Installation Folder>\Data\Mail\<user>.nsf. The
Lotus Notes client is set up to use the local mailbox. Synchronization between the local and server
mailboxes occurs according to a replication schedule determined by the Domino administrator.
Encryption of the local mailbox is not mandatory but it is advisable, because without encryption a
person familiar with the NSF file structure could read email without needing Lotus Notes.
Encryption occurs at block level.
Determining Local Mailbox Encryption
Look in the header (the first 0x400 bytes) at offset 0x282. If the byte is 0x1, the mailbox is locally
encrypted.
Parsing a Locally Encrypted Mailbox
1.
Obtain the corresponding ID file from the Domino server. All user ID files are backed up on
the server either on disk as a file or in the Domino directory as an attachment to email.
52
EnCase Version 6.12 Modules Manual
2.
Parse it using View File Structure, so that the private key is inserted in Secure Storage.
Encrypted Block
The example below shows an encrypted block at offset 0x22000:
The decryption algorithm uses a seed that is based on the basic seed from the header and the block
offset.
EnCase Decryption Suite
Decrypted Block
Here is an example of a decrypted object map at offset 0x22000:
53
54
EnCase Version 6.12 Modules Manual
Locally Encrypted NSF Parsing Results
A successfully parsed locally encrypted NSF looks like this in Entry view:
EnCase Decryption Suite
55
If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with
the data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:
56
EnCase Version 6.12 Modules Manual
Windows Key Architecture
Windows has an elaborate key protection mechanism. The Syskey protects the policy key, the SAM
key, and others. These keys protect the user’s password hashes.
In Windows 2000, however, the Master Key is protected by the user’s password hash with a
mechanism that slows down any attack. The Master Key protects the user’s private key. And the
user’s private key protects a key within the $EFS stream that allows for decryption of the EFS
encrypted file.
Dictionary Attack
Software implementing this method normally uses a text file containing a large number of
passwords and phrases. Each is tried in turn in the hope that one of the words or phrases in the file
will decrypt the data involved.
A large number of dictionary files (sometimes called word lists) are on the Internet, or you can
create your own list. Creating your own list may be preferable if the person under investigation has
a particular interest, such as football.
There are freeware utilities on the Internet you can use to create a dictionary from combinations of
letters, numbers, and characters up to a predefined length. Free Wordlist Generator
(http://www.soft82.com/download/windows/free‐wordlist‐generator/) is one example.
EDS can attack NT based user account passwords and cached net logon passwords using a
dictionary attack.
EnCase Decryption Suite
57
Built-in Attack
Specific items do have associated passwords. If they are not automatically retrieved, you can use a
trial and error mechanism. This may or may not succeed.
Items that can be Attacked
ƒ
Local users
ƒ
Network users that logged on (cached domain users)
ƒ
Syskey (password mode only)
ƒ
Master Key, if the user’s SAM or domain cache can’t be accessed (due to corruption,
account deletion or Syskey protection). This is much slower than attacking the
Local/Network Users
External Attack
Local users can be attacked with third party tools. There are freeware tools, and their performance
is much greater than EnCase because they can run on many computers at the same time and/or use
rainbow tables. EnCase can export the local user’s password hashes in the PWDUMP format that
most tools read. This is done from the User List.
58
EnCase Version 6.12 Modules Manual
User List
The User List of Secure Storage shows Local Users, Domain Users, Nix Users, and/or Nix Groups
from the local machine or evidence file. Information such as:
ƒ
last logon date
ƒ
user SID
ƒ
NT hash
ƒ
LanManager hash
is also associated with each account
Integrated Attack
There are three different sources for words to be tested:
ƒ
Internal passwords: These are the password items in the secure storage
ƒ
Dictionary words: The dictionary is a plain text file that can be in ANSI‐Latin1 or UTF16.
Every word needs to be on its own line (it can contain any character, including spaces).
ƒ
Brute force: Automatically generates words from an alphabet with a length in a given range
There are four “mutators” that can be applied:
EnCase Decryption Suite
59
ƒ
Toggle Case: Tries all the upper/lower case variations
ƒ
Append Digits
ƒ
Prepend Digits
ƒ
Combine Words: The words are combined with each other. For example, if the dictionary
contains the words ʺoldʺ and ʺdogʺ, the result is these four words:
old
dog
olddog
dogold
Brute Force Attack
A brute force attack works by trying to identify a password or passphrase by testing all possible
combinations of the characters of an alphabet. This alpahbet is in the text file pointed to by the
ʺalphabet path”. This is a is a plain text file that can be in ANSI‐Latin1 or UTF16, where the first line
uses all the characters. This can generate massive amounts of words to test.
An example of an alphabet path is “abcdefghijklmnopqrstuvwxyz01234567890‐( )“.
Depending on the settings, a dictionary attack can test thousands of passwords contained in a
dictionary file in a very brief time frame. It is usual to try a dictionary attack first and then progress
to a brute force attack if the password(s) cannot be found.
Any information concerning the possible structure/character length of the password helps
dramatically.
CHAPTER 3
Physical Disk Emulator
In This Chapter
ƒ
What is the Physical Disk Emulator?
ƒ
Using Physical Disk Emulator
ƒ
Third-Party Tools
ƒ
Boot Evidence Files and Live Systems with VMware
ƒ
VMware/EnCase PDE FAQs
ƒ
PDE Troubleshooting
62
EnCase Version 6.12 Modules Manual
What is the Physical Disk Emulator?
The EnCase® Physical Disk Emulator (PDE) module allows investigators to mount computer
evidence as a local drive for examination through Windows Explorer. The power of this feature is
well articulated in many forums. Most notably, this allows investigators many options in their
examinations, including the use of third‐party tools with evidence served by the EnCase program.
We are committed to the concept of providing an integrated product to our customers. Third‐party
tools continue to be developed to complement the core functions and features of the EnCase
program, and we encourage their creation and use. PDE allows third‐party access to all supported
computer evidence and file system formats. The EnCase program continues its evolution towards
becoming a server of forensic data, whether in an image file, a preview of an offline computer or
hard drive, or a live machine on a network.
Evidence File Formats Supported by EnCase PDE
EnCase PDE supports mounting of individual image files of hard drives and CDs, but not images
or previews of the local forensic machineʹs hard drive. All Image file formats and file systems that
are supported by the EnCase software can be mounted with PDE. In addition, the following live
computer forensic evidence is supported by PDE:
ƒ
Local machine preview of CDs
ƒ
Local machine preview of evidence hard drives through FastBloc® FE and LE hardware
write‐blocking devices
ƒ
Crossover cable network preview of hard drives and CDs
ƒ
Parallel port preview of hard drives and CDs
ƒ
EnCase Enterprise and Field Intelligence Model (FIM) live network preview of hard drives
and CDs
Using Physical Disk Emulator
Do not, under any circumstances, attempt to use PDE to mount EnCase images or previews of the local forensic hard
drives. Windows will blue screen if it detects multiple instances of the same drive. Use only evidence files of other
machines.
Starting Physical Disk Emulator
To mount a device using the Physical Disk Emulator, you must add a physical or logical disk image
to a case in the Entries subtab under Cases. PDE can only mount physical devices or volumes. If
you select a menu item from a non‐mountable level, the PDE configuration is limited to client
mode.
Physical Disk Emulator
Using PDE
1.
Right‐click the logical or physical drive, and select Mount as Emulated Disk.
2.
The Mount as Emulated Disk dialog displays.
Configuring the PDE Client
PDE assigns a local port the first time you run PDE. Afterwards the port number is disabled and
you cannot change it. To assign a new port number, close the Windows session and restart.
PDE does not use any other options in the Server Info tab.
63
64
EnCase Version 6.12 Modules Manual
To specify cache and CD options, click the Client Info tab.
Cache Options
If a physical device or volume (not a CD) is selected, decide whether to cache data. By default,
caching is disabled. Use the write cache if programs need to access the files in an emulated
read/write mode.
If cache is enabled, changes made by programs are sent to a separate cache file specified on your
local system.
1.
To create a new write cache file an EnCase Differential Evidence File, clear the Disable
caching check box.
2.
Select Create new cache in the Cache Type group and specify a Write cache path.
3.
Select Use existing cache and ensure the existing write cache file is specified in the Write
cache path field.
If you choose to use an existing cache path, make sure to use a write cache file that was created with
the evidence you are currently mounting.
Caching is necessary for PDE to function with VMware. In this state, Windows caches file deletions
and additions. This is used to boot the drive with VMware as described later in this section.
Caching is also necessary when mounting certain volume types.
[Placeholder for screenshot]
CD Options
If a CD is mounted, the CD Session to view option is enabled to specify which session on a multi‐
session CD should display in Windows. The default session is the last session on the active CD,
which is the one normally seen by Windows.
1.
To view a prior session, select that here.
2.
Click OK to continue.
Physical Disk Emulator
3.
65
If a message displays saying the software you are installing has not passed the Windows
Logo test, click Continue Anyway.
This allows Windows to add the evidence file as a drive with its own drive letter.
If using VMware, you need the physical Device Number.
Verify that the evidence file has been mounted with a drive letter by browsing in Windows
Explorer. With the drive letter, you can apply third‐party tools.
When the share is created, a sharing (hand) icon appears on the device in the interface.
Mounting Non-Windows Devices
Devices with file systems other than NTFS or FAT can be mounted using PDE; however, the
volume cannot be seen by Windows (although the physical device can be seen in Disk
Management). The process to mount such a device is the same as that used to mount an NTFS or
FAT device.
Accessing the Local Disk in Windows Explorer
After mounting the disk with PDE in the EnCase interface, open Windows Explorer. The new
volume is represented with a hard drive icon, assigned a volume letter, and labeled as a local disk.
