EnCase Version 6.12 Modules Manual
Copyright © 1997‐2008 Guidance Software, Inc. All rights reserved. EnCase®, EnScript®, FastBloc®, Guidance Software® and EnCE® are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. No part of this document may be copied or reproduced without the written permission of Guidance Software, Inc. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this material is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated manuals, product release information, contact Guidance Software, Inc. at: http://www.guidancesoftware.com. Specifications and information contained in this manual are furnished for informational use only, and are subject to change at any time without notice.
Contents CHAPTER 1 Introduction
3
Introduction ....................................................................................................................................................... 4 Minimum Recommended Requirements .......................................................................................................... 4 Installing the EnCase Modules........................................................................................................................... 5 EnCase Decryption Suite Module ...................................................................................................................... 7 EnCase Physical Disk Emulator Module ............................................................................................................. 7 EnCase Virtual File System Module ................................................................................................................... 8 FastBloc SE Module............................................................................................................................................ 9 CD/DVD Module ................................................................................................................................................ 9
CHAPTER 2 EnCase Decryption Suite
11
Overview.......................................................................................................................................................... 12 EDS Features .................................................................................................................................................... 12 Product Matrix................................................................................................................................................. 13 Using EDS ......................................................................................................................................................... 14 Secure Storage Tab .......................................................................................................................................... 17 Secure Storage Items ....................................................................................................................................... 23 SafeBoot Encryption Support (Disk Encryption) .............................................................................................. 23 Utimaco SafeGuard Easy Encryption Support.................................................................................................. 26 BitLocker Encryption Support (Volume Encryption) ........................................................................................ 32 WinMagic SecureDoc Encryption Support....................................................................................................... 34 GuardianEdge Hard Disk Encryption Known Limitation................................................................................... 37 CREDANT Encryption Support (File‐Based Encryption).................................................................................... 37 CREDANT Encryption Support (Offline Scenario)............................................................................................. 41 S/MIME Encryption Support ............................................................................................................................ 43 NSF Encryption Support................................................................................................................................... 49 Lotus Notes Local Encryption Support............................................................................................................. 51 Windows Key Architecture .............................................................................................................................. 56 Dictionary Attack ............................................................................................................................................. 56
CHAPTER 3 Physical Disk Emulator
61
What is the Physical Disk Emulator?................................................................................................................ 62 Using Physical Disk Emulator ........................................................................................................................... 62 Third‐Party Tools.............................................................................................................................................. 67 Boot Evidence Files and Live Systems with VMware ....................................................................................... 68 VMware/EnCase PDE FAQs.............................................................................................................................. 72 PDE Troubleshooting ....................................................................................................................................... 73
CHAPTER 4 Virtual File System
75
What is VFS? .................................................................................................................................................... 76 Mounting Evidence with VFS ........................................................................................................................... 76 Dismount the Network Share .......................................................................................................................... 84 Accessing the Share ......................................................................................................................................... 85
Third‐Party Tools.............................................................................................................................................. 86 VFS Server ........................................................................................................................................................ 89 Troubleshooting............................................................................................................................................... 93
CHAPTER 5 FastBloc SE Module
95
What is the FastBloc SE Module? .................................................................................................................... 96 Background Information.................................................................................................................................. 96 Installing the FastBloc SE Module.................................................................................................................... 97 Using the FastBloc SE Module ......................................................................................................................... 98 Disk Caching................................................................................................................................................... 103 Troubleshooting............................................................................................................................................. 103
CHAPTER 6 CD/DVD Module
107
What is the CD/DVD Module? ....................................................................................................................... 108 Burning Evidence Files During Acquisition..................................................................................................... 108 Burning Logical Evidence Files During Acquisition......................................................................................... 110 Burning Files and Reports .............................................................................................................................. 110 Burning Existing Evidence and Logical Evidence Files.................................................................................... 114
Guidance Software
117
Legal Notification........................................................................................................................................... 117 Support .......................................................................................................................................................... 117 Customer Service ........................................................................................................................................... 122 Message Boards............................................................................................................................................. 123 Downloads ..................................................................................................................................................... 123 Training .......................................................................................................................................................... 123 Professional Services ..................................................................................................................................... 123
Index
125
CHAPTER 1
Introduction In This Chapter
Introduction
Minimum Recommended Requirements
Installing the EnCase Modules
EnCase Decryption Suite Module
EnCase Physical Disk Emulator Module
EnCase Virtual File System Module
FastBloc SE Module
CD/DVD Module
4
EnCase Version 6.12 Modules Manual
Introduction Since version 4 of EnCase® software, Guidance Software® has provided a variety of software modules that put powerful investigative tools at the disposal of forensic investigators. These modules are add‐ons to the software, and require purchasing certificates from www.guidancesoftware.com to activate them. The following modules are available for version 6.01:
EnCase Decryption Suite (EDS)
Physical Disk Emulator (PDE)
Virtual File Server (VFS)
FastBloc® Software Edition (SE)
CD‐DVD Module
A brief description of the modules follows; for more information on how to configure and use each of the modules, please refer to the respective chapters of this document.
