Forensic Analysis Using Guidance Software's EnCase V6

Forensic analysis of digital evidence is never performed in a vacuum; its necessity arises out of a course of events, whether a criminal investigation, civil litigation or a policy violation in the corporate environment. In this case, your firm of private forensic consultants has been retained by the law firm of Fleece, Fraude and Robbe, LLC to investigate a disturbing situation that has arisen with two of the prominent families whose legal affairs they manage: the Dewersc and Detsiwt families have been receiving ransom demands threatening to kidnap their daughters unless substantial sums are paid. F. F. & R., through their own investigators, have obtained an image of a possible suspect's laptop in a clandestine manner (the fewer questions asked, the better). They have stressed repeatedly that this is to be a private investigation with the results disclosed solely to them. To protect yourselves, your firm has insisted that the investigation be handled as attorney work-product, which grants you some legal protection from the normal duty to disclose criminal activities to the proper authorities. F. F. & R. desires that you examine the information to gather any evidence regarding the threats and the individuals involved. Even though law enforcement may or may not be involved with this case, you must treat the evidence with the same care and diligence as a criminal investigator, because the results of your investigation might be turned over to law enforcement if the families decide to pursue criminal prosecution of the suspects.

NOTE: EnCase is a powerful product, but with that power comes a certain complexity. Be sure to READ and UNDERSTAND the directions before performing the steps in this lab. Record your answers to the numbered questions on the matching line of the answer sheet found as the last page of the lab instructions.

This lab uses a demo version of EnCase Forensic Edition graciously provided by Guidance Software. This is a fully functional version of the product that is restricted to opening only the evidence file supplied with the demo. Thus, the New Case and Add Evidence functionality is disabled in this version.

EnCase is a very capable product, and this lab will provide a brief tour of some of its capabilities to give you an appreciation for the types of things this platform can perform. This lab will in no way equip you to perform an actual forensic analysis with the tool.

Forensic Analysis Using EnCase

Preparation
Open a command window and create a directory structure for the case using the following commands:

    md EnCaseLab
    cd EnCaseLab
    md Export
    md Temp

Starting EnCase V6
Start the EnCaseDemo application and the following screen will appear.

The V6 Briefings Manual is a PDF file that describes the new features in EnCase version 6. Another document of interest is the Legal Journal which is a periodic publication covering important legal issues in forensic practice. To proceed with the lab click on the gold circle next to Run EnCase Demo.

The first step is to add the two evidence files to the case. Since this is a demo version, the files will be added using drag and drop from Windows Explorer. Using Explorer, drag the Hunter XP.E01 file into the Cases pane of EnCase and drop it.

A Case Options dialog will immediately open. Fill in your name as the Investigator Name and set the Default Export Folder and Temporary Folder to the folders you created earlier. Click on Finish.

Drag the MS EMAIL Files.E01 onto the case pane and drop it to add it to the case. Your case display should now look like this.

Click on File on the menu bar and save the case file into the EnCaseLab directory. From this point on, you can open the case file without having to re-add the evidence.

The EnCase main screen is divided into a series of panes that help organize the information displayed. The top left pane is the tree pane and shows a tree-like view of the evidence in the case. The top right pane is the table pane and will display a table-like view of information as the program operates. The bottom left pane is the view pane and will typically display a view of the item currently selected in the table pane. The bottom right pane is the filter pane and will not be covered in this lab.

EMAIL
In the case summary provided by your client, it was revealed that the ransom demands have all been made via EMAIL using HOTMAIL and other anonymous EMAIL services. Version 6 of EnCase provides substantial support for handling common types of EMAIL such as:

    AOL 6.0, 7.0, 8.0, 9.0
    Outlook Express (.DBX/MBX extension)
    Outlook (.PST extension)
    Hotmail
    Yahoo!
    Netscape web mail
    Mbox
    Lotus Notes (NSF data stores)
    Microsoft Exchange EMAIL Server (EDB files)

Retrieving EMAIL is one of the functions of the Search dialog. Click on the Search button on the main toolbar to open the Search dialog. The EMAIL options are located on the right side of the dialog.

Click in the box beside Search for EMAIL to check it and then click in each of the boxes under that choice. Clear the checkbox next to Verify file signatures to reduce the processing time and then click Start.
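Signature verification compares the leading bytes of every file against a table of known magic numbers and flags files whose extension disagrees with their content, which is why it costs time on a large image. The Python script below is an added illustration of that check (my own code, not EnCase's); the signature table and the sample file headers are constructed for the example and are not taken from the evidence.

```python
# Added illustration of file signature analysis; not EnCase code. The signature
# table below covers a handful of common types and is not exhaustive.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],
    "exe": [b"MZ"],
}

# Constructed sample: file name -> first bytes as they would be read from disk.
SAMPLE_FILES = {
    "photo1.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # JPEG renamed to hide it
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
    "setup.exe": b"PK\x03\x04\x14\x00\x00\x00",           # ZIP archive posing as an EXE
    "banner.png": b"\x00\x00\x00\x00",                    # extension claims PNG, bytes do not
    "readme.txt": b"Just some text\n",
}

def identify(data):
    """Types whose magic number matches the leading bytes of data."""
    return {ext for ext, sigs in SIGNATURES.items() if any(data.startswith(s) for s in sigs)}

def check_signature(name, data):
    """Classify one file by comparing its extension with what its bytes say."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    found = identify(data)
    if ext in found:
        return "match"                                   # extension and content agree
    if found:
        return "mismatch:" + "/".join(sorted(found))     # content is a different known type
    if ext in SIGNATURES:
        return "bad signature"                           # known extension, unrecognised bytes
    return "unknown"                                     # nothing to compare against

def scan(files):
    return {name: check_signature(name, data) for name, data in files.items()}

def mismatches(files):
    """Files worth a second look: the extension lies about the content."""
    return sorted(name for name, result in scan(files).items() if result.startswith("mismatch"))

if __name__ == "__main__":
    for name, result in scan(SAMPLE_FILES).items():
        print(f"{name:12} {result}")
```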

Time estimate

During the search process, EnCase will display an estimate of the remaining time in the lower right of the display as shown above.

When the search completes, which may take over an hour, you can begin to examine the EMAIL messages that were identified. From the dialog box that appears after the search is complete, answer the following question:

1. How long did it take EnCase to search the case for EMAIL messages?

Click OK to close the dialog box. To view the identified EMAILs, use the scroll control on the menu bar under Cases to scroll right to Records and click on it.

In the tree pane, click on Hunter XP and then MS Email Files to update the table view and view the findings.

As you can see, EnCase identified a large amount of EMAIL in the disk images. To get you started, in the tree pane, expand the Hunter XP tree by clicking on the + sign next to it. Then expand chaser1191, Chaser1191 again, then Mail, then click on Mail You've Sent to produce the following display.

To view the EMAILs in a more natural format, switch the View pane to Report mode by clicking on the Report tab. From the contents of the Name column, it appears that some interesting items of evidence have been discovered. By inspecting the From and To addresses of the EMAILs, try to identify the EMAIL address used by the owner of this computer.

2. What EMAIL address appears to belong to the owner of this computer?

3. What are the first names of the fathers whose daughters are being threatened?

4. What is the EMAIL address of a co-conspirator in the ransom plot?

Attachments
EnCase makes it very easy to view the attachments of EMAIL messages in their native format. Expand the Billy.dbx tree by clicking on it in the tree pane and then click on Web Site under Billy.dbx.

The attachments to the EMAIL are displayed in the Table pane and the selected attachment appears in the View pane.

5. How many files are attached to this EMAIL?

Click on the final photograph in the Table view and click on Picture in the View pane.

6. Why would this picture be of particular interest to your client?
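EnCase does the address triage and attachment listing above over the DBX stores for you. As an added illustration that is not EnCase's code and does not read its formats, the following Python script applies the same two steps to a constructed folder of plain RFC 822 messages: tally From/To addresses to find the mailbox owner and the other parties, and walk each message's MIME tree to list its attachments. Every address, subject and line of text in it is invented.

```python
import email
from collections import Counter
from email.utils import getaddresses
# Constructed RFC 822 messages standing in for a "Mail You've Sent" folder. Every
# address, subject and line of text is invented for this example, not evidence.
MESSAGES = [
    """From: owner@example.invalid
To: bob@example.invalid
Subject: Web Site
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: image/jpeg; name="p1.jpg"
Content-Disposition: attachment; filename="p1.jpg"

(jpeg bytes omitted)
--sep
Content-Type: image/jpeg; name="p2.jpg"
Content-Disposition: attachment; filename="p2.jpg"

(jpeg bytes omitted)
--sep--
""",
    "From: bob@example.invalid\nTo: owner@example.invalid\n"
    "Subject: Re: Web Site\n\nYou can see yourself in the reflection.\n",
    "From: owner@example.invalid\nTo: carol@example.invalid\nSubject: Hi\n\nTomorrow.\n",
]
def parse_folder(raw_messages):
    # Standard-library parser; EnCase's DBX/PST decoders are not reproduced here.
    return [email.message_from_string(raw) for raw in raw_messages]

def addresses(msg, header):
    # All addresses in one header, normalised to lower case.
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]

def likely_owner(msgs):
    # The owner is the address present on the most messages, as sender or recipient.
    tally = Counter()
    for msg in msgs:
        tally.update({a for h in ("From", "To", "Cc") for a in addresses(msg, h)})
    return tally.most_common(1)[0][0]

def correspondents(msgs, owner):
    # Every other party that exchanged mail with the owner.
    return {a for m in msgs for h in ("From", "To", "Cc") for a in addresses(m, h)} - {owner}

def attachment_names(msg):
    # Walk the MIME tree and keep the parts explicitly flagged as attachments.
    return [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]
```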

As you analyze the evidence, EnCase provides a way for you to document your findings as you proceed through the use of Bookmarks. Rather like placing bookmarks in a book while reading it, these flag findings of particular interest that can be included in the report.

Bookmarks

As the attachment identified earlier is a particularly interesting piece of evidence, right click on this image in the gallery and select Bookmark Data from the pop-up window. This will display another dialog box that allows you to associate a comment with the bookmark and even to organize the bookmarks into folders. For now, just type a descriptive comment in the box and click OK.

Since the photographer is visible as a reflection in the image, it would be particularly helpful if the conspirators had noticed this reflection and commented on it in an EMAIL, as that would tie the image to either the sender or the receiver of the EMAIL. Examine the contents of each EMAIL by highlighting it in the Table pane and reading its contents in the View pane (switching the View pane to Report view will make the EMAILs easier to read). Notice that in one of the EMAILs, Bob tells Billy that he appears in the reflection in the picture. This is a very important EMAIL because it links a conspirator's name to the image in the photograph. Right click this EMAIL, select Bookmark Data, and add a descriptive comment for this bookmark.

7. What is the subject of this EMAIL?

Reporting
If an investigator is diligent in bookmarking items, adding notes, etc., during the analysis, the report on an analysis can be generated almost automatically. Click on Bookmarks in the Tree pane and then click on Report in the Table pane to view the report on the items you have bookmarked. The report can be exported as a rich-text format file by right clicking on it and selecting Export.

There is a report view in each section of EnCase. If the items carved from the paging file were of interest in the report, you could export a report from that section by returning to its display (clicking on it in the Tree pane) and then selecting the Report view. The final report on a case would be constructed by exporting these different reports and then consolidating them into the overall report.

8. Do you feel that your investigation has uncovered evidence supporting the allegation that the owner of this laptop might have been involved in the plot to extort money from the two families under threat of kidnapping their daughters?

9. If your firm had not insisted on this investigation being treated as attorney work product, how comfortable would you feel at this point with the client's desire to keep your findings confidential?

Name: ______________________________    Date: ______________

EnCase Lab Answer Sheet

1. __________________________________________________________________
2. __________________________________________________________________
3. __________________________________________________________________
4. __________________________________________________________________
5. __________________________________________________________________
6. __________________________________________________________________
7. __________________________________________________________________
8. __________________________________________________________________
9. __________________________________________________________________