Browse the mounted drive in Windows Explorer:
ƒ
To open hidden files, Enable Show hidden files and folders in Windows Explorer by
selecting Folder Options in the Tools menu
ƒ
To view deleted and system files and unallocated clusters, or to mount the evidence file use
the EnCase Virtual File System module
Files and folders on the mounted device can be accessed in Windows in the same manner as if the
device were an additional drive, although changes will be written to cache (if in use) instead of to
the device itself.
Saving and Dismounting the Emulated Disk
If write caching is enabled when mounting the device, you can save virtual changes made to the
evidence file.
1.
In the EnCase interface, right‐click the drive mounted using PDE.
2.
Select Save emulated disk state.
66
EnCase Version 6.12 Modules Manual
The cache is saved in the path specified for write caching. Each time after the initial save, an
instance number is appended to the cache file. These cache files can later be used to remount the
evidence in its saved state, but you must have all of the preceding cache files, located in the same
directory.
To end the emulation:
1.
Double‐click the flashing Physical Disk Emulator indicator in the lower right of the
application window.
2.
Click Yes in the Thread Status window to cancel the disk emulation.
If caching is enabled when mounting evidence, this screen displays:
The purpose of the final cache is to create a compressed and merged Differential Evidence File
(*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are
multiple cache files for the same mounted evidence session. The final cache merges all these files. If
there is no need to save the final file, select Discard final cache.
Use the Differential Evidence File to open the evidence file and view the emulated disk with the
cached changes applied.
To apply the cached data:
1.
Right‐click the device.
2.
Select Mount as Emulated Disk.
3.
Click the Client Info tab.
4.
Clear the Disable caching check box.
5.
Select Use existing cache.
6.
Browse in the Write cache path field to find the *.D01 file.
After the disk mounts, Windows Explorer reflects the cached changes.
When the device is dismounted, a status screen informs whether the disk was dismounted
successfully.
Physical Disk Emulator
67
Closing and Changing the Emulated Disk
To mount a different drive, first dismount the currently emulated drive as previously described.
You can then set a new mount point.
Be sure to dismount evidence that is served through PDE before exiting. A reminder message appears if you attempt to
close the case or the EnCase program while evidence is mounted with PDE.
Temporary Files Reminder
EnCase Forensic, Enterprise and FIM allow investigators to redirect temporary files to a
Temp/Trash folder on a secondary hard drive for faster clean‐up after an examination, and to
prevent confidential or contraband materials from being redirected by Windows to the
investigatorʹs own temp folder on the operating system drive.
When opening a file mounted with PDE in Windows Explorer with a third‐party tool, the Windows
operating system controls the temporary file creation on the operating system drive, and any
necessary post‐examination cleanup is more laborious.
Third-Party Tools
Investigators with the PDE Module can use Windows Explorer to browse the structure of computer
evidence. They can also utilize third‐party tools capable of requesting and interpreting data from
Windows Explorer to examine evidence outside the EnCase program. Guidance Software® does not
certify the performance or accuracy of results obtained through any tools not developed by
Guidance Software.
Using Third-Party Tools
The third‐party tools and viewers available to the investigator for forensic examination are now
greatly expanded with EnCase PDE. To use a third‐party tool, open the file as follows:
1.
Double‐click a file served by PDE to have Windows Explorer request and receive the data
from the EnCase software.
2.
Open the data with the assigned program according to the file extension.
Quick View Plus
A popular viewing program is Quick View Plus, which allows the investigator to view dozens of
file formats without the native applications installed on the examination machine.
Malware Scanning
A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans,
and other malware programs. First, mount the drive or volume from the evidence file through PDE.
In Windows Explorer, select the newly mounted drive (in this case, F:). If an antivirus program is
installed and integrated with Windows Explorer, it can be used to scan for viruses. The program
reads the emulated disk presented to Windows Explorer. The EnCase program serves the requested
data to Windows Explorer, and then to the program for scanning.
68
EnCase Version 6.12 Modules Manual
Boot Evidence Files and Live Systems with VMware
Initial Preparation
For the Physical Disk Emulator to work properly, VMware version 4.5.1, build 7568 or later is
required. To use VMware to mount an evidence file:
1.
Determine the operating system of the subject evidence file using the following methods:
a. Use the Windows Initialize Case module from the Case Processor EnScript® program
to determine the operating system.
b. Check the contents of the boot.ini file, which is located on the partition root.
c. Examine the folder structure, noting the following:
Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings
folder for user profiles and folders.
Windows NT and 2000 use the C:\WINNT folder for the system root.
Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root.
2.
Mount the physical disk containing the operating system using Physical Disk Emulator.
Make sure to enable caching
3.
Determine what physical disk number has been assigned to it using one of these methods:
This information is provided when the device is mounted.
Select the Disk Management option by right‐clicking My Computer in Windows, then
select Manage.
There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical
disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are
plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify
in Disk Management. If you encounter a message stating, "The specified device is not a valid physical disk device", it is
most likely as a result of this issue.
Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows, particularly XP, will
blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.
New Virtual Machine Wizard
To boot evidence files using VMware:
1.
After you have gathered the needed information, launch VMware.
2.
Select New Virtual Machine from the File menu.
3.
At the New Virtual Machine Wizard screen, click Next.
Physical Disk Emulator
4.
4. Select Custom, then click Next.
5.
Select the appropriate Guest Operating System radio button.
6.
Select an operating system from the Version drop‐down menu to identify the operating
system version installed on the evidence file, then Next.
7.
In the Name the Virtual Machine dialog, enter a virtual machine name.
69
As an option, you can click Browse to change the location for VMwareʹs configuration files.
8.
Click Next.
70
EnCase Version 6.12 Modules Manual
9.
Assign the amount of memory for VMware to use, then click Next.
10. Select the type of network to use, then click Next.
Selecting Do not use a network connection is recommended in the event that there is some
type of malware installed on the machine the evidence file was created from.
11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.
12. Select Use a physical disk (for advanced users).
Ignore any subsequent warning messages.
13. Select the disk that represents the mounted drive using PDE.
14. Accept the default setting of Use Entire Disk, then Click Next.
15. Use the default disk file specified in the Specify Disk File dialog, then click Finish.
Physical Disk Emulator
71
If the disk file is not recognized as a Virtual machine, you can change the name of the file
(taking care to leave the .vmdk extension).
VMware returns to the main screen, showing the newly created virtual machine.
Boot the Virtual Machine
Boot the virtual machine by starting VMware and performing the following:
1.
Click the link for Start this virtual machine next to the green arrow.
The evidence file is write protected by the EnCase program, but PDE enables a write cache
that interacts with VMware as if it were mounting a disk in read/write mode.
When the virtual machine starts, the operating system is shown as if the forensic machine
was booting the drive. It boots in the same manner as the native machine.
2.
As with booting restored hard drives, the virtual machine may require a user name and
password to proceed.
3.
Since pop‐ups (such as AOL Instant Messenger) may cause driver problems, save the state
of the virtual machine regularly.
72
EnCase Version 6.12 Modules Manual
VMware/EnCase PDE FAQs
Can live evidence be booted with VMware?
Live computer evidence (network nodes in the EnCase Enterprise program and local CDs) can be
mounted with PDE but cannot be booted with VMware.
What version of VMware should be used with EnCase PDE?
PDE/VMware integration is with VMware version 4.5 and higher.
Why won't VMware recognize an emulated (mounted) disk?
You must launch VMware after emulating the disk with PDE, as VMware will not recognize a
physical drive that has been added since it was started. In addition, VMware will not successfully
boot evidence files which contain Windows with a non‐default IDE driver. This is a known issue.
Additional information is available at
http://www.vmware.com/support/kb/enduser/std_adp?p_faqid=36.
What do I do if I see the message "The file specified is not a virtual disk" after running the New Virtual
Machine wizard?
Occasionally after completion of the new virtual machine wizard in VMware, an error message
(ʺThe file specified is not a virtual disk.ʺ) may be encountered. This issue is with VMware, not the
EnCase program. Running the New Virtual Machine Wizard again usually resolves this issue.
How do I start a VMware machine with my saved EnCase Differential File?
Mount the disk using the existing cache file.
Why does VMware not recognize some physical disks?
If your evidence is successfully mounted, but VMware states that the physical disk that the image is
mounted on is not a valid Physical Disk, it may be a result of a non‐IDE device on a lower Physical
Device than the emulated disk.
Windows XP keeps popping up windows about installing drivers when I boot.
The EnCase PDE Module installs GSI‐specific IDE drivers to be loaded in order to emulate the disk
as a drive within Windows with an assigned drive letter. A virtual IDE controller is created that can
be seen in Device Manager. If Windows is allowed to load default IDE drivers, the module will not
work properly. You can prevent this by canceling the attempt from the pop‐up window. Once you
have bypassed this message, you can save the state so that the next time the system is rebooted,
Windows will not attempt to load the drivers again.
Physical Disk Emulator
73
How do I restart a VMware session from a saved state?
VMwareʹs suspend and resume feature allows you to save the current state of your virtual machine,
then resume later with the virtual machine in the same state it was when you stopped it. Once you
resume and do additional work in the virtual machine, there is no way to return to the state the
virtual machine was in at the time you suspended it. To preserve the state of the virtual machine so
that you can return to the same state repeatedly, you would need to take a snapshot. Instructions
for using the snapshot are available at VMwareʹs web site at http://www.vmware.com/support/
ws45/doc/preserve_snapshot_ws.html. The speed of the suspend and resume operations depends
on how much data has changed while the virtual machine has been running. In general, the first
suspend operation takes a bit longer than later suspend operations do. When you suspend a virtual
machine, a file with a .vmss extension is created. This file contains the entire state of the virtual
machine. When you resume the virtual machine, its state is restored from the .vmss file.
To suspend a virtual machine:
1.
If your virtual machine is running in full screen mode, return to window mode by pressing
Ctrl + Alt.