Minimum Recommended Requirements To ensure acceptable performance, machines using the EnCase modules should fulfill the following minimum specifications:
Current version of the EnCase software (updates are available from the Web site at http://www.guidancesoftware.com)
Pentium IV 1.4 GHz processor
1 GB of RAM
Windows 2000, XP Professional or 2003 Server
At least 100 MB of free hard drive space
VFS Module Specific Requirements
At least 100Mb/s network infrastructure for VFS
FastBloc SE Module Specific Requirements One of the following IDE controller cards (Write‐blocking on‐board IDE devices are not supported with the FastBloc SE module):
Promise Ultra133 TX2
Promise SATA150 TX2plus (only the SATA adapters are supported)
Promise Ultra100 TX2
SIIG Ultra ATA/133 PCI
SIIG Ultra ATA 100 PCI RAID
Tekram Ultra ATA 100 RAID
To write‐block SCSI ports, Guidance Software has tested and recommends the following hardware:
Introduction
5
StarTech DRW150SCSIBK SCSI drive bay
Adaptec 29160 controller card
CD-DVD Module Specific Requirements A CD/DVD burner must be installed on the forensic machine. These burners are supported:
AOPEN
Plextor 712A
ASUS 0402P
Sony RU‐710A
Memorex DVD double
Toshiba R5372layer 16X w/ USB bus
Pioneer DVR‐108
Installing the EnCase Modules In order to activate one of the EnCase modules, you must have a licensed copy of the EnCase software and purchase the appropriate modules from Guidance Software. Installing the modules is completed through one of two ways:
Certificates programmed on the Security key
Certificate files for your Security key
Certificates Programmed on the Security Key If you ordered EnCase software at the same time that you ordered the modules, then your security key will be programmed with the appropriate certificates, and no other files are needed.
Certificate Files for Your Security Key If you ordered modules after you have received your v6 security key, then you will receive certificate files that are matched with your security key. The certificate activates the module within the EnCase software by comparing the security key serial number with the ID contained in the certificate. Since a certificate can contain more than one security ID, an organization may submit the IDs for several security keys, and receive a single certificate per module for all investigators to use. Before you order a certificate, determine the security key ID numbers as follows:
1.
With a security key in place, open the EnCase program
2.
On the top menu bar, click Help and select About EnCase
3.
The security key ID (Dongle ID) is listed at the bottom of the left pane
6
EnCase Version 6.12 Modules Manual
This is the number that you will need to give to Customer Service when you order your modules.
4.
When you receive the cert file from Customer Service, save the cert file to C:\Program Files\EnCase6\Certs
Verifying the Modules are Installed To verify the modules that are installed, perform the following: 1.
From the Help menu, select About EnCase.
2.
All installed modules are listed in the right pane:
Introduction
7
64-bit Module Limitations When using the 64‐bit version of the EnCase software, there are some important limitations to functionality:
EDS is not supported
PDE is not supported
VFS is not supported
The FastBloc SE module is supported, however only USB acquisitions are supported
If you have a 64‐bit computer, you may install a 32‐bit operating system and the 32‐bit version of the EnCase software to remedy the limitations.
