
Report on forensics tools


Posts and Telecommunications Institute of Technology

Ho Chi Minh City, 10-2017


TABLE OF CONTENTS
OSFORENSICS FEATURES: ......................... 1
ACCESS DATA FTK FEATURES: ..................... 9
PRODISCOVER BASIC FEATURES: ................... 13
GUIDANCE SOFTWARE ENCASE FORENSIC FEATURES:.... 17


OSFORENSICS
OSForensics is a new digital investigation tool which lets you
extract forensic data or uncover hidden information from computers.
OSForensics has a number of unique features which make the discovery
of relevant forensic data even faster, such as high-performance deep
file searching and indexing, e-mail and e-mail archive searching and
the ability to analyze recent system activity and active memory...

OSFORENSICS FEATURES:
 Case Management:
The Case Management window is used to create and manage cases.
Cases group findings (files, notes, evidence photos, devices...) from
the other modules into a single location that can be exported or saved
for later analysis.
 Generate Report:
OSForensics generates reports as HTML web pages, which allows
the style, layout and appearance to be modified with any web authoring
application of your choice (or you can directly edit the HTML and
CSS). Customizable elements include fonts, colors, and page layout.


 File name Search:
OSForensics provides one of the fastest and most powerful ways
to locate files on a Windows computer. You can search by filename,
size, creation and modified dates, and other criteria. Results are
returned and made available in several different useful views. This
includes the Timeline View which allows you to sift through the
matches on a timeline, making evident the pattern of user activity on
the machine.
The File Name Search Configuration Window allows for setting
advanced options for the File Name Search (Search for Folder Names,
Search in Sub Folders, File Size Limits...).
 Recent Activity:
The Recent Activity module scans the system for evidence of
recent activity, such as accessed websites, installed programs, USB
drives, wireless networks, and recent downloads. This is especially
useful for identifying trends and patterns of the user, and any
material that had been accessed recently.

NGUYEN HOAN NAM DUONG – N14DCAT032

1


 Recover Deleted Files:
OSForensics allows you to recover and search deleted files, even
after they have been removed from the Recycle Bin. This allows you to
review the files that the user may have attempted to destroy.
 Memory Viewer:
The Memory Viewer module allows the user to perform memory
forensics analysis on a live system or a static memory dump. There are
2 types of memory analysis that can be performed:
•Live Analysis
•Static Analysis
 Web Browser:
The Web Browser module provides a basic web viewer from within
OSForensics. This module adds the ability to load web pages from the
web and save screen captures of web pages to the currently opened case.
 Password Recovery & Decryption
With OSForensics you can recover browser passwords from Chrome,
Edge, IE, Firefox, and Opera. This can be done on the live machine or
from an image of a hard drive. Data recovered includes the URL of the
website (usually HTTPS), the login username, the site's password, the
browser used to access the site and the Windows user name. Blacklisted
URLs are also reported, showing the user has visited the site but
elected not to store a password in the browser.










OSForensics also recovers the following:
- Outlook and Windows Live Mail passwords
- Saved Wifi passwords
- Windows autologon password
- Windows 7, 8, and 10 product keys
- Microsoft Office & Visual Studio product keys

Decryption & password recovery of Office documents. This method
applies to older documents that use 40-bit encryption (old XLS, DOC and
PDF files). For these documents it is possible to try all possible keys
to decrypt the document, with the output being an unencrypted file.


Signatures

Signatures allow users to identify changes in a directory
structure between two points in time. Generating a signature creates a
snapshot of the directory structure, which includes information about
the contained files' path, size and attributes. Changes to a directory
structure such as files that were created, modified and deleted can be
identified by comparing two signatures. These differences can quickly
identify potential files of interest on a suspected machine, such as
newly installed software or deleted evidence files. Signatures differ
from Hash Sets in the following ways:
OSForensics provides the following File Signature Analysis
functionality:
- Create Signature: module that handles all aspects of generating
a signature.
- Compare Signature: module that allows the user to compare
previously generated signatures. A summary of any changes between the
signatures is displayed to the user.
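To make the snapshot-and-compare idea concrete, the following Python is an added example written for this report (it is not OSForensics code, whose signature file format is not described here): it records path, size, modification time and permission bits for every file under a directory, then diffs two such snapshots into created, deleted and modified files. The directory layout and file contents are constructed inline and the function names are my own.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One snapshot entry per file: (size, modification time in ns, permission bits).
# Constructed for this report; not OSForensics' own signature format.
Signature = Dict[str, Tuple[int, int, int]]


def create_signature(root: str) -> Signature:
    """Walk a directory tree and record path, size, mtime and mode of every file."""
    sig: Signature = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: record symlinks as themselves, never follow them
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sig[rel] = (st.st_size, st.st_mtime_ns, stat.S_IMODE(st.st_mode))
    return sig


def compare_signatures(old: Signature, new: Signature) -> Dict[str, List[str]]:
    """Diff two snapshots: files created, deleted, or whose size/mtime/mode changed."""
    created = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"created": created, "deleted": deleted, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a tree, simulate user activity, snapshot again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        files = {
            "docs/report.txt": b"original report",
            "notes.txt": b"unchanged",
            "todelete.tmp": b"x",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        before = create_signature(root)

        # Activity between the two snapshots: edit, delete, and install something new.
        with open(os.path.join(root, "docs", "report.txt"), "wb") as f:
            f.write(b"report edited after the first snapshot")
        os.remove(os.path.join(root, "todelete.tmp"))
        with open(os.path.join(root, "setup.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 14)
        after = create_signature(root)
        return compare_signatures(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison keys on the tuple of size, mtime and mode rather than on content, which is exactly why a signature is cheap to take on a large tree but cannot prove two files are identical; that is the job of the hash sets discussed later.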
 Forensic Imaging:
The disk imaging functionality allows the investigator to create
and restore disk image files, which are bit-by-bit copies of a
partition, physical disk or volume. Disk imaging is essential in
securing an exact copy of a storage device, so it can be used for
forensics analysis without risking the integrity of the original data.
Conversely, an image file can be restored back to a disk on the
system.
 System Information:
The System Information module displays detailed information about
the core components of the system including but not limited to:
- CPU, Motherboard and Memory
- BIOS
- Video card/Display devices
- USB controllers and devices
- Ports (Serial/Parallel)
- Network adapters
- Physical and Optical Drives
- Bitlocker detection

Registry Activity:

Most Recently Used (MRU) Lists

OSForensics can retrieve data about recently accessed applications,
documents, media and network shares by scanning locations in the
registry which store a user's Most Recently Used (MRU) lists. The data
which can be tracked by OSForensics includes (but isn't limited to)
files accessed in Microsoft Office applications, Microsoft Wordpad,
Microsoft Paint, Microsoft Media Player, Windows Search, Connected
Network Drives and the Windows Run command.


Connected USB Devices

OSForensics can display the details of USB devices which have been
recently connected to the computer, providing information about the
last connection date and device information such as Manufacturer Name,
Product ID and Serial Number. The types of devices which can be detected
include USB Flash Drives (UFDs), Portable Hard Disk Drives and external
USB-connected devices such as DVD-ROM drives.


Wireless Network Connections

OSForensics can list the MAC address of wireless networks connected
using the Windows Zero Config Service. This feature is available on
machines running Windows XP only.
 Event Log:
OSForensics will scan the Windows logs for system activity such
as the following events:
- Security Log Events such as account login attempts, logouts and
password changes.
- System Log Events such as Windows update attempts, system
boot/shutdown, and driver installations.
- Application Log Events such as application installation attempts
and Microsoft Office user interaction events (OAlerts).

 OS X Artifacts
OSForensics uncovers the following OS X artefacts on Mac drives:
- Safari history, bookmarks, downloads, and cookies
- Most Recently Used (MRU) items, network locations, documents,
multimedia
- Installed Programs
- USB connected iOS devices
- Mounted Volumes
- WiFi
- Mobile backups for iOS devices.

 Hidden Disk Areas - HPA/DCO
OSForensics™ can discover and expose the HPA and DCO hidden
areas of a hard disk, which can be used for malicious intent including
hiding illegal data. The Host Protected Area (HPA) and Device
Configuration Overlay (DCO) are features for hiding sectors of a hard
disk from being accessible to the end user.

Detecting

OSForensics will first attempt to detect and display the
size of the HPA/DCO hidden areas. If successfully found, they
can be removed or imaged, exposing the hidden data.

Removing

Once the HPA and/or DCO hidden areas have been successfully
detected, they can be removed so that the data hidden in those
sectors can be accessed and analyzed by Raw Disk Viewer and
other OSForensics modules.

Imaging

Alternatively, the HPA/DCO hidden areas can be preserved by
creating an image of the hidden sectors and saving it into a
file. This file can then be analyzed by other OSForensics
modules such as the built-in file viewer.
 Verify and Match Files
OSForensics makes use of a number of advanced hashing algorithms
to create a unique, digital fingerprint that can be used to identify a
file.


Hash Set Lookup

OSForensics makes use of hash sets to quickly identify known safe
or known suspected files to reduce the need for further time-consuming
analysis. A hash set consists of a collection of hash values of these
files, used to search a storage medium for particular files of
interest. In particular, files that are known to be safe or trusted
can be eliminated from file searches. Hash sets can also be used to
identify the presence of malicious, contraband, or incriminating
files such as bootleg software, pornography, viruses and evidence
files.


Create and Verify Hash Values

Create a unique, digital identifier for a file or disk volume by
calculating its hash value using the Verify/Create Hash module in
OSForensics. Choose from a number of cryptographic algorithms to
create a hash, such as SHA-1, MD5 and SHA-256. Hash values uniquely
identify the contents of a file and can be used to discover other
files with the same content, regardless of differing file name or
file extension.
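The following Python is an added example (not OSForensics code) of the hash-set idea in the two passages above: files are hashed in chunks with MD5, SHA-1 and SHA-256 in one pass, then looked up by content in named "known good" and "known bad" sets, so that renamed copies with a misleading extension are still recognised. The sample files and the digests in the two sets are constructed inline; the class and function names are my own.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def hash_file(path: str, algorithms: Iterable[str] = ("md5", "sha1", "sha256"),
              chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute several digests of one file in a single pass, reading in chunks
    so that multi-gigabyte evidence files are never loaded into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class HashSet:
    """A named collection of known digests with a category such as
    'known good' (eliminate from review) or 'known bad' (flag for review)."""

    def __init__(self, name: str, category: str, digests: Iterable[str],
                 algorithm: str = "sha256"):
        self.name, self.category, self.algorithm = name, category, algorithm
        self.digests = {d.lower() for d in digests}

    def matches(self, hashes: Dict[str, str]) -> bool:
        return hashes[self.algorithm].lower() in self.digests


def classify_tree(root: str, hash_sets: List[HashSet]) -> Dict[str, str]:
    """Hash every file under root and label it with the category of the first
    hash set it appears in, or 'unknown' if no set knows it. Matching is by
    content only, so renamed copies are still recognised."""
    results: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes = hash_file(full)
            results[rel] = next((hs.category for hs in hash_sets if hs.matches(hashes)),
                                "unknown")
    return results


def demo() -> Dict[str, str]:
    """Constructed sample: a tree with a stock OS file, two renamed copies of a
    flagged file, and an unknown document; the hash sets are built inline."""
    stock = b"constructed stand-in for a stock operating system binary"
    flagged = b"constructed stand-in for a contraband image"
    known_good = HashSet("OS baseline", "known good", [hashlib.sha256(stock).hexdigest()])
    known_bad = HashSet("case watchlist", "known bad", [hashlib.sha256(flagged).hexdigest()])

    with tempfile.TemporaryDirectory() as root:
        for sub in ("system", "docs", "user"):
            os.makedirs(os.path.join(root, sub))
        samples = {
            "system/kernel32.dll": stock,
            "docs/holiday.jpg": flagged,
            "docs/budget.xls": flagged,  # same bytes, misleading name and extension
            "user/letter.txt": b"an ordinary document the sets know nothing about",
        }
        for rel, content in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)
        return classify_tree(root, [known_good, known_bad])


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {path}")
```

Real known-good sets (for example NSRL) are keyed on MD5 or SHA-1, so the lookup algorithm is a property of the set, not of the tool; computing all three digests in one pass costs one read of the file and lets the same scan serve sets of either kind.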
 Find Misnamed Files
OSForensics™ can identify files whose contents do not match their
file extension. Uncover a user's attempt at concealing photos,
documents or other evidence (also known as "dark data") by using the
Mismatch File Search!
The Mismatch File Search module analyzes the content of files and
identifies any files whose raw bytes are not consistent with their
file extension. Configure the file search to include inaccessible
files, or use your own customized file filter!
 Search Emails
OSForensics™ allows you to perform full-text searches within email
archives used by many popular e-mail programs such as Microsoft Outlook,
Mozilla Thunderbird, Outlook Express and more.

Supported Email File Types

.pst, .ost (Outlook), .mbox, .mbx, .eml, .msf (Mozilla, Thunderbird,
Eudora, Unix mail, and more), .msg (Outlook), .eml (Outlook Express), .dbx
(Outlook Express)
Note that OSForensics can index these formats without needing the
corresponding e-mail client to be installed. Additionally, the indexing
process is not limited to just emails: it can also index other files
such as Word documents and PDFs, making their contents available
for searching.


ESE Database Viewer

OSForensics™ includes an ESE database (ESEDB) viewer for databases
stored in the Extensible Storage Engine (ESE) file format, including
the new Win10 database structure. The ESEDB format, in particular, is
used by several Microsoft applications that store data with potential
forensics value, including the following:
- Windows (Desktop) Search
- Windows Live Mail
- Microsoft Exchange Server
- Internet Explorer

The ESE database viewer allows the user to search for database records
that match specified criteria, including text phrases, date ranges
and numerical values.
 SQLite Database Browser
OSForensics™ includes an SQLite database viewer for databases
stored in the SQLite file format. The SQLite database format is used by
several platforms, such as the iPhone, Firefox and Chrome.
 Prefetch Viewer
OSForensics™ includes a Prefetch viewer for viewing application
execution metrics stored by the operating system's Prefetcher. The
Prefetcher is a component that improves the performance of the system
by pre-caching applications and their associated files into RAM, reducing
disk access. To facilitate this, the Prefetcher collects application
usage details such as:
- Application run count
- Last run time
- Files/disks that the application uses while executing

Using this information, forensics investigators can determine a
suspect's application usage patterns (e.g. "Cleaner" software used
recently) and files that have been opened (e.g. documents).
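As an added example (my own code, not OSForensics' viewer), the Python below reads two of the fields listed above, run count and last run time, plus the executable name, from a Windows 7 (format version 23) prefetch file, with the FILETIME conversion shown. The sample file is constructed in the block with only those fields filled in; the offsets are those of the uncompressed v23 layout, and Windows 8/10 files (which use other offsets, and on Windows 10 are compressed) are rejected rather than misparsed.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict

# FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # integer floor division keeps full precision (a float would not at this magnitude)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Field offsets of the Windows 7 (format version 23) uncompressed layout.
# Windows 8/10 (versions 26/30) place run count and times elsewhere, and
# Windows 10 additionally compresses the file (it starts with "MAM").
V23_VERSION = 23
OFF_VERSION, OFF_SIGNATURE = 0x00, 0x04
OFF_EXE_NAME, EXE_NAME_LEN = 0x10, 60        # UTF-16LE, NUL terminated
OFF_PATH_HASH = 0x4C
OFF_LAST_RUN = 0x80                         # FILETIME
OFF_RUN_COUNT = 0x98                        # uint32
V23_HEADER_AND_INFO_SIZE = 0x134            # 84-byte header + 224-byte file info block


def parse_prefetch_v23(data: bytes) -> Dict[str, object]:
    """Extract executable name, path hash, run count and last run time from a v23 file."""
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10) prefetch file: decompress before parsing")
    if data[OFF_SIGNATURE:OFF_SIGNATURE + 4] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, OFF_VERSION)[0]
    if version != V23_VERSION:
        raise ValueError(f"unsupported prefetch version {version}; this parser handles 23")
    if len(data) < V23_HEADER_AND_INFO_SIZE:
        raise ValueError("truncated prefetch file")
    raw_name = data[OFF_EXE_NAME:OFF_EXE_NAME + EXE_NAME_LEN].decode("utf-16-le")
    return {
        "executable": raw_name.split("\x00", 1)[0],
        "path_hash": struct.unpack_from("<I", data, OFF_PATH_HASH)[0],
        "run_count": struct.unpack_from("<I", data, OFF_RUN_COUNT)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]),
    }


def build_sample_prefetch(executable: str, last_run: datetime, run_count: int,
                          path_hash: int) -> bytes:
    """Construct a minimal v23 prefetch image (only the fields parsed above are
    filled in) so the parser can be exercised without a real evidence file."""
    buf = bytearray(V23_HEADER_AND_INFO_SIZE)
    struct.pack_into("<I4sII", buf, 0, V23_VERSION, b"SCCA", 0x11, len(buf))
    name = executable.encode("utf-16-le")
    if len(name) > EXE_NAME_LEN - 2:
        raise ValueError("executable name too long for the 60-byte field")
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<I", buf, OFF_PATH_HASH, path_hash)
    struct.pack_into("<Q", buf, OFF_LAST_RUN, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


def demo() -> Dict[str, object]:
    # constructed sample values; the path hash is an arbitrary placeholder
    sample = build_sample_prefetch("CCLEANER.EXE",
                                   datetime(2017, 10, 2, 8, 30, tzinfo=timezone.utc),
                                   7, 0x1A2B3C4D)
    return parse_prefetch_v23(sample)


if __name__ == "__main__":
    info = demo()
    print(f"{info['executable']} ran {info['run_count']} times, "
          f"last at {info['last_run'].isoformat()}")
```

The path hash recovered here is the value that appears in the prefetch file's own name (NAME.EXE-XXXXXXXX.pf), which is how two copies of the same executable run from different paths end up with two separate prefetch files.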
 Thumbnail Cache Viewer
OSForensics™ provides a viewer capable of displaying image
thumbnails stored in the Window's thumbnail cache database. When a user
opens Windows Explorer to browse the contents of folders, Windows
automatically saves a thumbnail of the files in the thumbnail cache
database for quick viewing at a later time. This can be useful for
forensics purposes especially for cases where even though the user has
deleted the original image file, the thumbnail of the image still remains
in the thumbnail cache.
The Thumbnail Cache Viewer is capable of displaying thumbnails stored
in the following files:
- thumbcache_idx.db, thumbcache_16.db, thumbcache_32.db, thumbcache_48.db,
thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db, thumbcache_1600.db,
iconcache_idx.db, iconcache_16.db...
 Rebuild RAID
OSForensics™ can rebuild a single RAID image from a set of physical
disk images belonging to a RAID array. Properly imaging systems with
RAID configurations for forensics analysis is sometimes challenging,
because the RAID parameters that were used (such as the RAID level and
stripe size) may not be available. The following RAID levels are
supported: RAID 0, RAID 1, RAID 3, RAID 4, RAID 5, RAID 0+1, RAID 1+0.

Detect RAID parameters

When the member disk images are added, OSForensics will try to
automatically configure the RAID parameters. These RAID parameters
are obtained from the metadata that is stored in the disk image,
which can also be viewed in OSForensics. The following RAID metadata
formats may be detectable by OSForensics:
Intel Matrix RAID, Linux mdadm RAID, SNIA DDFv1, Highpoint v2
RocketRAID, Highpoint v3 RocketRAID, Adaptec HostRAID, Integrated
Technology Express RAID, JMicron RAID ...
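The following Python is an added example of what "rebuilding a single RAID image from member images" means once the parameters are known; it is not OSForensics' implementation and does not attempt the metadata-based parameter detection described above. It reassembles RAID 0 by interleaving stripes and RAID 5 using the left-symmetric parity rotation that Linux mdadm uses by default (that layout choice is my assumption; other controllers rotate parity differently, which is precisely why the parameters matter), and it reconstructs one missing RAID 5 member from the XOR of the others. raid5_split exists only to build constructed member images for the check at the end.

```python
from typing import List, Optional


def raid0_rebuild(members: List[bytes], stripe_size: int) -> bytes:
    """RAID 0: the logical volume is the members' stripes interleaved in disk order."""
    n_rows = len(members[0]) // stripe_size
    out = bytearray()
    for row in range(n_rows):
        for disk in members:
            out += disk[row * stripe_size:(row + 1) * stripe_size]
    return bytes(out)


def raid5_parity_disk(row: int, n_disks: int) -> int:
    """Left-symmetric layout (mdadm default): parity starts on the last disk and
    moves one disk to the left on every stripe row."""
    return (n_disks - 1) - (row % n_disks)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Byte-wise XOR of equal-length blocks (RAID 5 parity)."""
    size = len(blocks[0])
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(size, "big")


def raid5_rebuild(members: List[Optional[bytes]], stripe_size: int) -> bytes:
    """Reassemble a RAID 5 volume; at most one member may be None (missing or failed)."""
    n = len(members)
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID 5 tolerates only one missing member")
    present = next(m for m in members if m is not None)
    n_rows = len(present) // stripe_size
    out = bytearray()
    for row in range(n_rows):
        lo, hi = row * stripe_size, (row + 1) * stripe_size
        chunks = [m[lo:hi] if m is not None else None for m in members]
        if missing:
            # the missing chunk, data or parity alike, is the XOR of all the others
            chunks[missing[0]] = xor_blocks([c for c in chunks if c is not None])
        p = raid5_parity_disk(row, n)
        # in the left-symmetric layout data chunks start right after the parity disk
        for j in range(n - 1):
            out += chunks[(p + 1 + j) % n]
    return bytes(out)


def raid5_split(volume: bytes, n_disks: int, stripe_size: int) -> List[bytes]:
    """Inverse of raid5_rebuild; used here only to construct test member images."""
    data_per_row = (n_disks - 1) * stripe_size
    if len(volume) % data_per_row:
        raise ValueError("volume must be a whole number of stripe rows")
    members = [bytearray() for _ in range(n_disks)]
    for row in range(len(volume) // data_per_row):
        p = raid5_parity_disk(row, n_disks)
        row_chunks: List[Optional[bytes]] = [None] * n_disks
        for j in range(n_disks - 1):
            start = row * data_per_row + j * stripe_size
            row_chunks[(p + 1 + j) % n_disks] = volume[start:start + stripe_size]
        row_chunks[p] = xor_blocks([c for c in row_chunks if c is not None])
        for d in range(n_disks):
            members[d] += row_chunks[d]
    return [bytes(m) for m in members]


if __name__ == "__main__":
    volume = bytes(range(256)) * 3              # constructed 768-byte "volume"
    disks = raid5_split(volume, 4, 64)          # 4 members, 64-byte stripes
    degraded = [disks[0], disks[1], None, disks[3]]
    print("full rebuild ok:", raid5_rebuild(disks, 64) == volume)
    print("degraded rebuild ok:", raid5_rebuild(degraded, 64) == volume)
```

Feeding the same member images to the rebuild with a wrong stripe size or a wrong parity layout produces a volume whose first stripe looks plausible and whose later stripes are scrambled, so a rebuilt image should always be validated (a mountable filesystem, a consistent partition table) before analysis proceeds.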
 Plist Viewer
View the contents stored in the Plist files which are typically
used by OS X and iOS to store settings and properties.
OSForensics™ includes a Plist viewer to view the contents of
Plist (property list) files, which are commonly used by MacOS, OS X
and iOS to store settings and properties. Plist files typically have
the extension ".plist". The Plist Viewer within OSForensics is
able to display both binary and XML formatted plist files.
The Plist viewer allows the user to search within keys and values
that match a specified text phrase.
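As an added example (not OSForensics code), the Python below does what the Plist Viewer description calls for with the standard library's plistlib: it loads a plist regardless of whether it is XML or binary (plistlib detects the format itself) and searches every key path and value for a phrase. The sample dictionary is constructed to resemble a Wi-Fi preferences file and is serialised in both formats inline.

```python
import plistlib
from datetime import datetime
from typing import Any, Dict, Iterator, List, Tuple


def iter_leaves(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (key path, value) for every leaf in a parsed plist, descending
    through dictionaries and arrays so nested settings get a readable path."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_leaves(value, f"{path}/{key}" if path else str(key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def search_plist(data: bytes, phrase: str) -> List[Tuple[str, Any]]:
    """Load an XML or binary plist and return the leaves whose key path or
    value contains phrase (case-insensitive)."""
    root = plistlib.loads(data)  # autodetects XML vs. binary (bplist00)
    needle = phrase.lower()
    return [(key_path, value) for key_path, value in iter_leaves(root)
            if needle in key_path.lower() or needle in str(value).lower()]


# Constructed sample resembling a Wi-Fi preferences plist; not a real file.
SAMPLE: Dict[str, Any] = {
    "Version": 1,
    "KnownNetworks": [
        {"SSIDString": "CoffeeShop-Guest", "LastConnected": datetime(2017, 9, 30, 18, 5)},
        {"SSIDString": "HomeNet", "SecurityType": "WPA2 Personal", "AutoLogin": True},
    ],
}


def demo() -> Dict[str, List[Tuple[str, Any]]]:
    xml_bytes = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
    binary_bytes = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)
    return {
        "by_key_xml": search_plist(xml_bytes, "ssid"),
        "by_key_binary": search_plist(binary_bytes, "ssid"),
        "by_value": search_plist(binary_bytes, "wpa2"),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label)
        for key_path, value in hits:
            print(f"  {key_path} = {value!r}")
```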



ACCESS DATA FTK
FTK quickly locates evidence and forensically collects and
analyzes data from any digital device or system that produces,
transmits or stores data, using a single application across multiple
devices. Known for its intuitive interface, email analysis,
customizable data views, processing speeds and stability, FTK also
lays the framework so your solution can grow with your organization's
needs for a smooth expansion.
FTK supports the following filesystems: DVD (UDF), CD (ISO,
Joliet, and CDFS), FAT (12, 16, and 32), exFAT, VXFS, EXT (2, 3, and 4),
NTFS (and NTFS compressed), HFS, HFS+, and HFSX.

ACCESS DATA FTK FEATURES:


Remote Machine Analysis
With the single-node enterprise, users can preview, acquire
and analyze evidence remotely from computers on your network.




Capturing an Image:

FTK Imager is designed for viewing evidence disks and disk-to-image
files created from other proprietary formats. FTK Imager can
read AccessData .ad1, Expert Witness (EnCase) .e01, SafeBack (up to
version 2.0), SMART .s01, and raw format files. In addition to disk
media, FTK Imager can read CD and DVD file systems.


Reading a file in text mode, hex mode or automatic mode

Text mode allows you to preview a file's contents as ASCII or
Unicode characters, even if the file is not a text file. This mode can
be useful for viewing text and binary data that is not visible when a
file is viewed in its native application.
Hex mode allows you to view every byte of data in a file as
hexadecimal code. You can use the Hex Value Interpreter to interpret
hexadecimal values as decimal integers and possible time and date
values.
Automatic mode automatically chooses the best method for
previewing a file's contents, according to the file type.





Image Mounting/Unmounting

Image Mounting allows forensic images to be mounted as a drive
or physical device, for read-only viewing. This action opens the image
as a drive and allows you to browse the content in Windows and other
applications. Supported types are RAW/dd images, E01, S01, AFF, AD1,
and L01. Full disk images (RAW/dd, E01, and S01) can be mounted
physically.


View and recover a deleted file

Exporting or copying files from an evidence item allows you to
print, e-mail, salvage files, or organize files as needed, without
altering the original evidence.


AD (ACCESS DATA) Encryption and EFS Encryption

AD Encryption is enabled for E01, S01, and raw/dd disk images,
and for AD1 images.
The user interface in FTK and Imager currently does not allow the
user to specify the key and hash algorithms, so the defaults of AES-256
and SHA-512 are always used.
AD encryption supports either a password or a certificate (*.p12, *.pfx,
*.pem ...).
EFS Encryption: You can check for encrypted data on a physical
drive or an image with FTK Imager.


Exporting File Hash Lists

Hashing is the process of generating a unique value based on a file's
contents. This value can then be used to prove that a copy of a file
has not been altered in any way from the original file. It is
computationally infeasible for an altered file to generate the same
hash value as the original version of that file. The Export File Hash
List feature in FTK Imager uses the MD5 and SHA1 hash algorithms to
generate hash values for files.


Verifying Drives and Images

FTK Imager allows you to calculate MD5 and SHA1 hash values for
entire drives and images to verify that copies of evidence items have
not been altered in any way from the originals.


Obtaining Protected Registry Files

The Windows operating system does not allow you to copy or save
live Registry files. Without FTK Imager, users have had to image their
hard drive and then extract the Registry files, or boot their computer
from a boot disk and copy the Registry files from the inactive
operating system on the drive. FTK Imager provides a much easier
solution. It circumvents the Windows operating system and its file
locks, thus allowing you to copy the live Registry files.

Password recovery and all Registry files: Retrieves Users,
System, SAM, NTUSER.DAT, Default, Security, Software, and Userdiff
files from which you can recover account information and possible
passwords to other files. This list can also be imported to the
AccessData password recovery tools, such as PRTK, and DNA.


Evidence Item Information

When creating or exporting a forensic image, you can enter
information and notes about the evidence contained in the image you
are creating. This information is saved to the same location as the
image file, with the same name, but with a .TXT extension.


Malware Triage & Analysis

Available as an option to FTK, Cerberus is an automated malware
triage platform solution designed to integrate with FTK. It’s a first
layer of defense against the risk of imaging unknown devices and
allows you to identify risky files after processing your data in FTK.
Then you can see which files are potentially infected and can avoid
exporting them. Cerberus is one tool in your malware arsenal and
helps you identify potentially malicious files. It can:
• Determine both the behavior and intent of security breaches
sooner by providing complex analysis prior to a full-blown malware
attack.
• Strengthen security defenses and prevent malicious software
from running with state-of-the-art technology called whitelisting.




• Take action sooner when security breaches occur; unlike other
competitors Cerberus doesn’t rely on a sandbox or signature-based
solutions.



Password Cracking and Recovery

Unlock files when you don't know the password with market-leading decryption, password cracking and recovery.


Visualization

Automatically construct timelines and graphically illustrate
relationships among parties of interest in a case. With Email, Social
and File Visualization you can view data in multiple display formats,
including timelines, cluster graphs, pie charts, geolocations and
more, to help you determine relationships and find key pieces of
information. Then generate reports that are easily consumed by
attorneys, CIOs or other investigators.



Advanced volatile and memory analysis


Volatile data is information that changes frequently and is
often lost upon powering down the computer. The acquisition of this
type of information should be made with the equipment powered on,
which is known as live acquisition.
Volatile data includes information about running
processes, network connections, clipboard contents, and data in memory.
This information may be critical to the discovery of the cause of an
incident or to understanding a specific behavior.
FTK Imager can help in the collection of this data,
specifically memory acquisition. Once collected, you can do a deeper
analysis using the FTK platform.



PRODISCOVER BASIC
You can use ProDiscover Basic to acquire and analyze data from several
different file systems, such as Microsoft FAT and NTFS, Linux Ext2 and
Ext3, and other UNIX file systems.

PRODISCOVER BASIC FEATURES:


Capture an image

Disk imaging is essential in securing an exact copy of a storage
device, so it can be used for forensics analysis without risking the
integrity of the original data.



View and Recover a Deleted File



Analysis of "dd" images on supported file systems

Images can be created as physical or logical images.
UNIX style "dd" images can be added to projects. If the "dd"
image is split into several segments, they should be numbered
sequentially and all carry a .000, .001 sequence (or any other
desired file extension if the user intends to use a split
configuration control file (.pds)).


Convert image file:

The tool has the ability to convert an image from either the native
ProDiscover format or the dd format to an ISO format. ProDiscover also
has the ability to create files needed to boot the image in VMware.
Convert ProDiscover Image to "DD"...
Convert ProDiscover Image to "ISO"...
Convert "DD" Image to "ISO"...
VMWare Support for "DD" Images...
Convert Expert Witness Image (E01) to DD...


Search for key words in image file or disk (RAW Mode).




Detecting file systems within the HPA (Hardware Protected Area)

ProDiscover creates cryptographic checksums of “interesting
files” in popular SHA1 and MD5 algorithms. These checksums can then be
compared to known file checksums maintained in the National Drug
Intelligence Center (NDIC) Hashkeeper database.





Recover a group of clusters

On many occasions an examiner will want to recover unallocated
clusters or disk slack from an evidence disk to a specified location.
A cluster or group of clusters can be recovered from the Cluster view.


Detecting Disk or Image Installed OS

Information about the installed operating system of an evidence
disk or image is sometimes critical to an investigation. ProDiscover can
search an evidence disk or image for this information and add the data
to the project report.



View Image EXIF Meta Data

The Tag tables in EXIF meta data provide a tremendous amount of
potentially useful information if contained in the EXIF section of a
JPEG file.


View Windows Registry

The registry viewer allows investigators to browse the registry
of a Windows system and select individual registry keys as evidence of
interest. To process the Windows registry ProDiscover needs to read
several files on the disk in addition to the individual registry files
themselves.


Match File Signatures and File Extensions

On Windows systems a file signature identifying the type of
file is normally contained in the first 20 bytes of the file.


Search The Windows Registry



Creating Hash Database Files

ProDiscover allows users to export file names and hash values of
items selected as evidence of interest in the Hashkeeper *.HSH format
for later use in hash comparison, filtering and the "Find Suspect
Files" function found in ProDiscover Incident Response.


Viewing the Windows Event Logs

ProDiscover allows users to add the Windows Event Logs to a
project from images or directly connected disks. Once the event logs
are added to a current project, users can review individual log
entries and select them as evidence of interest if needed.


Capturing Physical Memory

When connecting to remote systems using ProDiscover Incident
Response or Investigator users may find it useful to capture the live
volatile physical memory of the suspect system. Collection of physical
memory images allows the investigator to conduct searches of the
physical memory image to find indications of compromise or passwords
cached in memory. Passwords cached in memory may be useful to
investigators later in the analysis of encrypted documents.


Extracting Internet History


Information about a user's Internet Web surfing habits is often
crucial to investigations. ProDiscover allows investigators to quickly
search for, and extract information from, Internet history files (IE,
Chrome, and FireFox). Once the information is extracted it is
automatically added to the project report.


View Email Items

ProDiscover allows users to add the Windows email client
databases to a project from images or directly connected disks.
Supported formats include all current versions of Microsoft Outlook
PST and OST databases as well as Outlook Express DBX format. Once the
email databases are added to a current project, users can review
individual email items including calendar, notes, tasks, and contacts,
then select them as evidence of interest if needed.
 Create MD5 or SHA1 hash of images and files
ProDiscover allows you to create and calculate MD5 and SHA1 hash
values for entire drives and images to verify that copies of evidence
items have not been altered in any way from the originals.
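The following Python is an added example, not FTK or ProDiscover code, tying together the MD5/SHA1 verification described for FTK Imager under "Verifying Drives and Images" and here for ProDiscover with the split dd segments (.000, .001, ...) mentioned under ProDiscover's dd image support. It hashes the logical image across its segments in numeric order, refusing a sequence with a gap (a missing segment would silently shift every later sector), records the digests in a sidecar text file next to the image (loosely modelled on the .TXT evidence record FTK writes; the exact format here is my own), and then re-verifies both a pristine and a tampered copy. All image data is constructed inline.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, List

SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<idx>\d{3})$")


def find_segments(first_segment: str) -> List[str]:
    """Given .../evidence.000 return every evidence.NNN segment in numeric order."""
    directory, name = os.path.split(first_segment)
    match = SEGMENT_RE.match(name)
    if not match:
        return [first_segment]  # an unsplit image is its own single segment
    base = match.group("base")
    found = []
    for entry in os.listdir(directory or "."):
        m = SEGMENT_RE.match(entry)
        if m and m.group("base") == base:
            found.append((int(m.group("idx")), os.path.join(directory, entry)))
    found.sort()
    indices = [i for i, _ in found]
    if indices != list(range(len(found))):
        raise ValueError(f"segment sequence for {base} has gaps: {indices}")
    return [path for _, path in found]


def hash_image(first_segment: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """MD5 and SHA-1 of the logical image, i.e. the concatenation of its segments."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in find_segments(first_segment):
        with open(segment, "rb") as f:
            for chunk in iter(lambda: f.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def write_evidence_record(first_segment: str, hashes: Dict[str, str], notes: str) -> str:
    """Write a sidecar .txt beside the image holding notes and the acquisition hashes."""
    record_path = os.path.splitext(first_segment)[0] + ".txt"
    with open(record_path, "w") as f:
        f.write(f"Notes: {notes}\n")
        f.write(f"MD5: {hashes['md5']}\n")
        f.write(f"SHA1: {hashes['sha1']}\n")
    return record_path


def verify_image(first_segment: str, record_path: str) -> Dict[str, bool]:
    """Re-hash the image and compare with the digests stored at acquisition time."""
    recorded: Dict[str, str] = {}
    with open(record_path) as f:
        for line in f:
            key, _, value = line.partition(":")
            if key.strip().lower() in ("md5", "sha1"):
                recorded[key.strip().lower()] = value.strip()
    current = hash_image(first_segment)
    return {alg: current[alg] == recorded.get(alg) for alg in ("md5", "sha1")}


def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed split image: verify the pristine copy, then a copy with one flipped byte."""
    with tempfile.TemporaryDirectory() as d:
        payload = bytes(range(256)) * 40  # 10240 bytes of constructed "disk" data
        for idx, start in enumerate(range(0, len(payload), 4096)):
            with open(os.path.join(d, f"evidence.{idx:03d}"), "wb") as f:
                f.write(payload[start:start + 4096])
        first = os.path.join(d, "evidence.000")
        record = write_evidence_record(first, hash_image(first), "constructed sample image")
        pristine = verify_image(first, record)

        last = os.path.join(d, "evidence.002")  # flip a single byte in the last segment
        with open(last, "rb") as f:
            raw = bytearray(f.read())
        raw[100] ^= 0xFF
        with open(last, "wb") as f:
            f.write(raw)
        return {"pristine": pristine, "tampered": verify_image(first, record)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Recording both digests costs one extra pass of arithmetic over data that is read once anyway, and it means a later challenge to MD5 alone does not leave the acquisition without an independent check.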
 Detect operating system installed.
 Project file is XML formatted.
 Analyze file header signatures to file extensions and detect
mismatches.
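As an added example (not ProDiscover or OSForensics code) of the header-signature check described here and under OSForensics' "Find Misnamed Files", the Python below compares the leading bytes of each file with a small constructed signature table and flags files whose extension does not belong to the detected type. Files with no recognised signature are reported as undetermined rather than as mismatches, which is the caveat to keep in mind when reading such results: a plain-text file and an unknown container look the same to this check. The sample files are constructed inline.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# (description, magic bytes, offset of the magic, extensions that legitimately use it)
# A small constructed table; a production tool carries thousands of signatures.
SIGNATURES: List[Tuple[str, bytes, int, frozenset]] = [
    ("JPEG image", b"\xFF\xD8\xFF", 0, frozenset({"jpg", "jpeg"})),
    ("PNG image", b"\x89PNG\r\n\x1a\n", 0, frozenset({"png"})),
    ("GIF image", b"GIF8", 0, frozenset({"gif"})),
    ("PDF document", b"%PDF-", 0, frozenset({"pdf"})),
    ("Windows executable (MZ)", b"MZ", 0, frozenset({"exe", "dll", "sys", "scr", "cpl"})),
    ("ZIP container", b"PK\x03\x04", 0,
     frozenset({"zip", "docx", "xlsx", "pptx", "jar", "apk"})),
    ("OLE2 compound file", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0,
     frozenset({"doc", "xls", "ppt", "msg"})),
    ("SQLite database", b"SQLite format 3\x00", 0, frozenset({"db", "sqlite", "sqlite3"})),
    ("ISO base media (MP4/MOV)", b"ftyp", 4,
     frozenset({"mp4", "m4a", "m4v", "mov", "3gp", "heic"})),
]
HEADER_BYTES = 32  # enough for every offset + magic length in the table


def identify(header: bytes) -> Optional[Tuple[str, frozenset]]:
    for description, magic, offset, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return description, exts
    return None


def check_file(path: str) -> Dict[str, object]:
    """Compare a file's content signature with its extension. Files with no
    recognised signature are reported as undetermined, not as mismatches."""
    with open(path, "rb") as f:
        header = f.read(HEADER_BYTES)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    hit = identify(header)
    if hit is None:
        return {"path": path, "extension": ext, "detected": None, "mismatch": False}
    description, exts = hit
    return {"path": path, "extension": ext, "detected": description,
            "mismatch": ext not in exts}


def find_mismatches(root: str) -> List[str]:
    """Relative paths of all files under root whose content does not match their extension."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if check_file(full)["mismatch"]:
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def demo() -> List[str]:
    """Constructed tree: genuine files, two disguised ones, and one of unknown type."""
    samples = {
        "pictures/holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 28,   # real JPEG header
        "work/budget.xlsx": b"PK\x03\x04" + b"\x00" * 28,             # Office Open XML is a ZIP
        "work/notes.txt": b"\xFF\xD8\xFF\xE0" + b"\x00" * 28,         # JPEG hidden as a text file
        "downloads/archive.zip": b"MZ\x90\x00" + b"\x00" * 28,        # executable renamed to .zip
        "downloads/clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 20,  # magic at offset 4
        "readme.txt": b"plain text, no magic bytes at all",           # undetermined, not flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        return find_mismatches(root)


if __name__ == "__main__":
    print("mismatched files:", demo())
```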




 Bates number and batch transfer evidence of interest
Bates number: place identifying numbers and/or date/time-marks
on images and documents as they are scanned or processed; this provides
identification, protection and automatic consecutive numbering of
the images.
 I/O error reporting.
 Extensive search capability
ProDiscover can search any type of file, data, and information about the data.
 Recover deleted files contained in slack space
 Each Windows disk contains a hidden folder named Recycled
(FAT/FAT32), or Recycler (NTFS). This folder is where Windows 9x and
Windows NT/2000 keep deleted files.
 Slack space: not normally seen; refers to the storage area of a
hard drive from the end of a stored file to the end of the file
cluster on the hard drive.
 Secure Wipe Disk
Secure Wipe Disk allows the user to image to a target drive that
is "Forensically Clean" giving you confidence that your case work
will not be jeopardized.



GUIDANCE SOFTWARE ENCASE FORENSIC
EnCase Forensic provides investigators with a single tool capable of
conducting large-scale and complex investigations from beginning to end. It
features an intuitive GUI, superior analytics, enhanced email/Internet
support and a powerful scripting engine.

GUIDANCE SOFTWARE ENCASE FORENSIC FEATURES:


Acquiring

You can add EnCase evidence files and raw evidence files to the
case. You can reacquire raw evidence files, so that they are
translated into EnCase evidence files complete with metadata and hash
values. You can add EnCase evidence files originating in other cases
as well.
Acquisition sources include: local drives (using a write blocker),
Palm Pilot, network crossover (using LinEn) and local devices (LinEn
disk-to-disk).
o LinEn: runs on the LinEn CD using the Linux OS and enables the
following functions:
• Performing drive-to-drive acquisitions
• Performing crossover acquisitions


Delay loading of Internet Artifacts

EnCase analyzes Internet artifacts and related data in a separate
thread after the case loads. These artifacts and data include:
Internet artifact records, Selected and In Report settings, Bookmarked
Internet artifact records, and Search hits for the Internet artifact
records.



Hashing

You can perform hashing before or after an acquisition, so an
investigator can determine if the device should be acquired, or if the
contents have changed.
- Using an MD5 algorithm to create a hash set for files and folders.
- Searching for files with a particular hash value on the target
machine by using "Hash Finder".
When files in a case are hashed, they are compared to the
library, then the hash set and hash category columns populate.

Recovering Folders

The following types of folders can be recovered:
 Folders on FAT volumes.
 NTFS folders.
 UFS and EXT2/3 partitions.

Recovering Partitions

Occasionally a device is formatted or even FDISKed in an attempt
to destroy evidence. Formatting and FDISKing a hard drive does not
actually delete data.
+ Formatting deletes the structure indicating where the folders
and files are on the disk.
+ FDISK deletes a drive's partition information.
EnCase can rebuild both partition information and directory and folder
structure.
 Restoring Evidence
EnCase allows an investigator to restore evidence files to
prepared media. Restoring evidence files to media theoretically
permits the investigator to boot the restored media and view the
subject's computing environment without altering the original
evidence. Restoring media, however, can be challenging.


Snapshot to DB Module Set

This script takes snapshots of nodes across a network and stores the
snapshots in a SQL database. It also reads from the database to create
reports on the snapshots taken.


Keyword Finder

The Keyword Finder processing option in the File Processor module lets
you create a list of keywords for searching documents on a target
machine.


Hash Finder

The Hash Finder processing option in the File Processor module
lets you search for files with a particular hash value on the target
machine. Hash values are stored in hash sets that can be identified by
a name and category.


Reports

Source Processor stores the most recent analysis in memory in a
report, so you can view it multiple times without running the analysis
again. These results only stay active during the current session of
Source Processor.


EnCase Decryption Suite (EDS) enables decryption of encrypted
files and folders by domain users and local users, including:

Disk and volume encryption
- Microsoft BitLocker, GuardianEdge Encryption Plus/Encryption
Anywhere/Hard Disk Encryption, Utimaco SafeGuard Easy, McAfee
SafeBoot, WinMagic SecureDoc Full Disk Encryption, PGP Whole Disk
Encryption

File based encryption
- Microsoft Encrypting File System (EFS), CREDANT Mobile Guardian

Mounted files
- PST (Microsoft Outlook), S/MIME encrypted email in PST files, NSF
(Lotus Notes), Protected storage (ntuser.dat), Security hive, Active
Directory 2003 (ntds.dit)
 The LinEn™ utility runs on the LinEn CD using the Linux operating
system and enables the following functions:
- Performing drive-to-drive acquisitions
- Performing crossover acquisitions

LinEn runs independently of the Linux operating system, thus improving
acquisition speeds, and runs in 32-bit mode (rather than 16-bit mode).
Because Linux provides greater device support, LinEn can acquire data
from a larger set of devices.
As with other operating systems, to prevent inadvertent disk writes,
modifications to the operating system need to be made. Linux typically
has a feature called autofs installed by default. This feature
automatically mounts, and thus writes to, any medium attached to the
computer.

Physical Disk Emulator

The EnCase Physical Disk Emulator (PDE) module allows investigators to
mount computer evidence as a local drive for examination through
Windows Explorer.
