EnCE v6 Study Guide

EnCE Study Guide Version 6
EnCE Study Guide
Certification Background
The EnCase Certified Examiner program was created to meet the requests of EnCase users as well as to provide a recognized level of competency for the examiner. While many different certifications exist, the EnCE provides an additional level of certification and offers a measure of professional advancement and qualifications. Certain qualifications must be met to enter the certification process. An application and a detailed explanation can be found at:
http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm
The cost is USD 200.00 US and Canada, and USD 225.00 International payable by credit card, check, or purchase order. The certification program does not generate profits for Guidance Software; the testing fee covers the cost of the written test provided by ExamBuilder. Once payment has been received and processed, the certification coordinator will email testing instructions to you. The certification process addresses both EnCase software (EnCase) and general areas of computer forensics. It involves a written test consisting of 180 questions (174 for international candidates; no legal questions). Two hours are provided to complete the written exam, which is true/false and multiple choice. Once the Phase I results are received, the certification coordinator will ship the Phase II exam to you at the address you provided on your application. You will be notified via email when your package has been shipped. If you fail the Phase I test, you will be required to wait two (2) months from the date the test was taken to be issued a new voucher and re-test. In your Phase II package you will receive a compact disc that has a certification version of EnCase Forensic, evidence files, and objectives or issues you must address. You must work the case, compile your report, and then send the report to Guidance Software for review and grading within 60 days. If you do not finish the Phase II in the time allotted, you will be required to wait two (2) months from the date that the test was due and restart from the beginning.
Copyright 2011 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.
EnCE Study Guide

Those who fail the EnCE Phase II exam must wait two (2) months prior to retesting. We will not provide feedback on what was missed on the exam. If after resubmitting Phase II you fail again, you must begin the retesting process from Phase I.
Beginning the Certification Process

The first step toward certification is to review the qualifications and complete the application available at:
http://www.guidancesoftware.com/computer-forensics-training-ence-certification.htm
Submit the completed application to the EnCE certification coordinator at the address provided. Once your application has been received and accepted, you will be provided with a voucher to enroll in Phase I of the testing process.
Phase I Testing Options
ExamBuilder
o o
ExamBuilder provides online testing services available at all times. Once you receive email instructions from the certification coordinator, visit the ExamBuilder website at https://testing.exambuilder.com/ to enroll in the Phase I testing process. Follow the instructions for log in and complete the enrollment form. If you have questions about the enrollment process, contact the Guidance Software certification coordinator at (626) 229-9191, ext. 513 or certification@guidancesoftware.com
EnCE Prep Course

o
This course is designed for EnCase users preparing for certification. The certification is based upon the skills and knowledge presented in Guidance Softwares EnCase Computer Forensic I and EnCase Computer Forensic II courses. The EnCE Prep course is not intended to be a replacement for these two classes; instead it is a thorough but accelerated review of the covered subjects. Students cannot waive or substitute the prerequisite attendance of Guidance Softwares EnCase Computer Forensics II course when applying to attend the EnCE Preparation course. The Phase I written examination will be administered on the final afternoon of the course in a monitored, timed environment.
EnCE Study Guide

o
The examination will be administered only at Guidance-owned sites in Los Angeles, Chicago, Houston, Washington DC, and London; Authorized Training Partners cannot conduct the test as part of this course. Complete details for this course can be found at:
http://www.guidancesoftware.com/computer-forensics-training-encase-ence.htm
CEIC
o o
Registered attendees at our annual CEIC conference may elect to take the Phase I test at no additional charge during the conference. All requirements must be met prior to attending CEIC. Anyone interested in taking the Phase I test at CEIC must fill out an application and return it to the certification coordinator via fax, email, or mail one (1) month prior to the conference. Only those who have preregistered and been approved will be admitted to take the Phase I test at CEIC. Please visit www.ceicconference.com for more information.
Maintaining Your Certification