2.
Click Suspend on the VMware Workstation toolbar.
3.
When VMware Workstation has completed the suspend operation, it is safe to exit VMware
Workstation (Exit from the File menu).
Resume a virtual machine as follows:
1.
Start VMware Workstation and choose a virtual machine you have suspended.
2.
Click Resume on the VMware Workstation toolbar.
Note that any applications you were running at the time you suspended the virtual
machine are running and the content is the same as it was when you suspended the virtual
machine.
Additional VMware troubleshooting is available from their knowledge base at
http://www.vmware.com/support/kb/enduser/std_alp.php?
PDE Troubleshooting
Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help
menu
If you are using cert files, check to see that the PDE certificate is located in the Cert
directory (typically C:\Program Files\EnCase6\Certs).
Make sure the security key is installed and working properly (check the title bar to ensure
that the program is not in Acquisition mode).
If you are using cert files, check the security key ID to ensure that it is the correct one for
which the certificate was issued.
I can mount a device locally, but cannot set up a local server
Although menus exist for PDE Server operation, it is not currently functional.
74
EnCase Version 6.12 Modules Manual
A message is encountered stating that PDE cannot remove the device when attempting to dismount
the device mounted
The error message may occur if Windows is accessing a file on the mounted device (e.g., the
directory is opened in Windows Explorer or a file is opened in a third‐party application).
To resolve the issue, close all Windows applications accessing the mounted device, then
click OK.
An error message is encountered stating that you need to reboot your machine, followed by a
"Rejected connection" message
This issue is due to the device driver not being released properly. The only way to resolve
this issue is to close all applications (including the EnCase application) and reboot the
forensic machine. You should not encounter the error again when the machine is rebooted.
If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical
Services.
CHAPTER 4
Virtual File System
In This Chapter
ƒ
What is VFS?
ƒ
Mounting Evidence with VFS
ƒ
Dismount the Network Share
ƒ
Accessing the Share
ƒ
Third-Party Tools
ƒ
VFS Server
ƒ
Troubleshooting
76
EnCase Version 6.12 Modules Manual
What is VFS?
The Virtual File System (VFS) module allows investigators to mount computer evidence as a read‐
only, off‐line network drive for examination through Windows Explorer. The value of this feature is
that it allows investigators multiple examination options, including the use of third‐party tools with
evidence served by the EnCase® program.
We are committed to the concept of providing an integrated product to our customers. Third‐party
tools will continue to be developed to complement the core functions and features of the EnCase
program, and we encourage their creation and use. VFS allows third‐party access to all computer
evidence and file system formats supported by the software.
For our customers using the EnCase Forensic program, the VFS module has the added power of
enabling use of third‐party tools against hard drives previewed through a FastBloc® device or a
crossover cable, including deleted files. For customers using the EnCase Enterprise program, VFS
allows use of third‐party tools against live machines on the network using best practices, since the
operating system is bypassed.
Evidence File Formats Supported by VFS
ƒ
VFS supports mounting any data that is visible in a case. All image file formats and file
systems that are supported by the EnCase software can be mounted with VFS.
Mounting Evidence with VFS
The VFS Module is able to mount computer evidence supported by the EnCase program as an
offline read‐only network drive in Windows Explorer. You can mount evidence at one of four
levels; however, only one mounting point can be designated at a time. If you want to change the
mounting point, you need to dismount the evidence and mount at a new level to include the
desired devices.
The levels where you can mount evidence are:
ƒ
Case level: Mounting from case‐level is not supported by VFS
ƒ
Disk/Device level: Mounts a single physical disk or device, with access to all volumes on
the disk or device
ƒ
Volume level: Mounts a single volume/partition on a physical disk
ƒ
Folder level: The lowest level you can mount is at the folder level
This mount level is helpful to examine files in paths that exceed the Windows limit of 264
characters in the full path and name of a file
Using the Server extension, you can also mount evidence to be shared with other investigators
through the local area network. The Virtual File System Server is discussed later in this manual.
Mounting a Single Drive, Device, Volume, or Folder
Only one mount point can be designated at a time; to include other data, a mount point must be
selected that is in a parent relationship to both areas of data to be mounted.
Virtual File System
77
To mount a single drive or device in a case file or a single volume or folder on a drive, right‐click
the drive or device, and select Mount as Network Share:
Mount Network Share Options
On the Server Info tab of the Mount as Network Share window, most of the server info is disabled
when establishing a local server. The only exception is the local port. VFS defaults to establishing a
local server, which is the option used when using VFS on the local machine.
Since VFS is mounting the evidence as a network shared drive, a local port must be assigned. To
allow recovery from errors in Windows, such as a crash while using third‐party tools as described
later in this manual, the VFS service runs for the life of the Windows session. This means that the
port number can be assigned the first time the VFS service is run to mount evidence. Afterwards the
port number is grayed out with the assigned port number unchangeable:
1.
On the Server Info tab, set the local port or use the default setting.
2.
Adjust the Max. clients allowed, up to the maximum number of clients purchased for VFS.
To assign a new port number, the Windows session must be closed, such as through a reboot.
3.
Click the Client Info tab to set the volume letter to be assigned to the network share in
Windows Explorer.
4.
The default setting allows Windows Explorer to assign the next available volume letter, or
you can set any other letter that is currently not assigned.
Assigning a specific volume letter can be useful when attempting to virtually reconstruct a
mapped network drive, such as for a database:
78
EnCase Version 6.12 Modules Manual
If you currently have mapped networked drives or if you let Windows assign the drive
letter, it takes a few seconds to query the system to find an available drive letter
If you specified a volume letter, and it is available, the mounting is virtually
instantaneous
A confirmation popup window informs you that the mount was successful, with the volume letter.
The ʺshared handʺ icon appears at the level you designated as the mount point for the shared drive.
Compound Files
Many compound files, including Microsoft Word, Excel, Outlook Express, and Outlook files, can be
mounted in the EnCase interface. To do this:
1.
Right‐click the file.
2.
Select View File Structure.
In the example below, a Microsoft Word .doc file is mounted. The device is then mounted
with VFS at the device level.
3.
Mount the case, drive, volume, or folder with VFS as for a single case, drive, etc. by right‐
clicking and selecting Mount as Network Share, as described above for single items.
Virtual File System
4.
79
View the mounted file as a folder in Windows Explorer, where the compound file structure
can be browsed.
VFS is a dynamic engine and will serve the data as it is presented by the EnCase software.
To view the original Word document file:
1.
Close the mounted compound file.
2.
In Windows Explorer, refresh the screen using the F5 key.
If you have currently selected data within the compound file, an error message reports that
the data is no longer available, since it was closed inside of the EnCase program.
3.
Select the parent folder of the file to view and open the file.
Encrypting File System
Decrypted files can be viewed within Windows when you use VFS in conjunction with the EnCase
Decryption Suite (EDS) module. The evidence containing the decrypted files and folders can be
mounted with VFS for viewing the decrypted data within Windows Explorer, and with third‐party
tools.
For information on using the EDS Module to decrypt EFS protected files and folders, see the EDS
Module chapter of this document.
RAIDs
RAIDs mounted inside the EnCase program can be browsed in Windows Explorer. In the example
below, a software RAID 5 comprised of three drives was mounted and then made available for
browsing in Windows Explorer with VFS.
Deleted Files
The VFS module allows investigators to view deleted and overwritten files in Windows Explorer.
80
EnCase Version 6.12 Modules Manual
An investigator may locate a file in Windows Explorer to view or analyze, but finds that it is not
possible to open it. If a file does not open, review the original data in the EnCase interface to see if
the file is indeed valid and is not corrupted or partially overwritten.
Internal Files and File System Files
The EnCase application organizes some data on devices into virtual logical files to allow for better
organization and searching. Examples include Unallocated Clusters and Volume Slack on a volume,
and Unused Disk Area on a physical drive. Hidden file system files are also available, such as the
$MFT, FAT, or Inode Table directories on NFTS, FAT, and *nix file systems.
RAM and Disk Slack
VFS serves the actual logical files on devices along with virtual logical files it organizes for
investigators. The physical files are not served, as Windows Explorer would not interact with the
file data correctly if the entire physical file was served. For investigators, this means the RAM
(sector) slack and drive (file cluster) slack are not available to third‐party tools through VFS in
Windows Explorer as a single file. There are, however, two ways to access the data in slack with
third‐party tools:
The first method is to load a device without parsing the file system:
1.
Launch the EnCase application.
2.
Open a new case.
3.
Load the device by clicking Add Devices.
4.
Right‐click the device and select Edit.
5.
In the Device Attributes window, clear the check from the Read File System box.
Virtual File System
81
When the device is loaded into the EnCase program, the partition and file system are not read and
interpreted. The entire device can then be mounted with VFS and be available for examination in
Windows Explorer as Unused Disk Area, including slack space.
1.
Another option is to copy only slack area from evidence to the examination computer as a
logical file:
2.
Select the device(s) where you want to examine the slack space.
3.
Right‐click the file and select Copy/UnErase.
4.
Select the All selected files radio button under From, and the Merge into one file radio
button under To, then click Next.
5.
In the Copy section of the Options screen, select RAM and Disk Slack to copy the RAM
slack (also known as sector slack) and the Disk Slack (also known as cluster slack).
6.
Select the appropriate Character Mask option for non‐ASCII characters, or leave the default
and click Next.
82
EnCase Version 6.12 Modules Manual
7.
Set the destination path and the name of the file to contain the slack, then click Next.
8.
Click OK in the Copying files dialog that displays at the end of the copying process.
The file containing the slack from the evidence is now available for examination by third‐party
utilities on the local examination machine. In the example below, a file is open in WordPad.
Virtual File System
83
Other File Systems
VFS can mount file systems other than those natively support by Windows. Below is an example of
a Macintosh OS/X drive mounted with VFS.