EnCase Decryption Suite Module The EnCase Decryption Suite module allows investigators to decrypt files and folders protected by several methods:
Microsoft® Encrypting File System (EFS)
Microsoft Outlook Password‐Protected PST Files
Encrypted Windows Registry Information
PC Guardian® Encryption
SafeBoot Encryption
Utimaco SafeGuard Easy Encryption
BitLocker Encryption
WinMagic SecureDoc Encryption
GuardianEdge Hard Disk Encryption
CREDANT Encryption
S/MIME Encryption
NSF Encryption
Lotus Notes Local Encryption
The EDS module supports locally and domain authenticated users with the Microsoft EFS. The module works with the operating systems capable of encrypting data with EFS, including Windows 2000 Professional, Windows 2000 Server, Windows XP Professional, and Windows 2003 Server. For Window 2000 operating system, the EFS files and folders can be decrypted automatically if properly configured on a domain.
EnCase Physical Disk Emulator Module The Physical Disk Emulator can mount any EnCase‐supported evidence as an emulated physical device. For a list of the formats supported, please see your EnCase User Manual. Any Windows‐ supported file system can be examined in Windows as a physical device connected to the machine. If the file system is not compatible with Windows (such as ext2) the device will still appear in disk management.
8
EnCase Version 6.12 Modules Manual
PDE can be used in conjunction with VMware Workstation to boot EnCase images of hard drives mounted with PDE. This also provides investigators with the capability of sharing evidence files that have been accessed remotely. Once mounted, the read‐only media is available to native applications, Windows Explorer, or any third‐party Windows utility or computer forensic tool that recognizes local devices. Some of the functionality provided using additional software includes the following: • File carving utilities
• Steganography detectors
•Virus scan software
• Word Indexers
• Spyware detectors
• ʺUndeleteʺ software
• Trojan detectors
• Encryption detection software
EnCase Virtual File System Module The EnCase Virtual File System module allows investigators to mount computer evidence as a read‐ only offline network drive for examination through Windows Explorer. Most notably, this allows investigators many options in their examinations, including the use of third‐party tools with evidence served by the EnCase program. VFS allows the investigator to view files in Windows Explorer that would not normally be accessed by the operating system, such as mounted, deleted and file system‐level artifacts. All computer evidence and image file formats supported by the EnCase software can be mounted with VFS. For the formats supported, please see your EnCase User Manual. Live computer forensic evidence supported by VFS includes
Local machine preview of removable media
Local machine preview through the FastBloc SE module
Local machine preview through FastBloc Classic, FE, and LE hardware blockers
Cross‐over network cable preview
Local Palm Pilot preview
EnCase Enterprise Edition and Field Intelligence Model live network preview
The VFS Server feature allows investigators to serve the mounted virtual drive to other investigators, case agents, attorneys, etc., on the local area network for review in Windows Explorer.
Introduction
9
FastBloc SE Module FastBloc Software Edition provides a collection of disk controller utilities such as the same safe subject media preview and acquisition in Windows to an EnCase evidence file currently available from FastBloc hardware, and wiping and restoring of drives attached to the PCI controller card. IDE, SCSI, USB and FireWire drives attached to supported PCI controller cards are write‐blocked when configured as such by the module. Wiping and restoring of drives attached to the controller is also possible, with the logical restore retaining the same hash value as the original drive. The FastBloc SE module also allows access to HPA and DCO areas of a suspect drive in Windows (this functionality is not available using a hardware write‐blocker with the EnCase program in Windows).
CD/DVD Module With this module the user can write entries, reports and other selected data to a CD or DVD. This includes the ability to select and burn EnCase Evidence files and Logical Evidence Files, or to write them to media at acquisition.