As of November 1, 2008 EnCase Certified Examiners are required to achieve one of the following items prior to their expiration date in order to renew. For those who have been certified prior to November 1, 2008, the current expiration date will remain the same, but the new requirements listed below will now apply. Once renewed, the expiration date will be changed to a three-year cycle (for example if renewing in 2009, the next renewal date will not be until 2012, and then every 3 years from then on).
Attend a minimum of thirty-two (32) credit hours of documented continuing education in computer forensics or incident response to maintain the certification: *
o
The training should either be from Guidance, your agency, or an accredited source. Training should be either in a classroom lab setting or online. Proof of attendance should be provided via a certificate, transcript, or official letter. Earn one (1) credit hour for each classroom hour of training and 1/2 credit hour for each one hour of instruction as a computer forensics or incident response curriculum instructor.
Achieve a computer forensics or incident response related certification within the renewal period. A certificate of completion must be submitted as documentation.
Training and teaching hours may be combined to reach the total 32 hours required. Documentation may be a certificate of completion, official letter from the provider, or transcript.
3
EnCE Study Guide
Attend one CEIC conference within the renewal period. Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE. Register online at http://www.ceicconference.com/Default.aspx. Renewal forms will be available at the registration desk during the conference. Please check the box on the renewal form, and registration will be on file with Guidance Software, Inc. Guidelines for submitting renewal credit for attendance at any other computer forensic conference other than CEIC are:
o o o
Only labs count (seminars or product demos are not considered) Calculate one (1) CPE for every hour in a lab To submit credits please send a copy the conference agenda and indicate the labs attended and how many CPE each one is worth
Please do not submit your renewal documents separately. Keep all certificates together and only send them when you have the requirement fulfilled. When you are ready, send the attached form and any certificates/letters/documents via fax, email, or regular mail. The requirements need to have been met within the renewal period. (i.e., if the renewal date is June 1, 2009, the requirements must have been achieved between June 1, 2007 and June 1, 2009.)
Should your certification expire, you will be required to restart the EnCE process from Phase I. Extensions will not be granted. If you are unsure of your expiration date, please email: certification@guidancesoftware.com Complete renewal details are available at:
http://www.guidancesoftware.com/computer-forensics-training-encep-programapplication.htm
EnCE Study Guide

Other Study Material
This Study Guide highlights the topics contained in the EnCE test, including good forensic practices, legal issues, computer knowledge, knowledge of EnCase, evidence discovery techniques, and understanding file system artifacts. If you need reference materials to prepare for a specific topic or portion of the exam, some recommended study materials are listed below: EnCase Computer Forensics I manual by Guidance Software EnCase Computer Forensics II manual by Guidance Software EnCase Legal Journal by John Patzakis EnCase User's Manual by Guidance Software Handbook of Computer Crime by Eoghan Casey How Computers Work by Ron White EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide by Steve Bunting, Second Edition
EnCE Study Guide

EnCase Environment All lab media should maintain a unique volume label and a unique directory to receive the evidence file(s). All lab media should be forensically sterile wiped of all data, verified to be absent of any data, freshly partitioned, and formatted. Upon starting a new case, default Export and Temp directories should be defined. These folders will provide a default location for exported data as well as a specific folder to contain files that are created through the use of external viewers. Both of these folders are case specific and can be modified as to location at any time. When an examiner double-clicks on a file, the data is copied to the defined Temp directory, and the associated viewer is then called to display the file data. When EnCase is properly shut down, EnCase will delete the files from the Temp folder.
E01 File Bit-stream image of the source media written to a file(s). Contains case information as first block. Header is always compressed and is verified through the use of the compression algorithm used. No alteration to case information block can be made. There is no limit to the EnCase evidence file segment size. Content of the evidence file cannot be changed data cannot be added to an existing evidence file.
EnCE Study Guide

Case File Contains your work search results, bookmarks, and report. It is simply a text file containing information specific to a single case/investigation. There is no limit to the number of evidence files that can be added to a single case 8 hdds, 200 diskettes, 24 CDRs as example. Case file is updated by utilizing the SAVE button or selecting SAVE from the <File> menu. This only affects the .case file. Evidence file verification results are stored within the .case file.
Backup File (.CBAK) Is created at preset intervals if auto save is enabled and not set to 0 Captures current state of the case
EnCase Configuration Files Contain global changes to the EnCase environment external viewers, hash sets/libraries, signature table. This global environment dictates information/tools available for all cases not case specific. Example EnCase configuration .ini files: o FileSignatures.ini File Signature Table o FileTypes.ini organizes files into groups by extension; determines which viewer to use o Keywords.ini global keywords list o Filters available filters o Viewers.ini installed external viewers File Types table dictates the action that will occur if a user double-clicks on a specific file. External viewers are associated with file extensions through the File Types.
EnCE Study Guide

Verification of E01 A CRC (32 bit) is computed for every 64 sectors of an uncompressed evidence file. The decompression algorithm is used to verify the evidence file when the evidence file is compressed. MD5 (128 bit) computed during acquisition and placed at the end of the evidence file. SHA1 hashing verification option. To fully verify an uncompressed evidence file, all CRCs as well as the hash value(s) must validate and verify. For a compressed evidence file the decompression algorithm as well as the hash value(s) must validate and verify. If any changes occur to an evidence file, the CRC for the affected block(s) will no longer verify, and EnCase will display an error when any data within the block is accessed. EnCase will also indicate an error if the evidence file is verified again. Three (3) aspects of an existent evidence file can be changed/altered:
o o
Password +/-, compression, and evidence file segment size The applied filename of the evidence file can be changed, and/or the evidence file(s) can be moved to another location; however EnCase will prompt you to locate the renamed evidence file if it is changed after it is added to a case Individual segments of an evidence file can be verified (Tools Verify Single Evidence File)
Compression does not have an impact on the verification of an evidence file; hash value will remain constant.
EnCE Study Guide