Below is the Windows representation of a Palm volume mounted in VFS.
ext2, ext3, UFS, and Other File Systems
Unix, Linux and BSD devices can be mounted in Windows Explorer with VFS. One limitation is the
forward slash (/) used in *nix file systems. The forward slash is an invalid character in Windows
and cannot be displayed in the full path for Windows Explorer. For this reason, the forward slash is
represented by the high‐dot (∙).
In the example below, the /(root) partition is represented by the high‐dot. The /home partition
is represented by ·home.
84
EnCase Version 6.12 Modules Manual
In this example, the / (root) partition of a Solaris workstation is mounted and the parent folder
name (the partition name) is displayed as the high‐dot.
Windows has a limit of 264 characters in a full path and file name. This limitation may impact some examinations in
Windows Explorer, especially for Unix and Linux devices. In this situation, the investigator may need to mount at the
partition or folder level.
Dismount the Network Share
To dismount the network share, do the following:
1.
Double‐click the thread bar at the bottom right of the interface that reads Virtual File
System, then click Yes.
2.
In the confirmation that the evidence was successfully dismounted, select any status saving
options and click OK.
Changing the Mount Point
You can only view one mount point at a time. To change the location of the mount point, you must
close the current mount point and open a new one.
Be sure to dismount evidence that is served through VFS before closing the EnCase program. A reminder message
appears if the case or the EnCase program is attempted to be closed while evidence is mounted with VFS.
Virtual File System
85
Accessing the Share
Using the EnCase Interface
Unique Name Column
A Unique Name column displays in Table view for the VFS Module. The column identifies the file
name given to a file served from the EnCase program and displayed in Windows Explorer through
VFS. The unique name overcomes the Windows limitation of not allowing multiple files to share
the same file name as siblings in the same parent folder. The column is empty when the evidence is
first mounted with VFS, but is populated when the share is accessed in Windows Explorer.
When an investigator selects a folder in Windows Explorer, the data is served by the EnCase
program and displayed in Windows Explorer. As the directories are browsed in Windows Explorer,
the file names are populated in the Unique Name column, so an investigator can determine which
file he or she is examining. The EnCase program appends a pound sign (#) to the end of duplicate
file names within the same folder in Windows Explorer.
Using Windows Explorer
After mounting the shared network drive with VFS, open Windows Explorer. The new share is
represented with a network drive icon and assigned the appropriate volume letter. The name of the
share is gsisvr (for Guidance Software®, Inc. Server).
Several operations are then possible, including the following:
86
EnCase Version 6.12 Modules Manual
ƒ
Browse the mounted case and associated devices in Windows Explorer
ƒ
Open hidden and deleted files if Show hidden files and folders is enabled in Windows
Explorer using the Folder Options in the Tools menu
ƒ
Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the
original user
Third-Party Tools
Using VFS, investigators can examine evidence outside the EnCase program by utilizing third‐party
tools capable of requesting and interpreting data from Windows Explorer. However, Guidance
Software does not certify the performance or accuracy of results obtained through any tools not
developed by Guidance Software.
Malware Scanning
A common use for VFS is to mount computer evidence to scan for viruses, Trojans, and other
malware programs:
1.
Mount the evidence through VFS either locally on the examination machine, or remotely
through VFS Server.
You can mount the evidence at the device, volume, or folder levels as described previously.
The ʺshared handʺ icon indicates the level of the virtual file system mount.
Virtual File System
2.
In Windows Explorer, select the gsisvr offline network drive.
3.
Use antivirus software to scan the file.
87
In the example below, the Scan for Viruses option from Symantec AntiVirus is run by right‐
clicking the drive.
The antivirus software can read the Virtual File System presented to Windows Explorer. The
requested data is served by the EnCase program to Windows Explorer, and then to the program for
scanning. In this case, the MyDoom virus was found on the computer evidence mounted with VFS.
The examination reports and logs generated by the third‐party tools can then be reviewed and
included in the investigatorʹs investigative report.
Other Tools and Viewers
The third‐party tools and viewers available to the investigator for forensic examination are now
greatly expanded with VFS. To use them, do the following:
Double‐click a file served by VFS to open the data with the assigned program according to the
file extension.
Assigning File Extension to a Program
To assign an associated program to an extension:
1.
Select Folder Options from the Windows Explorer Tools menu.
88
EnCase Version 6.12 Modules Manual
2.
In the Folder Options window, click the File Types tab.
3.
Select the desired extension, and the Details for section lists the program designated for
that extension.
In this example, JPEG files open with Adobe Photoshop CS.
4.
Click the Change button.
Select or browse to the new program.
Unix or Linux Files
Some files, like those in Unix and Linux, do not have file extensions. To view them:
1.
Right‐click the file and select Open.
2.
In the Open With window, select the desired application from the Programs list and click
OK.
3.
If the application is not listed, click Browse to find the application executable, or allow
Windows to search the Internet (if connected).
4.
Click Other if the appropriate application is not available.
Virtual File System
89
WordPad can open most text‐based files to allow you to view the contents. In the example
below, a Linux file is opened with WordPad in Windows Explorer from an evidence file
mounted with VFS.
QuickView Plus
Another popular viewing program, QuickView Plus, can be used to view dozens of file formats,
without the native applications installed on the examination machine.
Temporary Files Reminder
The EnCase program allows investigators to redirect temporary files to a Temp/Trash folder on a
secondary hard drive for faster cleanup after an examination, and to prevent confidential or
contraband materials from being redirected by Windows to the investigatorʹs own temp folder on
the operating system drive.
When a file mounted with VFS in Windows Explorer is opened with a third‐party tool, the
Windows operating system controls the temporary file creation on the operating system drive.
Remember to check the Windows Temp folder to perform any necessary post‐examination cleanup.
VFS Server
The VFS Module has a server extension so that investigators can share the mounted evidence with
other investigators on the local area network/intranet through VFS. The extension enables a number
of clients to mount the network share served by the VFS Server through a network connection
under these conditions:
ƒ
Only the machine that is running the VFS Server needs a security key inserted
A security key is not required to connect to the VFS Server and access the served data in
Windows Explorer.
ƒ
The client machine(s) must have the EnCase program installed to access the VFS client
drivers but can run in Acquisition mode
The number of clients that can connect to the VFS Server depends upon the number of VFS
Server connections purchased. This information is contained in the VFS Certificate or
programmed into the security key.
To determine if the VFS Server is enabled and to view the number of available client connections,
do the following:
90
EnCase Version 6.12 Modules Manual
Select About EnCase from the Help menu.
If the VFS module is not listed, or the number of clients is not sufficient, contact Customer
Service to purchase additional clients.
Configuring the Server
Configure the server as follows:
1.
On the VFS Server machine (with the security key inserted), open the EnCase program.
2.
Open the case file(s).
3.
Select the appropriate VFS mount point level:
Case
Drive/device
Volume
Folder
4.
Right‐click the mount point and select Mount as Network Share.
You have the option of creating a network share from any of the cases, drives, or folders
within it. This allows you to share only what is necessary to others, while still having access
to cases and devices that you do not want to share.
5.
Since this is the VFS Server machine, select Establish local server for the location on the
Server Info tab.
6.
Enter a Port number or use the default of 8177. The Server IP Address is grayed out since
the serverʹs IP address is the one assigned to the machine where the mount is taking place.
7.
Note the server machineʹs IP address for use with the client.
8.
Set the maximum number of clients who can connect to the server, with the default being
the maximum allowed by your VFS Server certificate.
Since VFS is mounting the evidence as a networked shared drive, the serving port must be
assigned. To allow recovery from errors in Windows, such as a crash while using third‐party tools
as described previously, the VFS service runs for the life of the Windows session from that port.
The VFS Server can also serve the data locally to the investigatorʹs machine. Be aware that it uses
one of the server connections.
Virtual File System
91
Restrict Access by IP Address
By default, VFS Server is configured to allow access from all IP addresses. However, the preferred
method is to restrict access by IP address. To specify a range of machines, do the following:
1.
Select Allow IP Range and specify the high and low IP values.
2.
Select Allow specific IPs.
3.
Right‐click in the Allowed IPs box.
4.
Select New and enter the IP addresses.
Enter multiple IP addresses by repeating this action. You can also edit or delete existing IP
addresses by right‐clicking Allowed IPs.
5.
Select the Client Info tab.
To also mount and view the shared drive locally, leave the Mount share locally box
checked and input a Volume Letter.
92
EnCase Version 6.12 Modules Manual
By default, the volume letter field has an asterisk in it, signifying that the next available
drive letter will be used. Mounting the share locally uses one of your VFS Server
connections.
If you are only serving the share to remote clients, clear Mount share locally, and the
Volume Letter grays out, as the share is mounted on remote client(s).
The VFS Server mounts the share and allows connections on the assigned port. The shared hand
icon appears at the VFS mount point. You can continue your examination while it is being shared.
Performance depends on the size and type of the examined evidence, processing power of the
server and client machines, and the bandwidth of the network.
Connecting the Clients
To connect the clients:
1.
Install the EnCase program on the client.
2.
Reboot the machine after installation for Windows to access the VFS drivers.
When launching the EnCase program, it is not necessary to have a security key present.
3.
Click Tools→Mount as Network Share.
4.
On the Server Info tab, enter the Server IP Address for the VFS Server machine, and enter
the port number the server is listening on.
5.
On the Client Info tab, select the Volume Letter to assign the share, or accept the next
available letter.
The confirmation message displays.
On the client machine, the share is available in Windows Explorer as gsisvr with the assigned
drive letter. The shared computer evidence can be examined as previously described.
Closing the Connection
When an investigator using a client machine has completed the examination of the shared drive, or
another investigator needs to use the connection, double‐click the progress bar at the lower right
and select Yes.
