< Back

 

Digital Forensic Tool: Encase

 

 Lecture PDF Download  Ʒ ȭǥ: 1 

 Suspect USB IMG Download  Ʒ ȭǥ: 1 

 

Table of Contents

-         Digital Forensics

-         Introduction of Encase

-         Tool Description

-         Exercise) Simple Case Image

 

 

Digital Forensics

 

Forensics science is the scientific method of gathering and examining information about the past. This is especially important in law enforcement where forensics is done in relation to criminal or civil law, but forensics are also carried out in other fields, such as astronomy, archaeology, biology and geology to investigate ancient times.

http://en.wikipedia.org/wiki/Forensic_science

As digital devices grow rapidly and take part in peoples daily lives, law enforcements found that evidence might exist in digital devices and begin investigating digital devices. We call this kind of forensic science, Digital Forensics.

Like its name, Digital Forensics is to gather, examine, and analyze information about the past in digital devices and has fields for each of investing target. So Digital Forensics consists Disk Forensics, Live Forensics, Network Forensics, Mobile Forensics, Cloud Forensics, etc.

Since digital information is made up of 0s and 1s, it can be modified very easily. Small action could change the data into entirely different information. So investigators are necessary to concern about integrity of the data. They need to be extra careful and use trusted tools for collection and analysis in order to get that data for evidence. FTK(Forensic Tool Kit), Encase, Final Data, etc. are considered as trusted forensic investigation tools.

 

What is Encase

 

 EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. The company also offers EnCase training and certification. Data recovered by EnCase has been used successfully in various court systems around the world, such as in the cases of the BTK Killer and the murder of Danielle van Dam.

http://en.wikipedia.org/wiki/EnCase

In short, Encase is one of the most famous, well-known tool for Computer Forensics investigation & analysis. This Tool has various features like Evidence Collecting(Imaging), Deleted File Browsing & Recovery, Live forensics, and Advanced Forensic Analysis.

o Product Line

 - Encase Forensic : Basic analysis tool for hard disks in local computest

 - Field Intelligence Model(FIM) : Investigating tool used by investigators which collects evidence images.

 - Encase Enterprise : Used for enterprise monitoring. Reduces time for Incident response.

 

o Supporting File System

 - FAT12, FAT16, FAT32 / NTFS / EXT2, EXT3 / CDFS / HFS, HFS+ / PALM / UFS

 

Tool Description

Default Display

As figure above, Encase has 3 panes( Tree / Table / View). Tree Pane shows users tree structured directories. Table Pane displays list of files from file selected at Tree Pane. View Pane displays more detail information of file selected from Table Pane.

 

Case Management

 In Encase, Case is management unit for one investigation. To create a new case, click File->New or New button in toolbar. Then Case Option will appear. Case Option collects Name of Case, Examiner Name, Default Export Folder, and Temporary Folder. Default Export Folder is where your recovered data will be saved. As for Temporary Folder, it saves temporary files as Windows Temp folder. By not setting Temporary Folder to Windows Temp folder, influence on target system could be minimized.

 

Add Device

 After creating case, we need to add target device that we want to analyze. To add a device, click File->AddDevice or Add Device button in toolbar.

 


 

Make Image File of Device

Select Disk you want to make image and right click the disk -> Acquire.

 

 

Keyword Search

 Registering Keywords

  #1. In Tree Pane, use to search Keywords tab.

 

#2. Right click to Keywords icon, you can see New Keyword window.

 

   #3. Set up keywords expression, name, and options

 

#4. Check whether the keyword is rightfully registered

 

Using Keywords in Search

#1. Check the directories that contain files you want to search in Tree Pane

#2. Then select files you want to search through in Table Pane

 

#3. After selecting files, go to Tools(from menu) > Search. Then Search Window will pop up.

 

#4. Set up the search options and use Start button to initiate the search feature

 

#5. Wait for the Search to be finished. There will be process status on the right-bottom corner of the window.

 

#6. When searching is finished, Searching window will pop up telling you that searching is completed

 

And you will be able to find results in Search Hits tab in Tree Pane

 

Gallary & Picture

Pictures can be very useful in some cases. EnCase supports Picture feature which is image viewer that helps users see what picture the file is. Also EnCase provide Gallery feature which displays all image files(jpeg, png, gif, etc.) in checked Folders.

             *In some cases, you should run keyword search beforehand to use these features.

 

Recovering Deleted Files

As you can see, EnCases displays some files that browser doesnt show.

 

These files includes Deleted files, Damaged files, Deleted Folders, Hard Link files. With encase, we can recover some of them.

 

Extracting Normal/Deleted files (Only  types of files)

#1. Select Files that you want to unerase. And select Copy/UnErase menu.

 

#2. And proceed the Copy/UnErase feature.

 

 #3. In the path that you set as extraction destination, you will find the file that you recovered.

 

 

 References

 

 Encasehttps://en.wikipedia.org/wiki/EnCase

Forensic Sicence, http://en.wikipedia.org/wiki/Forensic_science

 

 

Copyright © 2014 ICS Lab. Ajou Univ. All rights reserved.