Searches General Information Searches within the Windows environment are both physical and logical. Within the EnCase Windows environment, keywords that span noncontiguous clusters will still be located within logical files. No searching tool will find keywords spanning noncontiguous clusters in unallocated space. Searches in unallocated space are physical only as no logical definitions exist in this area.
GREP Most Commonly Used Symbols [ ] Square brackets form a set, and the included values within the set have to match a single character [1-9] will match any single numeric value from 1 to 9. Denotes a range such as above.
^ States not [^a-z] = no alpha characters from a to z. + States to repeat the preceding character or set any number of times, but at least once. * States to repeat the preceding character or set any number of times, including zero times.
\x Indicates that the following value is to be treated as a hexadecimal value - \xFF\xD8\xFF ? Means or not joh?n will yield both JOHN and JON You must indicate via the check box that the created expression is a GREP term.
Unicode Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode. Unicode uses two bytes for each character allowing the representation of 65,536 characters.
EnCE Study Guide

File Signatures Simply compares the displayed extension with the files header/signature. Four possible results will be obtained: !Bad Signature - The extension is in the File Signature table but the header is incorrect, and the header is not in the File Signature table. * [Alias] - The header is in the table and the extension is incorrect. This indicates a file with a renamed extension. MATCH - The header matches the extension. If the extension has no header in the File Signature table, then EnCase will return a Match as long as the header of the file does not match any header in the File Signature table. UNKNOWN - Indicates that neither the header/signature nor the extension is listed in the table. If either the header/signature or the extension is listed in the table, you will not obtain a value of UNKNOWN. To examine the results of the File Signature effort, sort on the File Signature column. Remember that the Gallery view will not display supported image files that maintain extensions inconsistent with image files until and unless the Signature Analysis has been run. The Signature Table can be edited and/or added to by accessing the table and choosing right-click New.
10
EnCE Study Guide

Hash Analysis Hash sets can be created from selected files, and the set(s) can then be added to the library. The hash value computed for a given file is based upon the logical file content only not the slack area of the file. File names are maintained within the folder/directory and have no bearing on the computed hash value of a given file. EnCase will compute a hash value of each file in the case and then compare these computed values to the values present in the library. Hash analysis allows the examiner to identify files that are known either as innocuous files that can be ignored or as files that are evidentiary in content. Hash sets contain only the computed hash values of the files not the file content. A file cannot be created from the computed hash value.
ASCII and Binary ASCII table is a 7-bit table, and the acronym stands for the American Standard Code for Information Interchange. The resultant 128 values represent alpha/numeric values, common punctuation, and other values. Hexadecimal notation employs two characters to represent one byte. A single byte (8 bits) can represent one of 256 possible values; a nibble (4 bits) can represent one of 16 possible values. The LE indicator within EnCase indicates the number of bytes that have been selected/swept/highlighted. Nibble = 4 bits Byte = 8 bits Word = 2 bytes = 16 Bits Dword = 4 bytes = 32 Bits
11
EnCE Study Guide

File Systems FAT file systems (FAT12, 16, 32) group one or more sectors in powers of 2 into clusters. The number of clusters that the file system can manage is determined by the available bits employed by the FAT. FAT16 (2/16) allows 65,536 clusters. FAT32 (2/28) allows 268,435,456 clusters. The FAT maintains information regarding the status of all the clusters on the volume (available -0, in use), indicated cluster number, containing the end of a file (EOF), and containing one or more defective sectors (BAD). The FAT also tracks file fragmentation. Directory entries maintain the file name, logical file size, and starting cluster. FAT is read to begin locating the files data. Each FAT volume maintains two copies of the FAT FAT1 and FAT2. Each sector contains 512 data bytes, and this size is consistent across different media types. (ZIP disks, floppies, HDD, etc.) Logical file size is the actual number of bytes that the file contains. Physical file size is the amount of actual media space allocated to the file. Only one file can occupy a cluster at one time no two files can occupy the same cluster.
Slack Displayed in EnCase as red text. It is the data from the end of the logical file to the end of the physical file. EnCase also displays FAT directory entries in red text because neither slack nor FAT directories have any logical file size
12
EnCE Study Guide

Deleted Files Two actions occur when a file is deleted from a FAT system the first character of the directory entry(s) pertaining to the file is/are changed to E5h, and the values within the FAT that pertain to this file are reset to 0 (available). Deleting a file has no effect on the actual data in FAT or NTFS. EnCase reads the directory entry for a deleted file and will obtain the starting extent. It then will determine the number of clusters the file requires by dividing the logical file size by the bytes per cluster. EnCase reads the FAT to determine if the indicated starting extent (cluster) is in use by any other file. If the indicated starting extent (cluster) is in use by another file, EnCase deems this file to be overwritten.
Computer Hardware and Systems BIOS Basic Input Output System The BIOS is responsible for the initial checking of the system components and initial configuration of the system once power is turned on. Examiners should access the BIOS and determine the boot sequence as well as the indicated date/time. Depending on the settings, the computer system may or may not attempt to boot from a diskette drive. The BIOS is typically contained within a chip located on the system motherboard, which is the main circuit board within a computer system. Add-in cards video controller, SCSI controller, NIC, etc. SCSI host adapters manage SCSI devices and make them accessible to the OS. RAM Random Access Memory stores data temporarily and is accessible immediately to the OS.
13
EnCE Study Guide