CHAPTER 2
EnCase Decryption Suite In This Chapter
Overview
EDS Features
Product Matrix
Using EDS
Secure Storage Tab
Secure Storage Items
SafeBoot Encryption Support (Disk Encryption)
Utimaco SafeGuard Easy Encryption Support
BitLocker Encryption Support (Volume Encryption)
WinMagic SecureDoc Encryption Support
GuardianEdge Hard Disk Encryption Known Limitation
CREDANT Encryption Support (File-Based Encryption)
CREDANT Encryption Support (Offline Scenario)
S/MIME Encryption Support
NSF Encryption Support
Lotus Notes Local Encryption Support
Windows Key Architecture
Dictionary Attack
12
EnCase Version 6.12 Modules Manual
Overview EnCase Decryption Suite (EDS) enables decryption of encrypted files and folders by domain users and local users, including:
Disk and volume encryption Microsoft BitLocker GuardianEdge Encryption Anywhere GuardianEdge Plus Utimaco SafeGuard Easy McAfee SafeBoot
File based encryption Microsoft Encrypting File System (EFS) CREDANT Mobile Guardian
Mounted files PST (Microsoft Outlook) S/MIME encrypted email in PST files NSF (Lotus Notes) Protected storage (ntuser.dat) Security hive Active Directory 2003 (ntds.dit)
EDS Features Disk and Volume Encryption When an Evidence File (.E01) or a new physical disk is added to a new case, the Master Boot Record (MBR) is checked against known signatures to determine whether the respective disk is encrypted. If the disk is encrypted, EnCase asks for user credentials (see the Product Matrix on page 13 for a table listing required credentials for supported encryption products). If the correct credentials are entered, EnCase decrypts the disk. No password attacks are supported. EDS supports these disk/volume encryption products:
Microsoft BitLocker
GuardianEdge Encryption Anywhere
Utimaco SafeGuard Easy
McAfee SafeBoot
EnCase Decryption Suite
13
File Based Encryption Encryption can be applied at the file or folder level. If files or folders are encrypted, EnCase asks for credentials (see Product Matrix on page 13 for a table listing required credentials for supported encryption products). If the correct credentials are entered, EnCase decrypts the files or folders. EDS supports these file based encryption products:
Microsoft Encrypting File System (EFS)
CREDANT Mobile Guardian
Mounted Files EnCase can review mounted files and search for encrypted data. If mounted files are encrypted, EnCase asks for user credentials (see Product Matrix on page 13 for a table listing required credentials for supported encryption products). If the correct credentials are entered, EnCase decrypts the mounted files. These types of mounted files are supported:
PST (Microsoft Outlook)
NSF (Lotus Notes)
Protected storage (ntuser.dat)
Security hive
Active Directory 2003 (ntds.dit)
Product Matrix The table below shows encryption products supported by EDS and credentials you need to provide in order to use them with EnCase. Product
Password
User
GuardianEdge Encryption Plus
X
X
GuardianEdge Encryption Anywhere
X
X
Utimaco SafeGuard Easy
X
X
McAfee SafeBoot Online
X
X
SafeBoot Offline
Domain
Machine
Server
Path
Other
X
X
X
X
Algorithm
X
Algorithm
14
EnCase Version 6.12 Modules Manual
CREDANT Mobile Guardian Online
X
X
Machine CREDANT ID
X
Shield CREDANT ID
Mobile Guardian Offline
X
Microsoft BitLocker
X
Key
Microsoft Encrypting File System (EFS)
X
Keys
ZIP
X
Lotus Mail
X
ID File
S/MIME
X
PFX
X
Using EDS Analyze EFS This command scans a volume for data and processes it. You can also run Analyze EFS from the secure storage; in that instance, it runs consecutively on all volumes in a case.
EnCase Decryption Suite
15
1.
Right click the volume you want to analyze, then click Analyze EFS from the dropdown menu.
2.
The first Analyze EFS dialog displays. Click Next.
16
EnCase Version 6.12 Modules Manual
3.
The second Analyze EFS dialog displays with the Documents and Settings Path and Registry Path fields populated by default. For unusual system configurations, data disks, and other operating systems these values will be blank. You can modify them to point to the user profile folders and/or the registry path.
4.
Click Next to begin the scan.
5.
When the scan is complete, the EFS Status dialog shows statistical information on keys found and decrypted and registry passwords recovered.
EnCase Decryption Suite
17
6.
When you are done reviewing the EFS status, click Finish. Note: Analyze EFS can also pop up the Syskey and Password Recovery Disk screens.