A confirmation window reports that the evidence is dismounted and the connection closed, and the
ʺshared handʺ icon is removed, indicating that Windows Explorer has removed the shared drive.
The EnCase program can be closed on the client computer.
On the VFS Server machine, when all clients are finished and have dismounted the share, close the
VFS Server by double‐clicking on the flashing Virtual File System bar in the lower right corner of
the EnCase application window. You will be prompted to dismount the evidence file, after which
you can close the EnCase program.
Virtual File System
93
Troubleshooting
Virtual File System is not listed under Modules
If you are using cert files, check to see that the VFS certificate is located in the proper Certs
directory (typically C:\Program Files\EnCase6\Certs).
Make sure the security key is installed and working properly (check the title bar to ensure that the
software is not in Acquisition mode). You do not need to have the security key installed on a
machine connecting to a remote VFS Server.
If you are using cert files, the certificate file is issued for a specific security key; check the security
key ID to ensure that it is the correct one for which the certificate was issued.
I can mount a device locally, but cannot set up a local server
Select About EnCase from the Tools menu and ensure that Virtual File System Server is listed
under Modules. If the Server is not displayed, you may have the wrong cert installed, or you do not
have access to the Server edition.
I cannot connect to a device mounted on a remote VFS server
Confirm the IP address and port number of the Remote Server. If the IP address is correct, ping the
address to ensure connectivity.
Make sure the device is still mounted on the remote server.
Check to see how many machines are connected to the server, and determine how many clients are
permitted to connect to a VFS Server by selecting About EnCase from the Tools menu on the
machine running the VFS Server. Determine the number of allowed clients by looking at the
number listed next to the Virtual File System Server module.
If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.
CHAPTER 5
FastBloc SE Module
In This Chapter
ƒ
What is the FastBloc SE Module?
ƒ
Background Information
ƒ
Installing the FastBloc SE Module
ƒ
Using the FastBloc SE Module
ƒ
Disk Caching
ƒ
Troubleshooting
96
EnCase Version 6.12 Modules Manual
What is the FastBloc SE Module?
The FastBloc® SE (Software Edition) module is a collection of drive controller tools designed to
control reads and writes to a drive attached to a computer through USB, FireWire, SCSI, IDE, and
SATA controller cards in order to enable the safe acquisition of subject media from Windows to an
EnCase® evidence file. In addition, an investigator can wipe devices attached to a controller card
that is controlled by the FastBloc SE module, or restore them while maintaining the hash value of
the logical file.
When FastBloc SE moduleʹs write blocking capability is enabled, it ensures that no data are written
to or modified on a write blocked device. The Write‐block USB, FireWire, SCSI Devices option is
used to write block and protect attached drives.
In the past, conducting a forensic, non‐invasive acquisition of a hard disk drive was performed in
DOS, or through a write protecting hardware device. This was done to control writes by the
operating system to the subject drive. The FastBloc SE module eliminates the need to have a
hardware write blocker installed on the forensic machine in order to acquire EnCase evidence files
in a forensically sound manner through Windows.
Background Information
HPA and DCO Configured Disks
Host Protected Area
Hard disks can be configured with a Host Protected Area (HPA). It is designed to allow vendors to
store data safe from user access, diagnostics or MS Windows backup tools. If present, the data
stored in this area is inaccessible by the operating system, BIOS or the disk itself.
Knowledge of this area and the ability to access it are important, as there is the potential for a
sophisticated user to hide data in the HPA. The FastBloc SE module sees the HPA if it is present,
and the content hidden there displays. Disk integrity remains intact when previewing and
acquiring disks with HPAs.
Device Configuration Overlay
The Device Configuration Overlay (DCO), sometimes called the Disk Configuration Overlay, is
similar to the HPA discussed above. It is an optional feature within the ATA et seq. standard, and is
supported by most hard disks. Like the HPA, it can also be used to segment off a portion of the
hard disk drive capacity from view by the OS or file system, usually for diagnostic or restoration
purposes.
Contents of the DCO can control behavior of the drive, and one of the DCO fields controls the
max_sectors drive data. It can thus be used to artificially restrict access to the full drive.
Architecture
Both the HPA and the DCO are typically located at the ends of the hard disk. If present, the HPA
area is placed on the drive after the DCO is configured. This gives the drive three types of storage
that are laid out one after another on the drive:
FastBloc SE Module
ƒ
Normal
ƒ
HPA protected
ƒ
DCO protected
97
Overriding HPA and DCO Settings
The write blocking functionality of the FastBloc SE module is designed to prevent writes to a
suspect hard drive while previewing, examining or acquiring the device for forensic purposes. The
FastBloc SE module allows EnCase software to recognize disks with HPA and DCO regions.
The FastBloc SE module automatically overrides HPA settings, which makes the HPA area of the
hard disk visible to the investigator. To do this, it temporarily removes the HPA settings and then
replaces them, so no permanent disk alterations are made.
If only a DCO is present, it is removed to allow the EnCase software to view the data. If both HPA
and DCO are present in an area simultaneously, the FastBloc SE module first removes the HPA
setting, then the DCO setting. The HPA is removed only if an HPA and DCO area exist
simultaneously.
ALERT! When the EnCase software encounters a hard drive with a defined DCO, or DCO and HPA, it must
permanently remove both overlays to image the entire drive. Based on the design and published specifications of DCO
and HPA, there is no known way to access the entire data area without making this change. Investigators must note that
although this change does not affect the data contained on the drive, it is a permanent change to the drive controller that
is not affected by powering down the drive. Investigators may wish to account for this anomaly in their documentation.
Installing the FastBloc SE Module
The process for installing the module involves a few more steps than the other modules.
1.
Install the FastBloc SE module as listed in Installing the EnCase Modules on page 5.
2.
Shut down the forensic machine.
3.
Insert one of the IDE controllers listed in FastBloc SE Module Specific Requirements on
page 4.
4.
Turn on the computer.
Install the drivers that came with the IDE controller.
Consistent with sound computer forensic practices, test the FastBloc SE module with non-evidence media to verify the
write blocking capability prior to using the device with actual evidence.
98
EnCase Version 6.12 Modules Manual
Using the FastBloc SE Module
Write Blocking IDE and SATA Controller Cards
The FastBloc SE module write blocks PCI IDE and SATA controller cards. See FastBloc SE Module
Specific Requirements on page 4 for a listing of supported PCI IDE controller cards. To successfully
prevent writes or modifications to an IDE device, the controller channel is write blocked before the
device is attached to the PC. When the channel is protected with the GSI driver, shut down the
machine and attach the device. On reboot, Windowsʹ write permissions are revoked.
To write block an IDE controller:
1.
Launch the EnCase Program and select Write‐Block IDE channel from the Tools menu.
2.
In the list of available IDE channels, blue‐check the channel to write block and click OK.
3.
A popup window may display saying that the software has not passed Windows LOGO
testing.
4.
Click Continue Anyway to replace the installed driver with the GSI driver.
FastBloc SE Module
5.
Shut down the forensic machine.
6.
Attach the suspectʹs hard disk to the controller selected in step 2.
7.
Restart the forensic computer.
99
The selected channel is write blocked on system startup.
Turning Off IDE Write Block Protection
To turn off the write block protection:
1.
Shut down the forensic computer.
2.
Remove the suspectʹs hard disk.
3.
Repeat steps 1 and 2 above, deselecting the write protected controller in step 2.
4.
Reboot the forensic machine.
5.
The GSI driver is replaced with the original default Windows driver.
Write Blocking a USB, FireWire, or SCSI Device
To write block a USB, FireWire, or SCSI device, the EnCase software intercepts the signal sent to
Windows when a device is attached to the computer. It then filters the driver for that device,
enabling write protection.
When using the Fastbloc SE module on a USB, FireWire or SCSI device, there are two modes, which
both protect the device from being modified or written to:
ƒ
Write Blocked: A write blocked device is protected against writing to or modifying files
when the device is attached to a PC.
Files deleted from or added to the device appear in Windows as modified, but the
modifications are saved in a local cache, not on the device itself. This mode does not
prompt errors when attempting to write to the drive.
ƒ
Write Protected: A write protected device is protected against writes or modifications when
the device is attached to a PC.
If writes or modifications to the device are attempted, Windows responds with an error
message.
Removing write protection takes effect on all devices that are or have been connected to the
PC.
To write block a USB, FireWire, or SCSI device:
1.
Make sure no devices are attached.
2.
Select Write‐block USB, Firewire, SCSI drive from the Tools menu.
100
EnCase Version 6.12 Modules Manual
3.
Select Write‐Blocked in the dialog.
4.
Insert the USB, FireWire, or SCSI device.
Because some SCSI devices are not initially hot swappable, you may want to use a hot swappable
carrier to protect the device, such as the StarTech DRW150SCSIBK SCSI drive bay.
5.
A confirmation window displays when the device is successfully blocked.
6.
Click Finish.
Verify Write Block
You can confirm successful write‐blocking of the device when previewing the device in the EnCase
program:
1.
Click the New icon on the top toolbar to open a new case and complete the required
information.
2.
Click the Add Device icon.
3.
Blue check Local Drives in the right pane, then click Next.
In the Choose Devices window, the device and volume (if present) on the write‐blocked
channel have a green box around the icon in the Name column, and a bullet appears in the
Write Blocked column for each.
Removing Write Block from a USB, FireWire, or SCSI Device
Removing the USB, FireWire, or SCSI Device
To remove a USB, FireWire or SCSI device:
1.
Use the hardware removal tool in the System Tray in the lower right corner of the task bar
to remove the device.
FastBloc SE Module
101
In Windows 2000, this tool is named Unplug or Eject Hardware; in Windows XP, Safely
Remove Hardware.
2.
Remove the device physically when the wizard has confirmed safe removal.
Removing Write-Block
1.