ROM Read Only Memory CPU the actual processor chip not the whole computer. POST Power On Self Test first activity following the application of power to the computer system. The POST activity includes the testing of identified attached devices on the system bus, including the HDD(s), diskette drives, installed memory, etc. Drive letters are assigned by the OS during the boot process, but are not recorded to the media involved. Bootable media must maintain a bootable partition/volume, which in the case of HDDs, must be set as active.
HDDs IDE drives are set for Master/Slave/Cable. Select through jumper pinning on the physical drive. SCSI drives do not maintain Master/Slave settings; rather they are assigned ID numbers, again usually through jumper settings. When employing CHS geometry, the formula for determining the HDD capacity is CxHxSx512. The first sector on every HDD contains the Master Boot Record, and the partition table for the drive is located within this sector for Windows and Linux offset 446-509. The partition table within the MBR can maintain 4 entries, each 16 bytes in length. Each defined partition on a physical HDD will contain a Volume Boot Record as the first sector within the partition. Selecting the Volume Boot sector, right-clicking and choosing Add Partition can recover deleted partitions.
14
EnCE Study Guide

First Response Systems will either be on or off if they are on, they must be shut down. Review recommendations regarding the different file systems and shutdown options. Preview options FastBloc, network cable Boot Disks must have the OS system files, and these system files must be altered to prevent access to the fixed disk drive(s). EnCase will create the forensic boot disk, make the proper alterations to IO.SYS and Command.COM, and delete DRVSPACE.BIN. This must be done to prevent writes to any attached HDDs and prevent the mounting of a compressed volume file. A forensically sound bootable CD that includes the LinEn utility may be used. Procedures
o
Photograph, external inspection, label connections, internal inspection, disconnect power/data cables from HDD(s), boot with EnCase boot disk or a forensically sound CD with the LinEn utility, and access the BIOS note boot sequence and date/time. Allow boot to continue to confirm drive and diskette function. Power down, attach target and destination (lab) HDDs, and reboot with boot disk. Using an EnCase boot disk will start the computer to the DOS OS. Logical partitions under NT, Linux (EXT2/3), UNIX, and Mac HFS will not be seen as DOS does not understand those file systems. Obtain a physical disk evidence file, and EnCase will resolve the file structure once the E01 file is added to the case.
15
EnCE Study Guide

Restoring E01 Files Evidence files can be restored to media of equal or greater size. The hash value of a properly restored evidence file will match the value maintained within the evidence file, which is the value computed against the original source media. Restoring evidence files of physical media must be made to a physical drive, logical evidence files to a defined logical partition. Logical restores must be made to a created partition equal to or larger than the evidence file partition, and must be of the same file system FAT16/32. Restored drives are validated by the MD5 value.
OS Artifacts Review Recycle Bin functions DC0.TXT, DC1.JPG, etc. On Windows XP/2003 and below, the date/time deleted stems from the INFO record within the Recycle Bin. FAT directory entries in DOS/Windows are 32 bytes in length. Review directory structure parent/child relationships. Review Windows XP/2000 artifact locations: C\Windows\Recent, Desktop, Send To, and Temporary Internet Files. Review LNK files linking a diskette to the computer that wrote to it embedded date/time as well as full path and file name of the target file. Review EMF files, SPL, and SHD files definition and content. BASE64 encoding common to email attachments. Windows 2000 and XP have user personal folders stored under C:\Documents and Settings.
16
EnCE Study Guide

Legal Every printed document from a computer is considered an original. Any printout or other output readable by sight shown to accurately reflect the data stored in a computer system is considered an original. Compression of the evidence file has no bearing on the validity or admissibility of the data. Courts have ruled that the manner in which data is maintained while in storage is not relevant, as long as the data is accurately portrayed when accessed and presented in a printout or other output, readable by sight. The EnCase evidence file may be considered the best evidence, depending on the events and circumstances of the case. Daubert legal test employed by US courts to determine if a scientific or technical process is acceptable.
o o o
Has the process been tested and subjected to peer review? Does the process/application maintain general acceptance within the related community? Can the findings be duplicated/repeated?
17
EnCE Study Guide
EnCase Certified Examiner Preparation Training

Certification@GuidanceSoftware.com
2011 Guidance Software, Inc. All Rights Reserved.
EnCE Preparation Training