EFS Files and Logical Evidence (L01) Files To decrypt an encrypted EFS file you need the following: 1.
The EnCase EDS module
2.
The matching $EFS stream. This is essential, since it contains the decryption key.
3.
A matching unencrypted private key. This can be the recovery agentʹs key or a userʹs key.
4.
File slack might be needed if the file size is not a multiple of 16. This is because files are decrypted in 16‐byte chunks. Note: For example, a 17-byte file needs 15 bytes of slack in order to decrypt the last chunk. Otherwise, only multiples of 16 are decrypted.
In EnCase version 6.11, the scenarios for logical evidence files are different from prior versions of EnCase: 1.
The file is encrypted and the $EFS stream is missing from the same folder within the L01: the file cannot be decrypted.
2.
The file is encrypted and the $EFS stream is in the same folder: the file can be decrypted (except for the remainder of the file, if any).
3.
The file is decrypted and the $EFS stream is missing: the file remains decrypted.
4.
The file is decrypted and the $EFS stream is in the same folder: the file will be decrypted twice. Note: The workaround in case 4 is to disable EFS or delete the private key from the secure storage.
From version 6.11 on, all the scenarios above are handled gracefully, because the $EFS stream is added internally.
If the file is encrypted, the $EFS stream is automatically stored with the file as metadata.
If the file is decrypted, the $EFS stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF. Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.
Secure Storage Tab To organize security data gathered using Analyze EFS, EnCase includes a Secure Storage tab which displays passwords, keys, and other items parsed from the system files and registry. Although the tab is always present in the interface, you must install the EDS module to enable most of the functionality.
Secure Storage Tab and EFS To populate the Secure Storage tab:
18
EnCase Version 6.12 Modules Manual
1.
Run Analyze EFS (see page 14).
2.
Select the Secure Storage tab.
3.
Click an item in the Secure Storage tree to view its contents.
Enter Items Enter Syskey You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the wizard is already completed. 1.
Right click the root entry of Secure Storage.
2.
Select Enter Items from the dropdown list, then select the Enter Syskey tab.
3.
Select the location of the Syskey (for example, a file path or a floppy disk) or enter the password manually.
4.
Click OK.
EnCase Decryption Suite
19
User Password If you know the userʹs password: 1.
Right click the root entry of Secure Storage.
2.
Select Enter Items from the dropdown list, then select the User Password tab.
3.
Enter the password.
4.
Click OK.
If the Syskey is protected and you do not know the password, an attack on the SAM file for user passwords will not be successful. This is a rare situation. Most Windows machines will not have a protected Syskey. EDS includes a dictionary attack option to get past a protected Syskey. You can obtain dictionary files from a number of sources. To access setup, right click the root of Secure Storage and select Dictionary Attack. During the Analyze EFS scanning of the registry, EnCase alerts you if the Syskey is password protected or has been exported to a floppy disk. In these cases, the Analyze EFS wizard prompts you to enter the Syskey password and/or insert the floppy disk containing the Syskey or browse to the Syskey file location. The Syskey file is called startkey.key, and you should examine any floppy disks collected at a scene for the presence of this file. If the Syskey file is recovered on a floppy disk, it can be copied/unerased from EnCase to the examination machine, and you can browse to the startkey.key location. This process is the same as when you use the Password Recovery Disk.
Password Recovery Disk Windows XP and 2003 Server enable local users to create a recovery disk containing their encrypted password. The disk is designed to allow users to reset their password if they forget it, without losing all of their EFS encrypted files and other important security credentials. The file is called userkey.psw, and you should examine floppy diskettes recovered at the scene for the presence of this file. 1.
With the floppy disk inserted, or the file copied to a hard drive, right click the root entry of Secure Storage.
20
EnCase Version 6.12 Modules Manual
2.
Select Enter Items from the dropdown list, then select the Password Recovery Disk tab.
3.
Click the option button, File or Floppy, where the file is located.
4.
Enter the path or browse to it, then click OK.
Private Key File If the logon password is unavailable, you can obtain the Domain Administratorʹs private key (PFX). This also works for the userʹs key. To export and use the key: 1.
