EnCase

Starting a New Case
Adding a Device
Creating a Boot Disk
Keyword Search
Bookmarking
File Signatures
Exporting Files/Report
File Viewers
Navigating EnCase
• Tree Pane, Table Pane, Bottom Pane and Filter Pane
Highlighting a folder
• Home plate – click the polygon (“home plate”) to the left of the folder name to show its contents in the Table Pane.
• Blue check mark – click the square to the left of the folder name to select it.
  - Selection is what a keyword search (and export, bookmarking, etc.) operates on.
New Case
• EnCase – New Case
  - Select the “New” icon
  - Name – case1
  - Examiner Name – your name
  - Export Folder – c:\cases\case1\export
  - Temporary Folder – c:\cases\case1\temp
Saving a Case
• Save the Case
  - Select the “Save” icon
  - Select your folder
  - Change the case name to lower case and remove any spaces
Global Settings
• Tools > Options > Global
  - Auto save – set it to 5; increase to 30+ when running a long search.
  - Enable picture viewer, ART and PNG image display
  - Invalid picture timeout – leave at 12 sec
  - Date and Time – MM/DD/YY and 12:00
  - Show Yes / No
Preview Device (HD, Floppy, Thumb Drive, etc.)
• Select the “Add Device” button.
• Next select the appropriate device.
  - Generally you will select “Local Drives”.
  - For a DOS acquisition select Network Crossover.
  - Attach suspect media through a write blocker before previewing it from Windows; otherwise the operating system will mount the volume and can write to it.
• Select the drive letter which represents the device to be imaged.
  - Floppy – generally select the A drive.
  - USB and FireWire acquisitions – select drive E, F, etc.
• Adding an evidence number and name
  - Right-click on the drive letter.
  - Select > Edit
• Enter an evidence number, such as 070418-0010: year 07, month 04, day 18, evidence number 0010.
• Enter an evidence name.
  - It is a good idea to include the device type in the name, i.e., desktop, floppy, laptop, etc.
  - Example: smithdesktopHD1, smithdesktopHD2, smithfloppy1, etc.
Acquiring Previewed Device
• If a previewed device warrants acquisition: right-click on the device and select Acquire.
• Select “Replace source device” – this replaces the preview item with the evidence file.
• Note! Search, Hash and Signature Analysis – ensure that it is not selected; acquisition will proceed faster. Run these later against the evidence file.
• Set the following:
  - File segment size – 640 (MB)
  - Compression – None
  - Password – leave blank!
  - Generate image hash – check it, so the evidence file can be verified later
  - Output path – check to ensure the correct one is selected.
Adding Previously Acquired Evidence (HD, Floppy, etc.)
• Create a new case or open an existing case.
• Select > Add Device
• Select the appropriate folder, i.e., “Local”, and then the appropriate file, or
• Right-click on the “Evidence Files” folder and then select New to create a new path.
• Browse the file system until you find the location of the previously acquired evidence, for example f:\cases\data
Boot Disk Creation
• Tools > Create Boot Disk
• Test the diskette by rebooting from it.
• Run the EnCase DOS program “en”.
• ENBD – EnCase Network Boot Disk
  - Save the ENBD file to your desktop: http://www.guidancesoftware.com/support/downloads.aspx
  - Insert a floppy in the drive.
  - Run the ENBD setup file.
  - When finished, add the en.exe file from C:\program files\encase\en.exe
  - Do not write-protect the ENBD disk.
Keyword Search
• Global keywords – made available to all your cases. View > Keywords
• Case-specific keywords – only available in this case. View > Cases Sub-Tabs > Keywords
• Keyword sources: investigating officer, search warrant, HR, attorney, management, contract, Internet, previous cases
• Keyword folder
  - Right-click on the Keyword folder
  - Select > New Folder
  - Add a folder name
  - Examples: Email addresses, IP addresses, Phone numbers
Keyword Search
• To add a single keyword
  - Right-click on the Keyword folder > Select New
  - Search Expression – word, phrase or GREP expression.
  - Case sensitive – check to make the search case sensitive.
  - GREP – treats the expression as a regular expression; a tight pattern limits false hits.
  - Active Code Page – searches text stored in a non-English code page.
  - Unicode – check to locate both ASCII and Unicode (UTF-16) occurrences. Windows stores many strings (registry values, Office documents, link files) as Unicode, which an ASCII-only search misses.
• To add a list of keywords
  - Right-click on the Keyword folder > Select Add Keyword List
  - Enter the words
Keyword Search
• Before beginning a search you must select the word or group of words you want EnCase to find. To do so, place a blue check next to the word or folder containing the words EnCase should locate.
• To begin a search, click on the Search button.
• Search each file – must be checked to activate a keyword search.
• Verify file signatures – don’t check here (run signature analysis as a separate pass).
• Compute hash value – file hash analysis.
• Search file slack – search the space between the logical end of a file and the end of its last cluster.
• Undelete files – logical undelete: search from the starting cluster through the unallocated clusters that follow it.
• Search with known hashes – files whose hash matches a known-file hash set are not searched.
• Selected keywords only – unless selected, all keywords are searched.
Search Results
• Search Hits – to view search results: View > Cases > Search Hits
• Refresh – use during a search to display current results.
• [Screenshot: the Search Hits table listing Unicode hits on GUID strings. EnCase renders the null byte between each UTF-16 character as “·”, so a hit reads {·0·9·7·F·7·3·7·E·-·1·6·1·B·-·1·1·D·4··A·8·7·5·-·0·0·6·0·9·7·2·0·4·6·2·B·}; such strings are only found when the keyword’s Unicode option is checked.]
• Exclude – the item is not deleted from the case; it is highlighted red.
• Export – creates a tab-delimited text file which can be imported into Excel.
• Tag File – places a blue check on the file to identify it in Home view.
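The keyword-search options above (case sensitivity, GREP, and the ASCII/Unicode pass) as a small search engine over a raw image. This is an added example, not EnCase code or anything from Guidance Software; the sample image bytes, offsets and patterns are constructed here. It shows why the Unicode box matters: the same word stored as UTF-16 has a null byte after every character, so an ASCII search never sees it, and UTF-16 strings in slack may start on an odd byte offset, so both alignments are tried.

```python
"""Keyword search over a raw image with EnCase-style options (added example)."""
import re
import struct
from dataclasses import dataclass

# Constructed sample "image": ASCII text, UTF-16LE text (how Windows stores
# strings in registry hives and many documents) and an e-mail address for GREP.
# Offsets: ASCII "Smith" at 26, UTF-16LE "Smith\art.doc" at 52,
# "john.smith@example.com" at 95, UTF-16LE GUID at the odd offset 129.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"memo from Smith re: contract"
    + b"\x00" * 8
    + "Smith\\art.doc".encode("utf-16-le")
    + b"\x00" * 8
    + b"reply to john.smith@example.com today"
    + b"\x00" * 6
    + "{097F737E-161B-11D4}".encode("utf-16-le")
)


@dataclass
class Keyword:
    expression: str
    case_sensitive: bool = False   # the "Case sensitive" box
    grep: bool = False             # "GREP": expression is a regular expression
    unicode: bool = False          # "Unicode": also search UTF-16LE text


@dataclass
class Hit:
    keyword: str
    offset: int     # byte offset of the hit in the image
    encoding: str   # "ascii" or "utf-16le"
    text: str


def _compile(kw: Keyword) -> re.Pattern:
    expr = kw.expression if kw.grep else re.escape(kw.expression)
    return re.compile(expr, 0 if kw.case_sensitive else re.IGNORECASE)


def _utf16_units(chunk: bytes) -> str:
    # One Python character per 16-bit code unit (lone surrogates included), so
    # character index * 2 is always the byte offset; a plain .decode() would
    # merge surrogate pairs and shift the mapping.
    chunk = chunk[: len(chunk) - len(chunk) % 2]
    return "".join(map(chr, struct.unpack(f"<{len(chunk) // 2}H", chunk)))


def search_image(image: bytes, keywords) -> list:
    hits = []
    ascii_view = image.decode("latin-1")   # 1 byte -> 1 char, offsets line up
    for kw in keywords:
        pat = _compile(kw)
        for m in pat.finditer(ascii_view):
            hits.append(Hit(kw.expression, m.start(), "ascii", m.group(0)))
        if kw.unicode:
            # Try both byte alignments so UTF-16 strings that start on an odd
            # offset (common in slack and unallocated space) are still found.
            for shift in (0, 1):
                view = _utf16_units(image[shift:])
                for m in pat.finditer(view):
                    hits.append(Hit(kw.expression, shift + 2 * m.start(),
                                    "utf-16le", m.group(0)))
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


# Two GREP expressions of the kind the "Email addresses" folder would hold.
EMAIL_GREP = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
GUID_GREP = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}\}"

if __name__ == "__main__":
    kws = [
        Keyword("Smith", unicode=True),                 # ASCII + Unicode, any case
        Keyword(EMAIL_GREP, grep=True),                 # GREP, ASCII only
        Keyword(GUID_GREP, grep=True, case_sensitive=True, unicode=True),
    ]
    for h in search_image(SAMPLE_IMAGE, kws):
        print(f"{h.offset:6d}  {h.encoding:8s}  {h.keyword[:20]!r:24s} {h.text!r}")
```

Running it lists the ASCII “Smith” at 26, the UTF-16 one at 52 (missed without the Unicode option), the lower-case hit inside the e-mail address at 100 (dropped when case sensitive is on), and the GUID at the odd offset 129, which only the second alignment pass finds.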
Bookmarking
• Sweeping Bookmarks
• Files
• Notes
• File Group
Bookmarking – Sweeping Bookmarks
• Sweeping bookmark – used to capture notable data.
• Highlight the item > right-click > select Bookmarks
• Destination folder – select a folder (i.e., Floppy) or create a new folder by right-clicking on Bookmarks > New Folder > enter the new folder name.
• Add Comment – i.e., “Bad stuff doc appears to be created on suspect’s machine.”
• Data type – Select Style > ISO Latin > ISO Latin @ 100
• View results – select the Bookmarks button > Report button
Bookmarking – Files
• Used to flag files that contain important case information.
• Right-click on a file.
• Select Bookmark Files
• Add the bookmarked item to a folder by selecting an existing folder, or select “Create new bookmark folder” and enter the name.
• View Bookmarks: select the Bookmarks button > Bookmarks home plate > Report button
Bookmarking – Notes
• Allows you to add a note to a bookmarked item, i.e., a note to a bookmarked file.
• Formatting includes bold, italic, font size and text indent. However, only text indent is worth using.
• To add a note to a bookmarked file/item:
  - Select the Bookmarks button
  - Select the Table button
  - In Table view, right-click on the appropriate file
  - Select Add Note.
• Add your notes and indent text as needed.
Bookmarking – File Group
• In Tree view select (with a blue check mark) the folder containing the files you want to bookmark.
• Right-click on the folder and select Bookmark Data.
• Ensure that “Bookmark Selected Items” is checked.
• Select “OK”.
• View Bookmarks: select the Bookmarks button > Bookmarks home plate > Report button.
Bookmarking – Report
Evidence File
• Restoring a drive
• Compression – to compress the evidence file once the HD has been acquired: right-click on the device > Select Acquire > Replace Source Device > Compression – Best
File Signatures
• View > File Signatures – used to compare file headers with file extensions.
• To start: click on the Search button.
• Ensure that only the “Verify file signatures” option is selected.
• Click on the Start button. The process will run in the background.
• Click on Save once the process is done.
• Table view file status icons:
  - _ – Deleted
  - X – Deleted, overwritten file: the starting cluster is occupied by another file.
  - O – Undeleted by EnCase.
  - O – Directory entry with a file name but no starting cluster.
Signature Analysis
• Select the case / device “home plate”.
• Table view – sort order: Signature, File Ext, Name
  - Secondary sorts: Shift > double-click on the column
• *Alias
  - The header and the extension don’t agree
  - The header exists in the Signature table
  - Generally a renamed extension – EnCase displays the true file type.
• !Bad Signature
  - The header and the extension don’t agree
  - The extension exists in the Signature table
  - The header does not exist in the Signature table
• Match – header and extension agree.
• Unknown – neither the header nor the extension exists in the Signature table.
• Run signature analysis before relying on extension-based filters or file viewers; a renamed file is otherwise missed, or opened with the wrong viewer.
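The four verdicts above (Match, *Alias, !Bad Signature, Unknown) as a classifier over a small signature table, with the report sorted the way the slide recommends (Signature, then File Ext, then Name). This is an added example, not EnCase’s signature engine; the signature table and the sample file headers are constructed here and a real table is far larger.

```python
"""Header-vs-extension signature analysis in the style of EnCase (added example)."""
from dataclasses import dataclass

# Small signature table (constructed): magic bytes -> description and the
# extensions that agree with that header.
SIGNATURE_TABLE = [
    ("JPEG image",    b"\xff\xd8\xff",       {"jpg", "jpeg"}),
    ("PNG image",     b"\x89PNG\r\n\x1a\n",  {"png"}),
    ("GIF image",     b"GIF8",               {"gif"}),
    ("PDF document",  b"%PDF-",              {"pdf"}),
    ("ZIP archive",   b"PK\x03\x04",         {"zip", "docx", "xlsx"}),
    ("Windows PE",    b"MZ",                 {"exe", "dll", "sys"}),
    ("OLE2 compound", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "db"}),
]
KNOWN_EXTENSIONS = set().union(*(exts for _, _, exts in SIGNATURE_TABLE))


@dataclass
class Row:
    name: str
    ext: str
    signature: str     # Match, *Alias, !Bad Signature, Unknown
    file_type: str     # what the header says the file really is ("" if unknown)


def lookup_header(head: bytes):
    for description, magic, exts in SIGNATURE_TABLE:
        if head.startswith(magic):
            return description, exts
    return None, set()


def analyse(name: str, head: bytes) -> Row:
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    file_type, header_exts = lookup_header(head)
    if file_type and ext in header_exts:
        return Row(name, ext, "Match", file_type)        # header and extension agree
    if file_type:                                         # header known, extension wrong
        return Row(name, ext, "*Alias", file_type)       # typically a renamed file
    if ext in KNOWN_EXTENSIONS:                           # extension known, header not
        return Row(name, ext, "!Bad Signature", "")
    return Row(name, ext, "Unknown", "")                  # neither is in the table


def signature_report(files) -> list:
    # Same sort order the slides recommend: Signature, then File Ext, then Name.
    # '!' and '*' sort before letters, so the suspicious rows come first.
    rows = [analyse(name, head) for name, head in files]
    return sorted(rows, key=lambda r: (r.signature, r.ext, r.name))


# Constructed sample: the first bytes of each file as EnCase would read them.
SAMPLE_FILES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("budget.xls",   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),   # JPEG hidden as a spreadsheet
    ("photo.jpg",    b"This is not an image at all\n"),
    ("notes.txt",    b"meeting notes 18 Apr"),
    ("thumbs.db",    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),
    ("setup.dat",    b"MZ\x90\x00\x03\x00\x00\x00"),          # executable with a bland name
]

if __name__ == "__main__":
    for r in signature_report(SAMPLE_FILES):
        print(f"{r.signature:15s} {r.ext:5s} {r.name:15s} {r.file_type}")
```

The sort puts photo.jpg (!Bad Signature) first, then the two aliases (the executable named setup.dat and the JPEG named budget.xls), which is exactly the order in which an examiner wants to see them.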
Exporting Files
• Use the blue check mark to select the files to export.
• Right-click in the Table view.
• Select > Copy/UnErase.
Exporting Report
• Select the Report button.
• In Table view:
  - Right-click on the report
  - Select Export
  - Select the format
  - Enter the output path
Windows Artifacts – INFO2
• Sort by name – double-click on the “Name” column.
• Click on the first file, under Name, in the Table view.
• Type “info” quickly to jump to the INFO2 file.
• Highlight the text starting with C:\Documents and ending with .doc
• Right-click > Bookmark Data
• Note that the SID (S-1-5- . . . 1003) ends with 1003: each user’s Recycle Bin is a subfolder named for that user’s SID, so the RID tells you whose INFO2 this is.
• Under Data Type, select Windows > Win2000 Info File Record
• Deleted – note the date & time; is it relevant?
• Path – note the file’s location and what was deleted.
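What the “Win2000 Info File Record” data type decodes, as a parser. This is an added example, not EnCase code; it assumes the publicly documented Windows 2000/XP INFO2 layout (20-byte header, 800-byte records: 260-byte ANSI path, record index, drive number, FILETIME of deletion, physical size, 520-byte Unicode path). Vista and later use $I files instead, so this does not apply there. The INFO2 bytes are constructed by the block itself and labelled as such.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 file (added example)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20      # INFO2 header on 2000/XP
RECORD_SIZE = 800     # 260-byte ANSI path + 20 bytes of fields + 520-byte Unicode path
DRIVES = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME: 100-ns intervals since 1601-01-01 UTC (the "Windows Date/Time"
    # data type in the bookmark dialog).
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_info2(data: bytes) -> list:
    version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    if record_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {record_size} (version {version})")
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        ansi_path = rec[:260]
        index, drive, deleted_ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni_path = rec[280:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        letter = DRIVES[drive] if drive < len(DRIVES) else "?"
        filename = uni_path.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[1] if "." in filename else ""
        records.append({
            "offset": off,
            "index": index,
            "path": uni_path,                    # original location before deletion
            "recycled_name": f"D{letter.lower()}{index}" + (f".{ext}" if ext else ""),
            "deleted": filetime_to_datetime(deleted_ft),
            "size": size,                        # physical (cluster-rounded) size
            # Windows nulls the first ANSI byte when the file is restored or the
            # bin is emptied; the rest of the record usually survives.
            "purged_or_restored": ansi_path[0] == 0,
        })
    return records


def build_info2(entries) -> bytes:
    """Constructed sample INFO2 (not real evidence); entries = (index, drive, dt, size, path, purged)."""
    out = struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0)      # version 5 = 2000/XP
    for index, drive, dt, size, path, purged in entries:
        ansi = path.encode("cp1252").ljust(260, b"\x00")
        if purged:
            ansi = b"\x00" + ansi[1:]
        uni = path.encode("utf-16-le").ljust(520, b"\x00")
        out += ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(dt), size) + uni
    return out


SAMPLE_INFO2 = build_info2([
    (3, 2, datetime(2007, 4, 18, 14, 5, tzinfo=timezone.utc), 24576,
     "C:\\Documents and Settings\\smith\\My Documents\\bad stuff.doc", False),
    (4, 2, datetime(2007, 4, 18, 14, 7, 30, tzinfo=timezone.utc), 4096,
     "C:\\Documents and Settings\\smith\\Desktop\\notes.txt", True),
])

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["recycled_name"], r["deleted"].isoformat(), r["size"], r["path"],
              "(purged/restored)" if r["purged_or_restored"] else "")
```

The recycled name (Dc3.doc: drive C, record 3) is what the file is called inside the Recycler folder, which is how an INFO2 record is tied back to the renamed file or its remains in unallocated space; the deletion time is UTC and must be converted to the suspect machine’s time zone before it is compared with other artifacts.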
Windows Artifacts – Link Files
• Shortcut (.lnk) files record the target file’s creation, access and last-written dates.
  - Provide insight into how a computer was configured at a given point in time.
  - May indicate when an application was installed.
  - When created after the application install, support the allegation that the user had knowledge of a file or application.
  - Contain the fully qualified path to the file referenced.
  - Provide evidence of the existence of an application which is no longer installed.
• Sort by file type – double-click on the “File Ext” column.
• Then sort by name – hold the Shift key and double-click on the “Name” column.
• Click on the first file, under “File Ext”, and type “lnk” quickly.
• Note, you should now be at the start of the lnk files.
• Click on the first link file, under “Name”, and type “art” quickly.
• Select the Hex button.
  - FO 28 – start at file offset 28
  - LE 24 – highlight the next 24 bytes (the three 8-byte Windows FILETIME values: created, accessed, written)
• Right-click on your selection and select Bookmark Data.
• Select Dates > Windows Date/Time
• Note the date and time associated with this link file.
Windows Artifacts – Volume Serial Number
• To associate the link file with the current volume:
• Select the file > in Text mode select the path > switch to Hex mode.
• Locate the hex value 10 that appears just before the path selection.
• Note the value of the four bytes prior to the hex 10: this is the serial number of the volume the link file was created on.
• Select “Entries” in the Tree Pane and the drive in the Table Pane.
• Next, select the Report button in the Bottom Pane.
• Locate the volume serial number and compare it with the value taken from the link file.
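The two manual steps above (FO 28 / LE 24 for the three timestamps, and the four bytes in front of the 0x10 for the volume serial) as a parser. This is an added example, not EnCase code; it follows the Shell Link header and LinkInfo/VolumeID layout: a 76-byte header with the three FILETIMEs at offset 28, then a LinkInfo block whose VolumeID holds the drive type, the serial number and a label offset of 0x10. The .lnk bytes are constructed by the block itself and labelled as such.

```python
"""Parse the ShellLinkHeader times and VolumeID serial of a .lnk file (added example)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "CD-ROM", 6: "RAM disk"}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_lnk(data: bytes) -> dict:
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    # FO 28 / LE 24 in the slides: three FILETIMEs (created, accessed, written)
    # of the target as seen when the shortcut was last written.
    created, accessed, written = struct.unpack_from("<QQQ", data, 28)
    info = {"created": filetime_to_datetime(created),
            "accessed": filetime_to_datetime(accessed),
            "written": filetime_to_datetime(written),
            "target_size": struct.unpack_from("<I", data, 52)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                 # skip the IDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        _size, _hdr, info_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x01:                            # VolumeIDAndLocalBasePath
            vol = pos + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            # The serial is the dword just before the label offset (0x10 when
            # the label is not Unicode), the "hex 10" the slides say to look for.
            info["serial_offset"] = vol + 8
            info["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            path_start = pos + base_off
            info["local_base_path"] = data[path_start:data.index(b"\x00", path_start)].decode("cp1252")
    return info


def build_lnk(created, accessed, written, size, serial, path) -> bytes:
    """Constructed .lnk with a LinkInfo/VolumeID (not a real evidence file)."""
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20)  # FILE_ATTRIBUTE_ARCHIVE
    header += struct.pack("<QQQ", *(datetime_to_filetime(t) for t in (created, accessed, written)))
    header += struct.pack("<IIIHHII", size, 0, 1, 0, 0, 0, 0)   # size, icon, SW_SHOWNORMAL, hotkey, reserved
    volume_id = struct.pack("<4I", 17, 3, serial, 0x10) + b"\x00"  # fixed drive, empty label
    base = path.encode("cp1252") + b"\x00"
    link_info_size = 28 + len(volume_id) + len(base) + 1
    link_info = struct.pack("<7I", link_info_size, 28, 1, 28, 28 + len(volume_id), 0,
                            28 + len(volume_id) + len(base)) + volume_id + base + b"\x00"
    return header + link_info + b"\x00\x00\x00\x00"            # terminal block


SAMPLE_LNK = build_lnk(
    datetime(2007, 4, 18, 9, 12, 33, tzinfo=timezone.utc),
    datetime(2007, 4, 18, 14, 2, 10, tzinfo=timezone.utc),
    datetime(2007, 4, 18, 13, 58, 41, tzinfo=timezone.utc),
    24576, 0x1234ABCD,
    "C:\\Documents and Settings\\smith\\My Documents\\art.doc")

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:16s} {v}")
```

The serial is printed as XXXX-XXXX, the form Windows shows in a directory listing, so it can be compared directly with the value in the device report; a mismatch means the shortcut points at a volume other than the one being examined (the caveat under the Recent folder).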
Windows Artifacts – Application Data
• Outlook Express – e-mail storage location:
  - Documents & Settings > User Name > Local Settings > Application Data > Identities > GUID number > Microsoft > Outlook Express.
Windows Artifacts – Root Folder
• Named after the user login name.
• Ntuser.dat – the last-written time represents the user’s last logoff time (the hive is written out at logoff).
Windows Artifacts – Recent Folder
• Recently accessed files – a great place to start investigating a case.
• Start > All Programs > My Recent Documents – represents link files.
• Documents & Settings > User Name > Recent
• While Windows only displays the last 15 documents, the Recent folder could contain hundreds of link files, which may be of value.
• A shortcut may refer to a volume that wasn’t present when the evidence was collected.
Windows Artifacts – Desktop Folder
• Documents & Settings > User Name > Desktop.
• Desktop items may come from four sources: the user’s Desktop folder, the Registry, the All Users desktop folder and Domain Group Policy.
Windows Artifacts – My Documents
• Documents & Settings > User Name > My Documents.
• Windows will generally store files in this folder by default.
Windows Artifacts – SendTo Folder
• Entries added by the user are of interest.
• Drive letters for attached media can be found here.
Windows Artifacts – Temp Folder
• Documents & Settings > User Name > Local Settings > Temp
• Note, this folder is specific to the user.
• May contain evidence of application installation.
Windows Artifacts – Thumb Files
• Sort by file type – double-click on the “File Ext” column.
• Then sort by name – hold the Shift key and double-click on the “Name” column.
• Click on the first file, under “File Ext”, and type “db” quickly. Next, click on the first db file, under “Name”, and type “thu” quickly.
• Right-click on thumbs.db > View File Structure.
• The Root Entry folder will contain the images, including thumbnails of pictures that may since have been deleted from the folder.
Windows Artifacts – Favorites Folder
• Documents & Settings > User Name > Favorites
• .url – the user’s Internet Explorer & Windows Explorer favorites.
• Note the unique header – it can be used to locate deleted shortcuts.
Windows Artifacts – Cookies Folder
• Documents & Settings > User Name > Cookies.
• Small text files which may provide insight into sites visited by the user.
• The index.dat file contains data about each cookie.
• Use an external viewer.
Windows Artifacts – History Folder
• Documents & Settings > User Name > Local Settings > History.
• Contains all the history for 20 days – the default period.
• .IE5 folder – Contains
Windows Artifacts – Temporary Internet Files
• Documents & Settings > User Name > Local Settings > Temporary Internet Files > Content.IE5
• Web-based e-mail viewed in the browser is cached here.
Windows Artifacts – Swap File
• Pagefile.sys – Windows virtual memory; holds pages written out of RAM.
• Search with the Unicode option enabled.
Windows Artifacts – Hibernation File
• In order for a machine to hibernate, the contents of RAM are written to hiberfil.sys.
• The contents reflect the last time the machine entered hibernation.
Windows Artifacts – Print Spooling
• Windows > System32 > spool > printers.
• Two files are created: shadow (SHD) and spool (SPL).
  - SHD – contains username, file name, printer & print mode.
  - SPL – contains the print data (EMF records of the printed pages).
• Rarely found in allocated space; the spool files are deleted once the job has printed.
• Generally found in unallocated space, the page file, the hibernation file and slack space.
• Search string (GREP): \x01\x00\x00\x00..\x00.{34,34}EMF
  - Matches an EMF header: record type 1, the record size, then the “ EMF” signature at offset 40.
• Right-click on the selected data > Bookmark Data
• EMF will generally provide positive results, while emf0 will not.
• Under Data Type, select: Picture > Picture.
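The GREP above run over a constructed block of unallocated space, with the check an examiner applies to each hit before bookmarking it as a picture: the signature at offset 40 must really be “ EMF”, and the nBytes field at offset 48 says how much to carve and whether the metafile ends in an EMR_EOF record or was cut short. This is an added example, not EnCase code; the unallocated-space bytes, the decoy hit and the minimal EMF are all constructed here, and the header field offsets follow the EMR_HEADER layout.

```python
"""Carve EMF print-spool data from unallocated space with the page's GREP (added example)."""
import re
import struct

# The GREP from the slides, as a Python bytes regex. DOTALL makes '.' match any
# byte, as it does in EnCase. EMR_HEADER layout: iType=1 (4), nSize (4),
# rclBounds (16), rclFrame (16), dSignature " EMF" (4) at offset 40, nVersion (4),
# nBytes (4) at offset 48, nRecords (4) at offset 52.
EMF_GREP = re.compile(rb"\x01\x00\x00\x00..\x00.{34,34}EMF", re.DOTALL)
EMR_EOF = 14


def carve_emf(space: bytes) -> list:
    found = []
    for m in EMF_GREP.finditer(space):
        off = m.start()
        if space[off + 40:off + 44] != b" EMF":      # GREP hit, but not a real header
            continue
        if off + 56 > len(space):
            continue
        version, nbytes, nrecords = struct.unpack_from("<III", space, off + 44)
        blob = space[off:off + nbytes]
        complete = False
        if len(blob) == nbytes and nbytes >= 20:
            size_last = struct.unpack_from("<I", blob, nbytes - 4)[0]   # EMR_EOF.SizeLast
            if 20 <= size_last <= nbytes:
                complete = struct.unpack_from("<I", blob, nbytes - size_last)[0] == EMR_EOF
        found.append({"offset": off, "version": f"{version:#010x}", "bytes": nbytes,
                      "records": nrecords, "complete": complete, "data": blob})
    return found


def build_emf(width_px=2550, height_px=3300) -> bytes:
    """Constructed minimal EMF: a 108-byte EMR_HEADER followed by EMR_EOF."""
    header = struct.pack("<II", 1, 108)                                 # iType, nSize
    header += struct.pack("<4i", 0, 0, width_px - 1, height_px - 1)     # rclBounds
    header += struct.pack("<4i", 0, 0, 21590, 27940)                    # rclFrame (0.01 mm)
    header += b" EMF" + struct.pack("<IIIHHIIIiiii", 0x00010000, 128, 2, 0, 0,
                                    0, 0, 0, width_px, height_px, 216, 279)
    header += struct.pack("<IIIII", 0, 0, 0, 0, 0)   # cbPixelFormat, offPixelFormat, bOpenGL, szlMicrometers
    eof = struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20)                 # EMR_EOF, SizeLast = 20
    return header + eof


# Constructed "unallocated space": noise, a decoy that satisfies the GREP but
# carries the wrong signature, then a real metafile at offset 103.
UNALLOCATED = (
    b"\xe5" * 37
    + b"\x01\x00\x00\x00AB\x00" + b"Z" * 34 + b"EMF!"
    + b"\x00" * 21
    + build_emf()
    + b"\xff" * 40
)

if __name__ == "__main__":
    print("GREP hits:", len(list(EMF_GREP.finditer(UNALLOCATED))))
    for rec in carve_emf(UNALLOCATED):
        print(f"offset {rec['offset']}: version {rec['version']}, {rec['bytes']} bytes, "
              f"{rec['records']} records, complete={rec['complete']}")
```

The GREP reports two hits but only one survives the signature check; running the same carve over a buffer truncated inside the metafile returns the record with complete=False, which is the usual case in a page file or slack and the reason a carved spool picture may render only partially.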
Windows Artifacts – Time
File Viewers
• View > File Viewers
• Right-click > File Viewer
• Select New
• Enter the program name
• Enter the path to program.exe
• View > File Types
• Select File Types > home plate
• Table view > sort by extension
• Right-click on the extension
• Select Installed Viewer
• Select the appropriate File Viewer
• An external viewer parses suspect content on the examination machine with its own code; keep viewers patched and do not run them under an account that can modify the evidence store.
Conclusion
 Starting a New Case
 Adding a Device
 Creating a Boot Disk
 Keyword Search
 Bookmarking
 File Signatures
 Exporting Files/Report
 File Viewers