P A G E 1
Examining computer-based evidence with EnCase software (EnCase) Computer Knowledge Good Forensic Practices Legal
18
EnCE Study Guide
Examining computer-based evidence

P A G E 2
The EnCase Evidence File EnCase Concepts The EnCase Environment Searching File Signature and Hash Analysis
The EnCase Evidence File

P A G E 3
Bit stream image of evidence written to a file Header Case information CRCs (Cyclical Redundancy Check) Data Blocks
19
EnCE Study Guide

P A G E 4
Header Case Information Header is always compressed and is verified through the use of the compression algorithm used Can not be changed after evidence file is created Contains: Case number Examiner name Evidence number Unique description Date/time of computer system clock Acquisition notes Serial number of physical hard drive

P A G E 5
Cyclical Redundancy Check 32-bit CRC for (by default) 64 sectors (32 KB) of data If no compression is used Calculated when evidence file is added to case and rechecked every time the data block is accessed Message Digest 5 Hash 128-bit digital signature of all data in evidence file Optional
20
EnCE Study Guide

P A G E 6
Logical file that can be renamed and moved Can be broken into multiple segments with a maximum segment size dependent on the file system to which the evidence file is written Can be compressed during acquisition and/or reacquired with compression for archival without changing the hash value Can be password protected and can be reacquired to remove or change password Individual segments can be verified by the CRCs when compression is not used. If compression is used the decompression algorithm is used

P A G E 7
Block size can be adjusted to range from 64 to 32768 sectors Error granularity is often used to adjust the writing of data to an evidence file when a read error of the subject media occurs Quick reacquisition is used on an existing evidence file to quickly change file segment size, password +/-, and/or the applied name of the evidence file.
21
EnCE Study Guide

P A G E 8
Evidence File Verification Data in the entire evidence file is verified by Verification hash compared to the Acquisition hash value of the original evidence Data in each data block is verified by a CRC when no compression is used Both the MD5 hash and CRCs must match for the evidence file to be verified If any compression is used, the compression algorithm is used to
verify data blocks
EnCase Concepts
P A G E 9
The Case File - .case Text file containing:

Pointers to evidence files locations on forensic workstation Results of searches and analysis (file signature and hash) Bookmarks Investigators notes
A case file can contain any number of hard drives or removable media A backup file (.cbak) is updated by default every 10 minutes
Save the case file regularly during an examination
The case file should be archived with the evidence files as it contains all of the investigators notes
22
EnCE Study Guide
EnCase Concepts
P A G E 10
The Configuration .ini Files Contain Global Options used for all cases Some configuration .ini files:

FileSignatures.ini File Signature Table FileTypes.ini organizes files into groups by extension; determines which viewer to use Keywords.ini global keywords list Filters.ini available filters Viewers.ini installed external viewers
The EnCase Environment

P A G E 11
The EnCase Methodology Case Management
Separate folders for each case is recommended; use unique directory names Use large capacity, high RPM (revolutions per minute) hard drives with single partition for evidence files Wipe the drive to eliminate any claims or arguments of crosscontamination Give the hard drive a unique label prior to acquisitions to differentiate your drives from the suspects Create default Evidence, Export, and Temp folders for each case
23
EnCE Study Guide
The EnCase Environment

P A G E 12
The EnCase Methodology Export Folder

Create a separate Export folder for each case The name and location of the Export folder can be changed at any time Used by many EnScript programs for exporting files Selected by EnCase as starting folder when using Copy/Unerase

Temporary Folder
Used to receive files sent to an external viewer Redirect files away from the examiners operating system drive Files in the Temporary folder are deleted when EnCase is shut down properly

Searching
P A G E 13
EnCase for Windows Physical searching is conducted on logical files and the unallocated areas of the physical disk. Logical search will find a word fragmented between two noncontiguous clusters, whereas a physical search will miss the fragmented word.
24
EnCE Study Guide
Searching
P A G E 14
Adding Keywords Case Sensitive
Not set by default. Selecting will limit hits to exact case of words entered. Can be used with GREP and Unicode. Box must be selected for EnCase to use GREP expression, otherwise EnCase will search for the literal entered characters. Can be used with Case Sensitive and Unicode. Selecting this box will enable EnCase to search for keywords in both ANSI and Unicode. Recommended to be selected for most searches. Can be used with GREP and Case Sensitive. Unicode uses two bytes for each character allowing the representation of 65,536 characters.
GREP
Unicode
Searching
P A G E 15
Global Regular Expression and Print (GREP)
.
\xFFA
A period matches any single character Character represented by its ASCII value in hex. \x09 is a tab. \x0A is a line feed. Both hex digits should be present even if they are 0.
\wFFFF Unicode 16 bit character ?