Select Write‐block USB, FireWire, SCSI drive from the Tools dropdown menu.
2.
Click Clear All in the window that opens.
3.
Click Yes on the prompt to confirm the removal of all USB, FireWire, and SCSI write‐
blocked devices.
Selecting Clear All removes write blocking and write protection on all USB, FireWire, and SCSI
devices previously protected by the FastBloc SE module.
4.
A confirmation window displays when write block is successfully removed.
102
EnCase Version 6.12 Modules Manual
5.
Click OK to finalize write block removal.
Previewing a Write Blocked Device
To preview a write blocked device:
1.
Write block or write protect the appropriate device following the steps outlined previously
in this manual.
2.
Create a new case in the EnCase program.
3.
Click Add Device.
In the Choose Devices dialog, a bullet in the Write Blocked column indicates the subject
media is write blocked. Devices write blocked by the FastBloc SE module also have a green
square around the icon ( ).
4.
Blue check a write blocked device or volume, then click Next.
5.
Click Finish in the Preview Devices screen to begin previewing subject media.
Wiping
The FastBloc SE module allows wiping a device attached to one of the supported PCI IDE controller
cards mentioned in FastBloc SE Module Specific Requirements on page 4. Wiping is done in the
same manner as for drives attached directly to the motherboard. See the Using EnCase Tools
chapter of the EnCase Enterprise Userʹs Guide for instructions on wiping a drive using the EnCase
interface.
Restoring
The FastBloc SE module also allows the restoration of an evidence file to a device of similar size or
larger attached to one of the supported PCI IDE controller cards previously mentioned. Restore a
device in the same manner as with drives attached directly to the motherboard. See the Using
EnCase Tools chapter of the EnCase Enterprise Userʹs Guide for details.
FastBloc SE Module
103
Disk Caching
When the FastBloc SE module is set to write block, the writes are actually being cached to the
investigatorʹs hard drive. This does not occur with write protect, since Windows generates an error
rather than allowing the appearance of the write to take place.
Write Block Validation Testing and Disk Caching
Do not use evidence hard drives to perform write blocking capability tests. Although Windows
may appear to allow modifications of the write blocked subject media, this does not actually occur.
Disk Caching and Flushing the Cache
To flush the write cache, reboot the computer or remove the media that is write blocked. Preview
the drive with the EnCase interface or browse using Windows Explorer to verify that the cache
emptied.
Troubleshooting
The Write Block option does not appear in the Tools menu
Make sure the module was installed as described in Installing the EnCase Modules on page 5.
Select About EnCase from the Help menu to verify that the FastBloc SE module is listed in the
window.
Check that the security key is in the machine. If the security key is out, or not functioning properly,
the EnCase program will be in Acquisition mode.
If you are using cert files, the cert file may be tied to a different security key. Consult an
administrator to determine the associated security key and cert file.
Windows and the EnCase program do not recognize the attached device
Check all power and data connections to the device.
Check to see if the subject hard drive is spinning. If the device is connected via an external drive
bay, shut down the computer and try connecting the power connector (not the data connector) to a
Molex® power cable directly from the computer. Restart the computer. If the drive starts spinning,
shut down the computer again and swap cables.
If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the drive
may be defective and you may not be able to acquire it by normal methods.
If the subject drive is spinning, check the data cables. You may want to try using a 40‐wire cable if
you are using an 80‐wire cable.
Check the USB or FireWire port to ensure proper functioning by inserting a known good device.
Make sure the port is recognized in Device Manager.
104
EnCase Version 6.12 Modules Manual
Windows sees the subject drive, but the EnCase program does not
If you can see the physical drive but cannot see the contents of the drive, the EnCase interface may
be in acquisition mode. This may indicate that the security key is not installed or (if you are using
cert files) is not tied to the cert file. Refer to the EnCase Userʹs Guide for instructions on how to
install the security key drivers.
You may have a corrupt version of the EnCase program. If you are using cert files, make a backup
of all your cert files. Download and reinstall the newest version of the EnCase software.
Be sure to select Local Devices instead of Evidence Files when you begin the preview process.
If at all possible, try to acquire on a completely different machine. This helps pinpoint the problem,
as it may be a hardware or operating system conflict. If you are using cert files, be sure to use a
security key tied to the cert file.
Acquisition takes too long
If the acquisition started out at a normal speed, and then rapidly decreased later in the acquisition,
there is a good chance that the EnCase program has encountered bad sectors on the subject drive.
Because the software will make multiple attempts at reading bad sectors, acquisition time may
increase.
Enabling compression dramatically increases acquisition time.
A completely slow acquisition may be the result of slower equipment.
If you are acquiring to external media (i.e., the storage media is an external hard drive) the transfer
rates will be significantly slower than with a directly connected hard drive.
If the subject drive is an older or slower model, the acquisition speed is limited.
If the forensic machine has an older or slower storage drive, the acquisition is slowed by the driveʹs
slow write speed.
If you are acquiring a newer drive, try an 80‐wire cable, as this allows faster throughput. Ensure the
FireWire/USB cable is securely connected at both ends.
If FireWire is not available, use a USB 2.0 connection (USB 2.0 is up to 40 times faster than USB 1.0).
In addition, when using USB, limit any other CPU‐intensive tasks during the acquisition, since
these contribute to a loss of transfer speed.
Use FireWire ports whenever possible, since the interface is faster than USB.
Acquisition and verification hashes do not match
There may be a data integrity issue with the cable. Try using a 40‐wire cable if you are using a 80‐
wire cable, a shorter IDE cable, and/or a shielded IDE cable if possible.
Try using a different USB or FireWire cable.
FastBloc SE Module
105
There are different hash values each time the drive is hashed
This indicates a failing drive. Because the number of sector errors increases each time, hash values
change. Since the first acquisition typically contains the least number of bad sectors, use that file for
analysis.
There are multiple bad sectors after acquisition
This can indicate a defective drive. Ensure that the cables are securely connected to the controller
and the drive.
If the subject drive is in an enclosure when you try to acquire it, it may become hot during the
acquisition. Try removing the drive from the enclosure to keep it cooler, which may reduce the
number of sector errors.
CHAPTER 6
CD/DVD Module
In This Chapter
ƒ
What is the CD/DVD Module?
ƒ
Burning Evidence Files During Acquisition
ƒ
Burning Logical Evidence Files During Acquisition
ƒ
Burning Files and Reports
ƒ
Burning Existing Evidence and Logical Evidence Files
108
EnCase Version 6.12 Modules Manual
What is the CD/DVD Module?
Use the CD/DVD Module to burn the following to a CD or DVD:
ƒ
Evidence and Logical Evidence Files during acquisition
ƒ
Files and folders, as well as reports from the EnCase® program
ƒ
Existing Evidence Files and Logical Evidence Files
Unless specified otherwise, files burned maintain the following properties (if available):
ƒ
Entry Name (either entry or report)
ƒ
Last Written date
ƒ
Entry Created date
ƒ
Logical size
Consistent with sound computer forensic practices, test the CD/DVD module with non-evidence media to verify proper
installation and operation prior to using it with actual evidence.
Burning Evidence Files During Acquisition
The process for burning an evidence file to removable media at the time of an acquisition starts
with a preview:
1.
Create a new case or open an existing one.
2.
Add a Device for preview as described in the EnCase Userʹs Guide.
3.
Right click the device icon in the Case tree, then select Acquire.
4.
When you get to the Options screen, select Burn Disc, then click Next.
CD/DVD Module
109
Selecting CD Information
To select CD information, choose appropriate options from the preconfigured settings in the CD
Info dialog.
Joliet: This specifies the format of the image to adhere to the Joliet standard, which allows
long entry names.
UDF: This specifies the format of the image to adhere to the UDF standard, which is used
primarily for DVDs.
Burn: This initiates the burn of the image to the disc once you click Finish. If the box is
cleared, the Archive Folder for the image is updated, but not burned until initiated by the
user in the Archive Entries tab. An ISO is also created for the user to burn at any time with
any program.
Delete ISO after Burn: This deletes the created ISO image from the temporary folder set
with the Path option once it is burned to media.
Publisher: This optional field allows you to specify the name of the person who burned the
image to disc.
Preparer: This optional field allows you to specify the name of the person who prepared
the image for burning.
Path: This field sets the path for the temporary placement of the ISO image prior to being
burned.
CD Burners: Any media burner recognized by the system appears in this window. Select
the media burner of your choice.
If a recognized burner is not listed, the burning option is disabled. The image produced
contains the ISO9660 format with Joliet selected by default. If Joliet or UDF formats are
selected, additional trees are built for those formats. ISO9660 allows only eight‐character
(old DOS 8.3) names. Names longer than eight characters are truncated to the first four
characters of the file name, followed by four random numbers.
110
EnCase Version 6.12 Modules Manual
Burning
When the initial acquisition is complete, the status screen displays and the burn to CD starts,
indicated by a blue Burning thread displayed on the EnCase programʹs task bar.
Evidence entries are burned as long as there is enough room left on the medium based on set
segment size. If there is no room left, the disc is ejected and a prompt appears instructing you to
insert another disc.
Evidence entries are verified on the removable media after they have been burned. After the entry
is burned, a status window reports the results of the write and verification.
Burning Logical Evidence Files During Acquisition
To burn a logical evidence file during acquisition:
1.
Preview the device.
2.
On the Entries tab, select the folders for the Logical Evidence File.
3.
Right click and select Create Logical Evidence File.
4.
In the Create Logical Evidence File dialog, select Burn Disc, then click Next.
5.
5. In the CD Info dialog, select options as described above.
A separate thread runs for burning the logical evidence entries while they are created. The burn to
disc occurs when the first segment finishes acquiring. To cancel the burn, double‐click the blue
Burning status message on the bottom task bar. Logical evidence, like other evidence entries, is
verified after burned. The status window at the end of the process presents the verification and
acquisition status for the burned entries. If there is no room left on a disc, the disc is ejected and a
prompt appears to insert another disc.