As Domain Administrator, double click C:\Windows\system32\certmgr.msc to launch the Microsoft Management Console.
2.
Locate the Certificates folder containing the Domain Administratorʹs certificate.
3.
Right click the certificate.
4.
From the All Tasks menu, click Export.
5.
In the Certificate Export Wizard, click Next.
6.
Click Yes, export the private key, then click Next.
7.
Accept the default for the export file format, then click Next.
8.
Select a path and name the key (this assigns a .PFX extension), then click Next.
9.
When prompted, note the password entered.
Note: The password cannot be left blank. It is needed when using the key.
10. Click Next. A confirmation window shows details about the export. 11. Click Finish to complete the export. 12. Right click the root entry of Secure Storage. 13. Select Enter Items from the dropdown list, then select the Private Key File tab.
EnCase Decryption Suite
21
14. Enter the path or browse to it.
15. Enter the Password in the next prompt, then click OK. A status screen confirms successful completion and the Private Key displays in the Secure Storage tab.
Enter Mail Certificate You can enter a .PFX certificate to use for decrypting S/MIME‐encrypted emails found in PST files. 1.
Right click the root entry of Secure Storage.
2.
Select Enter Items from the dropdown list, then select the Enter Mail Certificate tab.
3.
Enter the path to the .PFX certificate and the password.
4.
Click OK.
5.
The .PFX cert is decrypted and stored in Secure Storage.
Associate Selected To associate *nix users with volumes:
1.
Select the Secure Storage tab.
2.
Click the check box next to the item or items you want to associate.
3.
Right click a checked item.
22
EnCase Version 6.12 Modules Manual
4.
Select Associate Selected from the dropdown list.
5.
The Associate dialog displays.
6.
Expand the Volumes tree and select the volumes you want to associate.
7.
Click OK.
EnCase Decryption Suite
23
Secure Storage Items In the Report tab of the View pane you can see details about the currently selected item in the secure storage. The Text and Hex views show the raw data. These items have the following properties:
Name
Encrypted
Type
Subtype
Password
Password Type
The following items are of interest: Aliases: These are Security Identifiers (SIDs) that point to one or more SID entities. They have a name and a comment. Groups: SIDs that point to one or more SID entities. They have a name and a comment. These are defined groups such as Administrators and Guests. SAM Users: These are Local Users. The details are listed in the report tab of the View pane. Passwords: Found and examiner added passwords appear here. Net Logons: These are Local Users. The details are listed in the report tab of the View pane. Nix User/Group: Unix users/groups Lotus: Lotus Notes Email Certificates: These are used for S/MIME decryption and signature verification. Disk Credentials: Persistent key cache for disk/volume encryption products Master Keys: Every user with a private key has a master key that protects it. The master key itself is encrypted with a hash of the user’s Windows password. Private Keys: Used in the decryption of EFS files Internet Explorer (IE) Passwords: Passwords from IE 6 Policy Secrets: These are LSA secrets. They include the default password and passwords for services. Some of these secrets are not passwords but binary data placed there by the system and applications. SAM Keys/Policy Keys/Dpapi/CERT: For internal use
SafeBoot Encryption Support (Disk Encryption) EnCase provides a way for you to view SafeBoot encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled. Note: If no EDS cert is found or the integration Dlls are not properly installed, the physical device will mount, but the encrypted file structure cannot be parsed. Since SafeBoot overwrites the original MBR only for the boot disk, always preview the boot disk first and then any other disk in a multi-disk machine configuration.
1.
Use the Add Device Wizard to add the physical device.
24
EnCase Version 6.12 Modules Manual
2.
When prompted, select the appropriate encryption algorithm from the list, then enter a user name, server name, machine name, and password when in online mode.
The SafeBoot encrypted drive is parsed. The offline dialog is similar. The Online check box is blank and only the Machine Name, Transfer Database field, and Algorithm are available:
3.
Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.
EnCase Decryption Suite
25
This illustration shows results of a successful decryption. The Tree pane shows a SafeBoot folder, the Table pane contains a list of decrypted files while the Text pane shows contents of a decrypted file.