The question mark says repeat the preceding character (or set) one or zero times.
25
EnCE Study Guide
Searching
P A G E 16
GREP
* An asterisk after a character matches any number of occurrences of that character, including zero. For example, john,*smith would match john,smith, john,,smith, and johnsmith. + A plus sign after a character matches any number of occurrences of that character except zero. For example john,+smith would match john,smith or john,,smith, but would NOT match johnsmith. A pound / hash sign matches any numeric character [0-9]. For example ###-#### matches any phone number in the form 327-4323.
(ab) The parentheses allows the examiner to group individual characters together as an AND statement. {m,4} The curly braces state number of times to repeat, i.e. m four times | The pipe is an OR statement and can be used with the parentheses, i.e., (com)|(net)|(org) for the end of an email address.
Searching
P A G E 17
GREP
[]
Characters in brackets match any one character that appears in the brackets. For example smit[hy] would match smith and smity. A circumflex at the start of the string in brackets means NOT. Hence [^hy] matches any characters except h and y.
[^]
[-] A dash within the brackets signifies a range of characters. For example, [a-e] matches any character from a through e, inclusive. \ A backslash before a character indicates that the character is to be treated literally and not as a GREP character.
26
EnCE Study Guide
File Signature and Hash Analysis

P A G E 18
File Signature Table Stored in the EnCase configuration file, FileSignatures.ini File signatures can be added manually The terms file signature and file header mean the same thing, the standard hex characters at the beginning of a certain file type

P A G E 19
File Signature Table Viewers EnCase uses the Viewers.ini file to store external viewer information and the FileTypes.ini file to associate file extensions with external viewers. When the examiner double-clicks on a file, EnCase will copy the file to the Temporary folder and launch the Windows-associated viewer or user-defined external viewer to read the file. The examiner can also right-click on a file and use the Send To feature to send the file to an external viewer.
27
EnCE Study Guide

P A G E 20
File Signature Analysis

Signature Table Analysis Explained
Signature / Header
LISTED NOT LISTED NOT LISTED LISTED
Extension
LISTED NOT LISTED LISTED LISTED
Comparison
CORRECT N/A INCORRECT INCORRECT
Results Displayed
MATCH UNKNOWN ! BAD SIGNATURE * FILE ALIAS

P A G E 21
Hash Sets and Hash Library Hash sets can be built with one file or any number of selected files. The sets contain the hash values of the file(s) in the set. The hash value of a file is computed only from the logical file independent of the file name, time/date stamps, and the slack space of the physical file. The Hash Library is built from selected hash sets. The examiner can exclude specific hash sets to remain within the scope of the examination.
28
EnCE Study Guide

P A G E 22
Signature and Hash Analysis File extensions are compared to the file signature (header) according to the File Signature Table. The hash value of each logical file is computed and compared with the Hash Library composed of the selected hash sets. Both analyses can be used to help identify suspect files and/or exclude known or benign files. The results of both analyses are viewed in the Table view.
Computer Knowledge
P A G E 23
Understanding Data and Binary The BIOS Computer Boot Sequence File Systems Computer Hardware Concepts
29
EnCE Study Guide
Understanding Data and Binary

P A G E 24
Bits and Bytes Bit 1 4 8 16 32 64 = = = = = = Name Bit Nibble Byte Word Dword Qword Binary 1 0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 0000-0000 You get the idea
Understanding Data and Binary

P A G E 25
ASCII and Unicode

The ASCII table (American Standard Code for Information Interchange) is based on an 7-bit system. The first 128 characters make up the ASCII table. The remaining 128 characters are called high-bit characters and represent alpha/numeric values common punctuation and other values. Together 256 characters can be addressed.
Decimal 0 1 2 Hexadecimal 00 01 02 Character NUL SOH STX [1] Binary Code 0000-0000 0000-0001 0000-0010
Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode. Unicode uses two bytes for each character, allowing the representation of 65,536 characters.
30
EnCE Study Guide
The BIOS
P A G E 26
Basic Input/Output System The BIOS checks and configures the computer system after power is turned on. The BIOS chip is usually found on the motherboard. The BIOS should be checked during each examination of a computer to check the boot sequence and settings of the internal clock.
Computer Boot Sequence

P A G E 27
Power Button
Add-in cards such as SCSI drive controller cards can have a BIOS on the card that loads at this time. These BIOS normally detect devices and load information into the BIOS data area in RAM.
The BIOS immediately runs POST and then prepares the system for the first program to run.
BIOS
POST
POST (Power On Self Test) checks the system board, memory (RAM), keyboard, floppy disk, hard disk, etc., for presence and reliability.
BIOS FROM ADD-IN CARDS
LOAD RAM WITH BIOS DATA
A special RAM BIOS data area of 256 bytes contains the results of the system check identifying the location of attached devices.
Boot Sequence?
31
EnCE Study Guide
Computer Boot Sequence

P A G E 28
A:
Boot Sequence?
C:
Master Boot Record
Present?
No May display error or shift to boot another device Other Devices