Burning Files and Reports
Create a New Image Session
To create a new image session:
CD/DVD Module
1.
Select Archive Files from the View dropdown menu.
2.
To create a new image session for burning data to a CD/DVD from selected entries or
reports, right‐click in the root of Archive Files and select New Image.
111
By default, the module places cached items in C:\Program Files\EnCase6\Cache. To
change the root path, right click the root item, select Change Root Path, and browse to or
create a folder.
A disc icon appears in the tree, called discimage1. Subsequent images created are named
discimage2, discimage3, etc.
3.
To rename images, right click the image folder (or press F2) and select Rename.
A cached image of this file is stored in C:\Program Files\EnCase6\Cache with the
folder name and a .cdi extension.
Preparing Entries for Burning
To prepare entries for burning:
1.
In the Entries tab, select the entries to be sent to removable media.
2.
Right click the desired folder in the tree and select Copy Folders or Copy/UnErase to open
the standard option windows for those features.
112
EnCase Version 6.12 Modules Manual
Use Copy Folders to add the selected entries to the folder, retaining the existing entries.
File sizes of selected entries retain the original logical size of the file but not the physical
size.
Use Copy/Unerase to maintain structure based on the options set in the export menu, such
as Logical File, Entire Physical File, RAM and Disk Slack, etc.
CD/DVD Module
3.
113
Right click the Archive Files icon in the Destination Folder window and select New Image.
By default, this isdiscimage1. Folders created previously are visible in the Destination
Folder window.
4.
Select the appropriate folder, then click Finish.
5.
Click OK to add the entries to the Archive Files folder.
6.
To view the added entries, navigate to the Archive Files tab and select the folder the where
you sent the entries.
7.
Right click in the table and select Update.
Preparing Reports for Burning
To prepare a report for burning:
1.
Go to Report view in either the Table Pane or View Pane.
2.
Right click in the report pane and select Export.
3.
In the Export Report dialog, select Burn to Disc.
4.
Select the appropriate output format, Document or Web Page.
5.
Enter the complete path in the Path field or browse to the export location.
6.
Select a Destination Folder.
If entries already exist in the destination folder, the selected entries are added to them.
7.
Click OK to add the report to the discimage folder.
The newly added report is stored under the Archive Files tab and saved globally so you can add to
or delete from it at any time.
114
EnCase Version 6.12 Modules Manual
Burning the Created Image folders to Disc
Prior to burning a disc image, entries and reports can be moved between volumes by dragging and
dropping them from one image to another. Each image may have its own formatting and output
options:
ƒ
To access the option window to view or edit the settings, right click a volume and select
Edit.
ƒ
To rename a volume right click and select Rename.
To burn the image to disc:
1.
Right click the image folder and select Burn Disc.
2.
In the Archive Files tab, the disc images appear with entries listed in the Table pane.
3.
Select appropriate options from the preconfigured settings in the CD Info dialog as
described above.
When the image is burned, a status window reports the results of the write.
Burning Existing Evidence and Logical Evidence Files
EnCase Evidence Files and Logical Evidence Files that are already created can be burned to media
from the EnCase interface. Exceptions to this functionality are:
Single Entries
SafeBack Images
Previewed drives
VMware images
Mounted volumes
Virtual PC images
dd images
Any other non‐evidence
files
To burn an EnCase Evidence File or Logical Evidence File to disc, it must first be added into the
case using the standard methods:
ƒ
Dragging and dropping the file into the EnCase interface
ƒ
Using Add Device
To burn an existing evidence or logical evidence file:
1.
On the Cases tab, select the Devices subtab.
2.
Right click in the table and select the image to be burned. Note that only the highlighted
device is burned, not selected (blue‐checked) devices.
CD/DVD Module
3.
Right click on the device and select Burn to Disc.
4.
Continue as described in Selecting CD Information on page 109.
115
Guidance Software
Legal Notification
No part of this manual, including the products and software described in it, may be reproduced,
transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or
by any means, except documentation kept by the purchaser for backup purposes, without the
express written permission of Guidance Software, Inc. (ʺGSIʺ).
GSI PROVIDES THIS MANUAL ʺAS ISʺ WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OR
CONDITIONS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO
EVENT SHALL GSI, ITS DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS BE LIABLE FOR
ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING
DAMAGES FOR LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF USE OR DATA,
INTERRUPTION OF BUSINESS AND THE LIKE), EVEN IF GSI HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES ARISING FROM ANY DEFECT OR ERROR IN THIS
MANUAL OR PRODUCT.
CEIC, EnCase eDiscovery Suite, EnCase Enterprise, EnCase Enterprise AIRS, EnCase Forensic,
EnCE, EnScript, FastBloc, Guidance Software, EnCase Neutrino, Snapshot, and WaveShield are
registered trademarks or trademarks owned by GSI in the United States and other jurisdictions and
may not be used without prior written permission. All other marks and brands may be claimed as
the property of their respective owners. Products and corporate names appearing in this manual
may or may not be registered trademarks or copyrights of their respective companies, and are used
only for identification or explanation into the ownersʹ benefit, without intent to infringe.
Product Manuals and Documentation are specific to the software versions for which they are
written. For previous or outdated manuals, product release information, contact Guidance Software
at http://www.guidancesoftware.com.
Specifications and information contained in this manual are furnished for informational use only,
and are subject to change at any time without notice.
Support
Guidance Software develops solutions that search, identify, recover, and deliver digital information
in a forensically sound and cost effective manner. Since our founding in 1997, we have moved into
network enabled investigations, and enterprise wide integration with other security technologies.
This section provides information on our support for you through:
118
EnCase Version 6.12 Modules Manual
ƒ
Technical manuals and release notes
ƒ
Support portal on the Web, including access to downloads
ƒ
Technical Support Department
ƒ
Customer Service Department
ƒ
Message Boards
ƒ
Training
ƒ
Professional Services
Technical Manuals and Release Notes
Guidance Software provides printed manuals for all of our product lines, as well as PDF versions of
interim updates and release notes, describing the new features and problems fixed.
We welcome your feedback on the documentation. Please feel free to contact us at
documentation@guidancesoftware.com (mailto:documentation@guidancesoftware.com).
Technical Support
Guidance Software provides a variety of support options, including phone, email, online
submission forms, an up to date knowledge base, and a message board (technical forum).
Support is available from Sunday, 7:00 PM through Friday, 6:00 PM Pacific Time (Monday, 3:00 AM
to Saturday, 1:00 PM GMT). This excludes public holidays in the United States and the United
Kingdom during respective business hours.
Phone/Mail Support
US Contact Info:
215 North Marengo Avenue
Suite 250
Pasadena, CA 91101
Phone: 1‐626‐229‐9191, Option 4
Fax: 626‐229‐9199
UK Contact Info:
Thames Central, 5th Floor
Hatfield Road
Slough, Berkshire UK SL1 1QE
Phone: +44 (0) 1753552252, Option 4
Fax: +44 (0) 1753552232
Toll‐Free Numbers:
Germany: 0‐800‐181‐4625
China: 10‐800‐130‐0976
Australia: 1‐800‐750‐639
Hong Kong: 800‐96‐4635
New Zealand: 0‐800‐45‐0523
Japan: 00‐531‐13‐0890
Guidance Software
119
Online Support
Guidance Software offers a Support Portal to our registered users, providing technical forums, a
knowledge base, a bug tracking database, and an Online Request form. The Portal gives you access
to all support‐related issues in one site. This includes:
ƒ
User, product, beta testing, and foreign language forums (message boards)
ƒ
Knowledge Base
ƒ
Bug Tracker
ƒ
Technical Services Request form
ƒ
Downloads of previous software versions, drivers, etc.
ƒ
Other useful links
Although technical support is available by email, you will receive more thorough, quicker service
when you use the online Technical Support Request Form
(https://support.guidancesoftware.com/node/381). Note that all fields are mandatory, and filling
them out completely reduces the amount of time it takes to resolve an issue.
If you do not have access to the Support Portal, please use the Support Portal registration form
(https://support.guidancesoftware.com/forum/register.php?do=signup).
Registration
Registration requires you to choose a unique username and password. Please provide all requested
information, including dongle ID, phone, e‐mail address, organization, etc. This helps us identify
you as a registered owner of EnCase.
You will receive an email within 24 hours. You must follow the link in that email before you can
post on the forums. Until you do that, you will not have permission to post. Once you have verified
your email address, you will be added to the Registration List. Please allow 24 business hours for
your account to be approved.
Once your registration is approved, you can access the Support Portal
(https://support.guidancesoftware.com/). The Support Portal provides a tutorial that briefly
overviews the site.
120
EnCase Version 6.12 Modules Manual
User, Product, and Foreign Language Forums
To access the forums, click on the Forum Tab (https://support.guidancesoftware.com/forum/) in the
Support Portal.
The forums allow registered users to post questions, exchange information, and hold discussions
with Guidance Software and other users in the EnCase community. Different discussion groups are
available as follows:
Foreign Language Groups
ƒ
French
ƒ
Arabic
ƒ
German
ƒ
Spanish
ƒ
Japanese
ƒ
Chinese
ƒ
Korean
Forum Groups
ƒ
User Group
ƒ
Consultant and Practitioners
ƒ
Computer Forensic Hardware Issues
ƒ
EnScript Forum
Product Specific Groups
ƒ
EnCase Neutrino
ƒ
Enterprise
ƒ
FIM
ƒ
eDiscovery
These groups are only available to customers who have purchased the respective products.
Enter a group by clicking on the group name.
Posting to a Group
To create a new post, click the
Click the
post.
icon.
icon to reply to a post, or use the Quick Reply icon at the bottom of each
Guidance Software
121
Searching
The forums contain an accumulation of over ten years of information. Use
the
button to search for keywords, or click Advanced Search for more
specific search options.