4.
The next figure shows the same files as they appear encrypted.
26
EnCase Version 6.12 Modules Manual
Supported SafeBoot Encryption Algorithms EnCaseʹs SafeBoot decryption feature supports these encryption algorithms:
AES256 FIPS
AES256
DES
RC5 ‐ 12 Rounds
RC5 ‐ 18 Rounds
Utimaco SafeGuard Easy Encryption Support EnCase provides a way for you to view SafeGuard Easy (SGE) encrypted hard drives during an investigation. This feature is only available to a user with an EDS cert enabled. Note: If no EDS cert is found or the integration DLLs are not properly installed, the physical device will mount, but the encrypted file structure cannot be parsed. Since SafeGuard Easy overwrites the original MBR only for the boot disk, only the boot disk can be decrypted in EnCase.
1.
Use the Add Device Wizard to add the physical device.
2.
EnCase detects the device and displays a user name and password dialog.
3.
Enter a valid user name and password when in online mode.
4.
Click OK.
5.
Once a successful decryption is complete, save the case. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to enter them again.
Note: If the password is empty, the Challenge/Response wizard opens. For more information, see Utimaco Challenge/Response Support on page 27.
Supported Utimaco SafeGuard Easy Encryption Algorithms EnCaseʹs Utimaco SafeGuard Easy decryption feature supports these encryption algorithms:
EnCase Decryption Suite
27
AES192
AES256
DES
3DES
Utimaco Challenge/Response Support Utimaco has an alternate method for decrypting their data using a challenge/response code. Once the code is authenticated, EnCase returns the key and any additional data (such as encrypted sectors) necessary to decrypt the data. 1.
In the SGE credentials dialog, enter a user name but leave the password blank.
2.
Click OK.
3.
A Challenge Response dialog displays with the challenge code in blue. Keep this dialog open while performing the next steps.
28
EnCase Version 6.12 Modules Manual
4.
Log in as Administrator. On the Windows Start page, click All Programs→Utimaco→SafeGuard Easy→Response Code Wizard.
5.
The Welcome dialog displays.
EnCase Decryption Suite
6.
Click Next to begin generating a one time password (OTP). The Authorization Account dialog displays.
7.
Click Next. The Remote User ID dialog displays.
8.
Enter the User ID that was used to derive the challenge code, then click Next.
29
30
EnCase Version 6.12 Modules Manual
9.
The Challenge Code dialog displays. Enter the challenge code generated by EnCase from step 3.
10. Click Next. The Remote Command dialog displays.
11. Select One time logon, then click Next.
EnCase Decryption Suite
12. The Summary dialog displays with the response code in blue.
13. In the EnCase dialog from step 3, select the code length and enter the response code to enable decryption of the selected encrypted evidence.
14. Click OK. 15. In the Summary dialog from step 12 , click Close to close the SafeGuard Easy Response Code Wizard, or click New to generate a new response code from a different challenge code.
31
32
EnCase Version 6.12 Modules Manual
Utimaco SafeGuard Easy Encryption Known Limitation Utimaco SafeGuard Easy treats a machine with multiple hard drives as one hard drive consisting of all sectors of all physical hard drives. In contrast, EnCase examines each hard drive individually. This creates a problem:
SafeGuard Easy overwrites only the Master Boot Record (MBR) of the boot disk
Only the boot disk is detected as encrypted and then decrypted (given the correct credentials are entered)
This means EnCase support for SafeGuard Easy is limited to decrypting only the boot disk, because this is the only drive detected as encrypted by examining the MBR.
Workarounds There are two workarounds for this problem. The first solution: 1.
Obtain both disks. The internal disk holding the SafeGuard Easy kernel (disk 1) The external, i.e., non‐bootable disk (disk 2)
2.
Open the kernel on disk 1. You can then access disk 2.
The second solution: 1.
Obtain a SafeGuard Enterprise (SGN) kernel backup file of disk 1.
2.
Restore disk 1 to an empty disk.
3.
Add the non‐bootable disk as disk 2. The information in the newly restored kernel gives you access to disk 2.