Go to Boot Partition
Yes
Boot Record
Boot Record?
No
Io.sys
Yes
Io.sys Msdos.sys Optional Config.sys Command.Com Autoexec.bat
Msdos.sys
Config.sys
Command.Com
Autoexec.bat
File Systems
P A G E 29
File Allocation Table FAT tracks File fragmentation All of the addressable clusters in the partition Clusters marked bad Directory records File name Date/time stamps (Created, Accessed, Written) Starting cluster File logical size A directory (or folder) is a file with a unique header and a logical size of zero
32
EnCE Study Guide
File Systems
P A G E 30
Name
Cluster Length Accessed Written Created
MyNote.TXT Picture1.GIF Picture2.JPG Job Search.DOC Report.DOC Personal Letter.DOC
. ..
1000 1002 1004 24888 79415 88212
952 890 5000 11000 34212 10212
8/25/00 8/25/00 8/25/00 8/25/00 8/25/00 8/25/00
8/22/00 6/15/98 7/12/99 8/25/00 7/31/00 8/25/00
8/22/00 6/15/98 7/12/99 8/1/00 6/20/00 8/25/00
Directory Entry
File Allocation Table Clusters (Allocation Units)

File Systems
P A G E 31
Directory Entry
Name MyNote.TXT Picture1.GIF Picture2.JPG Job Search.DOC Report.DOC Personal Letter.DOC Cluster 1000 1002 1004 24888 79415 88212 Length 952 890 5000 11000 34212 10212
33
EnCE Study Guide
File Systems
P A G E 32
File Allocation Table
2 EOF
3 EOF
4 EOF
5 EOF
6 EOF
7 EOF
1000 EOF
1001 0
1002 EOF
1003 0
1004 1005
1005 EOF
FAT
P A G E 33
When a file is deleted from a FAT system 1st character of directory entry changed to E5h FAT entry values change from allocated to unallocated (0) No effect on the data within the clusters When EnCase virtually undeletes a file Directory entry read
Obtains starting extent, logical size Obtains number of clusters by dividing logical size by bytes
per cluster
FAT examined to determine if starting cluster/extent is in use If starting extent is in use, EnCase deems this file to be Deleted/Overwritten
34
EnCE Study Guide
File Systems
P A G E 34
File Allocation Table FAT 16 2 ^ 16 = 65,536 total allocation units available (clusters) FAT 32 2 ^ 28 = 268,435,456 total allocation units 4 bits are reserved by Microsoft Two copies of the FAT are stored for backup purposes. A cluster is composed of multiple sectors. A sector contains 512 user addressable data bytes.
NTFS
P A G E 35
Master File Table (MFT) administratively documents all files/folders on NTFS volume MFT comprised of records 1024 bytes each MFT grows but doesnt shrink At least one MFT record is allocated to each file and folder on volume Bitmap file documents if clusters are allocated or unallocated Two types of files: Resident and Nonresident
35
EnCE Study Guide
NTFS
P A G E 36
Resident files Data resides within MFT record for file Data does not begin at the beginning of a sector/cluster Logical size = physical size Nonresident files Data not within MFT Record MFT record houses pointers to clusters storing file Pointers in the form of a data run Both types of files may be hashed as long as logical size is greater than 0
File Systems
P A G E 37
Logical and Physical File Size

My Pic.jpg
Physical File bytes (1 cluster)
Logical File 3045 Bytes
File Slack
36
EnCE Study Guide
Slack Space
P A G E 38
File slack is comprised of drive slack and RAM slack Drive Slack Data that is contained in the remaining sectors of a logical file that
are not a part of the current logical file. A logical file of 10 bytes stored in a 4-sector cluster will have 3 sectors of drive slack.
RAM Slack Data from the end of the logical file to the end of that sector. The
10-byte file from above will have 502 bytes of RAM slack in the same sector that contains the logical data.
Slack Space
P A G E 39
RAM slack is zeroed out prior to writing it to the drive in Windows 95B and newer
In Windows 95A and older RAM slack will contain actual data from RAM and it will be stored on the drive with the file
37
EnCE Study Guide
Computer Hardware Concepts

P A G E 40
The computer chassis or case is often incorrectly referred to as the CPU The CPU is the Central Processing Unit installed on the motherboard Also installed on the motherboard are the Random Access Memory, the Read Only Memory, and add-in cards such as video cards, Network Interface Cards (NIC), Small Computer System Interface (SCSI) cards Integrated Drive Electronics (IDE) hard disk drives can be attached directly to the motherboard with a ribbon cable SCSI hard disk drives require a controller card on the motherboard
Computer Hardware Concepts

P A G E 41
Geometry of hard drives Cylinder/Heads/Sectors (older drives) C x H x S x 512 bytes per sector = total bytes Logical Block Addressing Total number of sectors available x 512 bytes = total bytes Master Boot Record Volume Boot Record Partition Tables Partition Recovery
38
EnCE Study Guide
Good Forensic Practice