Bug Tracker
Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement
requests. It is broken down by product, showing the current number of bugs/enhancements and
public bugs for each product. To access the Bug Tracker, click on Bug Tracker
(https://support.guidancesoftware.com/forum/project.php) in the Support Portal.
Knowledge Base
You can find answers to frequently asked questions (FAQs) and other useful product
documentation in the Knowledge Base. You can also submit your own articles to help other EnCase
users.
To access the Knowledge Base, click on Knowledge Base
(https://support.guidancesoftware.com/directory) in the Support Portal.
From here, you can browse, search, and write Knowledge Base articles.
Online Technical Support Request Form
Please use the Request Form for assistance from a Technical Services engineer. To access the form,
click on Request Form (https://support.guidancesoftware.com/node/381) in the Support Portal.
122
EnCase Version 6.12 Modules Manual
Other Useful Links
The Support Portalʹs landing page contains a section of useful links, including:
ƒ
Guidance Software Home Page
ƒ
Download Center to download software, hardware, manuals, boot disks, support articles,
etc.
ƒ
My Account to register your dongle id to receive up to date software by email
ƒ
NVD (National Vulnerability Database) Information and Responses
ƒ
Guidance Product Version Matrix for checking compatibility of different product versions
ƒ
Hardware Recommendations for EnCase Forensic and EnCase Enterprise
ƒ
Subscribe to Public Bugs
Customer Service
The Guidance Software Customer Services Department is staffed by highly‐trained, friendly staff
capable of resolving any problem regarding your order.
Hours and contact information are listed below.
Phone: 626.229.9191
Fax: 626.229.9199
Email: customerservice@guidancesoftware.com (mailto:customerservice@guidancesoftware.com)
Internet: http://www.guidancesoftware.com/support/cs_requestform.aspx
Hours: Monday through Friday 6:00 a.m. to 5:00 p.m., Pacific Time
Guidance Software
123
Message Boards
The Guidance Software message boards are resources for the computer forensics community to
exchange ideas, ask questions, and give answers. The message boards are an invaluable resource
for the forensic investigator.
Discussions range from basic acquisition techniques to in‐depth analysis of encrypted files and
more. Thousands of experienced and skilled users are registered on the boards, reviewing posts
every day, and providing their expertise on all Guidance Software products.
More information about the message boards, including information on how to join the message
board, is located at: http://www.guidancesoftware.com/support/messageboards.asp.
Downloads
When you receive your product, register with Guidance Software to receive updates. Registration is
located at https://www.guidancesoftware.com/myaccount/registration.aspx site.
If you have any trouble registering your product, contact Customer Service (see page 122). If you
have any trouble downloading the updates once registered, contact Technical Support (see page
118).
Training
Guidance Software offers a variety of professional courses for the beginner, intermediate and
advanced user of all its applications. In addition to providing a solid grounding in our software, we
also provide our students with accepted best practices for investigation, report generation and
evidence preservation.
Guidance Software offers courses for law enforcement agencies, organizations concerned with
forensics and incident response, and advanced topics for all users.
Professional Services
The Guidance Software Professional Services Division (PSD) combines world‐leading computer
investigations experts with world‐leading forensic technology to deliver turnkey solutions to
forensic investigations.
Guidance Software has combined its industry‐leading computer investigation technology with a
team of the most highly trained and capable investigators in the world to bring you complete
turnkey solutions for your business. When you face investigative issues that go beyond your
internal capabilities, our professional services group is able to respond either remotely or by
coming on site to provide the right technology and computer investigations personnel for the job.
124
EnCase Version 6.12 Modules Manual
Internal Investigations
ƒ
Theft of intellectual property
ƒ
Intrusion reconstruction
ƒ
Wrongful termination suit
Compliance
ƒ
Sarbanes‐Oxley
ƒ
PII risk assessment
ƒ
California SB 1386
eDiscovery
ƒ
Pending litigation
ƒ
Responsive production
ƒ
Forensic preservation
Information Security
ƒ
Compromise of system integrity
ƒ
Policy review
ƒ
Unauthorized use
ƒ
Forensic lab implementation
Index
A
D
Accessing the Local Disk in Windows Explorer •
65
Accessing the Share • 85
Analyze EFS • 14, 18
Associate Selected • 21
Decrypted Block • 53
Decrypting S/MIME Emails in an Evidence File
Created in Windows Vista • 49
Deleted Files • 79
Determining Local Mailbox Encryption • 51
Dictionary Attack • 56
Disk and Volume Encryption • 12
Disk Caching • 103
Disk Caching and Flushing the Cache • 103
Dismount the Network Share • 84
Downloads • 123
B
Background Information • 96
BitLocker Encryption Support (Volume
Encryption) • 32
Boot Evidence Files and Live Systems with
VMware • 68
Boot the Virtual Machine • 71
Built‐in Attack • 57
Burning • 110
Burning Evidence Files During Acquisition • 108
Burning Existing Evidence and Logical Evidence
Files • 114
Burning Files and Reports • 110
Burning Logical Evidence Files During Acquisition
• 110
Burning the Created Image folders to Disc • 114
C
CD/DVD Module • 9, 107
CD‐DVD Module Specific Requirements • 5
Certificate Files for Your Security Key • 5
Certificates Programmed on the Security Key • 5
Changing the Mount Point • 84
Closing and Changing the Emulated Disk • 67
Closing the Connection • 92
Compound Files • 78
Configuring the PDE Client • 63
Configuring the Server • 90
Connecting the Clients • 92
Create a New Image Session • 110
CREDANT Encryption Support (File‐Based
Encryption) • 37
CREDANT Encryption Support (Offline Scenario) •
41
CREDANT Files and Logical Evidence (L01) Files •
42
Customer Service • 122, 123
E
EDS Features • 12
EFS Files and Logical Evidence (L01) Files • 17
EnCase Decryption Suite • 11
EnCase Decryption Suite Module • 7
EnCase Physical Disk Emulator Module • 7
EnCase Virtual File System Module • 8
Encrypted Block • 52
Encrypting File System • 79
Enter Items • 18
Evidence File Formats Supported by EnCase PDE •
62
Evidence File Formats Supported by VFS • 76
ext2, ext3, UFS, and Other File Systems • 83
F
FastBloc SE Module • 9, 95
FastBloc SE Module Specific Requirements • 4,
97, 98, 102
File Based Encryption • 13
G
GuardianEdge Hard Disk Encryption Known
Limitation • 37
Guidance Software • 117
H
HPA and DCO Configured Disks • 96
I
Initial Preparation • 68
Installing the EnCase Modules • 5, 97, 103
Installing the FastBloc SE Module • 97
Internal Files and File System Files • 80
Introduction • 3, 4
L
Legal Notification • 117
Locally Encrypted NSF Parsing Results • 54
Lotus Notes Local Encryption Support • 51
M
Malware Scanning • 86
Message Boards • 123
Minimum Recommended Requirements • 4
Mount Network Share Options • 77
Mounted Files • 13
Mounting a Single Drive, Device, Volume, or
Folder • 76
Mounting Evidence with VFS • 76
Mounting Non‐Windows Devices • 65
N
New Virtual Machine Wizard • 68
NSF Encryption Support • 49
O
Other File Systems • 83
Other Tools and Viewers • 87
Overriding HPA and DCO Settings • 97
Overview • 12
P
Parsing a Locally Encrypted Mailbox • 51
PDE Troubleshooting • 73
Physical Disk Emulator • 61
Preparing Entries for Burning • 111
Preparing Reports for Burning • 113
Previewing a Write Blocked Device • 102
Product Matrix • 12, 13
Professional Services • 123
R
RAIDs • 79
RAM and Disk Slack • 80
Recovering NSF Passwords • 49
Removing Write Block from a USB, FireWire, or
SCSI Device • 100
Restoring • 102
Restrict Access by IP Address • 91
S
S/MIME Encryption Support • 43
SafeBoot Encryption Support (Disk Encryption) •
23
Saving and Dismounting the Emulated Disk • 65
Secure Storage Items • 23
Secure Storage Tab • 17
Secure Storage Tab and EFS • 17
Selecting CD Information • 109, 115
Starting Physical Disk Emulator • 62
Support • 117
Supported CREDANT Encryption Algorithms • 41
Supported SafeBoot Encryption Algorithms • 26
Supported Utimaco SafeGuard Easy Encryption
Algorithms • 26
T
Technical Manuals and Release Notes • 118
Technical Support • 118, 123
Temporary Files Reminder • 67, 89
Third‐Party Tools • 67, 86
Training • 123
Troubleshooting • 93, 103
Troubleshooting a Failed S/MIME Decryption • 47
Turning Off IDE Write Block Protection • 99
U
Using EDS • 14
Using Physical Disk Emulator • 62
Using the EnCase Interface • 85
Using the FastBloc SE Module • 98
Using Third‐Party Tools • 67
Using Windows Explorer • 85
Utimaco Challenge/Response Support • 26, 27
Utimaco SafeGuard Easy Encryption Known
Limitation • 32
Utimaco SafeGuard Easy Encryption Support • 26
V
Verifying the Modules are Installed • 6
VFS Module Specific Requirements • 4
VFS Server • 89
Virtual File System • 75
VMware/EnCase PDE FAQs • 72
W
What is the CD/DVD Module? • 108
What is the FastBloc SE Module? • 96
What is the Physical Disk Emulator? • 62
What is VFS? • 76
Windows Key Architecture • 56
WinMagic SecureDoc Encryption Support • 34
Wiping • 102
Write Block Validation Testing and Disk Caching •
103
Write Blocking a USB, FireWire, or SCSI Device •
99
Write Blocking IDE and SATA Controller Cards •
98
Download