P A G E 42
First Response Acquisition of Digital Evidence Operating System Artifacts
First Response
P A G E 43
At the Scene Photograph, take notes, sketch
Take down the system whether pull plug or shut down depends on circumstances Shut Down if UNIX/Linux or Server Pull Plug it depends on circumstances
39
EnCE Study Guide
First Response
P A G E 44
Forensic Boot Floppy/CD/Thumb Drive Appropriate applications Drivers for SCSI, NIC cards, etc. Modified files command.com io.sys drvspace.bin if not removed, will mount a compressed drive
space volume
First Response
P A G E 45
Onsite Triage FastBloc Fastest Gallery view, hash/file signature analysis, logical and physical
searches with GREP, copy/unerase, EnScript modules, etc.
Network Cable Preview Fast Gallery view, hash/file signature analysis, logical and physical
searches with GREP, copy/unerase, EnScript programs, etc.
40
EnCE Study Guide
Acquisition of Digital Evidence

P A G E 46
Computer Forensic Examiner Must be trained Must use best forensic practices available Must avoid damaging or altering evidence Should test and validate computer forensic tools and techniques prior to using them on original evidence

P A G E 47
File Systems Supported by EnCase FAT 12, 16, 32 NTFS EXT2/3 (Linux) Reiser (Linux) UFS (Solaris) CDFS (Joliet, ISO9660, UDF) DVD Macintosh HFS/HFS+, Mac OS X (BSD) HP-UX Etc
NOTE: Only FAT partitions will be viewable if booted in DOS environment.
41
EnCE Study Guide

P A G E 48
File Systems Supported by EnCase If the file system is not supported by EnCase, the examiner can still conduct a physical text search, run EnScript programs for file headers and footers, etc. The examiner can also restore the physical drive to a drive of equal or larger size. The restored drive is verified by the MD5 Hash. A volume may also be restored to a partition containing the same file system. Restored image is verified by the MD5 hash value.

P A G E 49
Laboratory Procedures Cross contamination Wipe lab examination drives Use EnCase case management methodology Chain-of-Custody Controlled access to lab area Evidence locker or depository Storage Clean, temperature-controlled environment Portable electronic devices may lose battery power erasing all data
42
EnCE Study Guide
Operating System Artifacts

P A G E 50
Recycle Bin and Info2 file FAT/NTFS Directory Entries and Structure Windows Artifacts
Recent Link Files Desktop Send To Temp Internet Explorer history, cache, favorites, cookies Enhanced MetaFiles; Print Spooler 2000/XP C:\Documents and Settings
Operating System Artifacts

P A G E 51
Windows Artifacts (continued) Registry files global and user account specific Swap file Hibernation/Standby file Thumbs.DB Restore Point
43
EnCE Study Guide
Legal Issues
P A G E 52
Best Evidence Rule A printout of data stored in a computer can be considered as an original under the Federal Rules of Evidence if it is readable by sight and accurately reflects the stored data Compression of acquired data does not affect admissibility under the Best Evidence Rule If original evidence must be returned to the owner, the forensic image could be considered the Best Evidence
Legal Issues
P A G E 53
Daubert/Frye Legal test to determine if a scientific or technical process Elements of Daubert Has the process been tested and subject to peer review? Does the process enjoy general acceptance in the related community? Can the findings be duplicated or repeated? Commercially available software has a greater opportunity for peer review, testing, and validation
44
EnCE Study Guide
45

EnCE v6 Study Guide

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

EnCE v6 Study Guide

Încărcat de

Drepturi de autor:

Formate disponibile

EnCE Study Guide Version 6

EnCE Study Guide

EnCE Study Guide

Beginning the Certification Process

Phase I Testing Options

EnCE Prep Course

EnCE Study Guide

Maintaining Your Certification

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCE Study Guide

EnCase Certified Examiner Preparation Training

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Preparation Training

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

Examining computer-based evidence

2011 Guidance Software, Inc. All Rights Reserved.

The EnCase Evidence File

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

The EnCase Evidence File

2011 Guidance Software, Inc. All Rights Reserved.

The EnCase Evidence File

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

The EnCase Evidence File

The EnCase Evidence File

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

The EnCase Evidence File

The Case File - .case Text file containing:

Save the case file regularly during an examination

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

2011 Guidance Software, Inc. All Rights Reserved.

The EnCase Environment

The EnCase Methodology Case Management

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

The EnCase Environment

The EnCase Methodology Export Folder

2011 Guidance Software, Inc. All Rights Reserved.

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

Adding Keywords Case Sensitive

Global Regular Expression and Print (GREP)

\wFFFF Unicode 16 bit character ?

2011 Guidance Software, Inc. All Rights Reserved.

EnCE Study Guide

2011 Guidance Software, Inc. All Rights Reserved.