BitLocker Encryption Support (Volume Encryption) Microsoftʹs BitLocker is available in Windows Vista Enterprise and Ultimate editions. It encrypts an entire volume using one of three modes to store the encryption key:
Transparent operation mode (requires Trusted Platform Module [TPM])
User Authentication mode (requires TPM)
USB Key mode (does not require TPM)
When BitLocker is enabled, a large file is created that holds all of unallocated (UAC) space, minus 6 Gigabytes.
Recovery Key and Recovery Password Files The recovery key is a file with a GUID name (for example, 67FA3445‐29D7‐4AB5‐8D0F‐ 7F69B88D1C04.BEK). The recovery password is an Advanced Encryption Standard (AES) 256 key in plain text (.TXT).
EnCase Decryption Suite
33
These keys are matched by Volume GUID and Key Protector GUID and are usually stored on a removable flash drive.
Decrypting a BitLocker Encrypted Device Using Recovery Key 1.
Add a BitLocker encrypted device into EnCase using Add Device or drop and drag.
2.
The BitLocker Credentials dialog displays.
3.
The Recovery Key option button is selected by default. Browse to the location of the .BEK recovery key.
4.
Click OK.
Decrypting a BitLocker Encrypted Device Using Recovery Password 1.
Add a BitLocker encrypted device into EnCase using Add Device or drop and drag.
34
EnCase Version 6.12 Modules Manual
2.
The BitLocker Credentials dialog displays.
3.
Select the Recovery Password option button, then enter the recovery password.
4.
Click OK.
After successful authentication, EnCase saves credentials in Secure Storage, so you do not have to re‐enter them the next time you open the saved case.
WinMagic SecureDoc Encryption Support You can access the hard drive of a system encrypted with SecureDoc software. EnCase supports SecureDoc version 4.5 and above.
EnCase Decryption Suite
35
There are three ways to add SecureDoc disks to EnCase:
Preview the hard drive
Use the Add Device Wizard
Drag evidence files into EnCase
Once you preview a machineʹs disk or open an evidence file, the Master Boot Record (MBR) is checked against known signatures to determine whether the disk is encrypted. The SecureDoc signature is WMSD.
Each SecureDoc user has a key file which can contain multiple keys encrypted using a password associated with the file. SecureDoc users have either administrator or user privileges.
Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
Users can only change their passwords
An installer is provided to place these integration DLLs in %ENCASE%\Lib\WinMagic\SecureDoc:
SDForensic.dll
SDC.dll
SDUser.dll Note: The integration is supported on the 32-bit version of EnCase.
1.
When adding a SecureDoc disk, Encase prompts for three credentials:
a. The path to the file containing the user keys (extension .dbk) b. The password associated with the key file
36
EnCase Version 6.12 Modules Manual
c. The path to the emergency disk folder corresponding to the physical disk under examination
2.
Enter the credentials, then click OK.
3.
If the credentials are correct, EnCase decrypts the disk and parses the file system structure.
4.
When you save the case, the ranges of encrypted sectors and the original MBR are retained in the case file for previewed drives as well as evidence files.
The disk view shows encrypted information in the Text and Hex panes for encrypted drives. The disk view shows decrypted information in the Text and Hex panes for decrypted drives.
Acquiring the Device A local acquisition at the physical device level results in acquisition of all decrypted logical volumes. An enterprise acquisition at the physical device level results in acquisition of all sectors in an encrypted state. Note: To obtain decrypted data, perform a local acquisition on the result of the remote acquisition.
Note: SecureDoc 4.5 does not allow for enabling the SCSI_PASS_THROUGH; because of this, every sector's data is decrypted by SecureDoc's filter driver during a physical acquisition.
You can acquire either:
All logical volumes by acquiring at the physical level
An individual logical volume by acquiring at the logical level
The completed acquisition contains the decrypted volumes. You do not need a password to view the file structure.
EnCase Decryption Suite
37
GuardianEdge Hard Disk Encryption Known Limitation With GuardianEdge Hard Disk Encryption (GEHD) version 8.6 and higher, you cannot use client administrator credentials to authenticate to a physical drive in EnCase. While adding the physical hard drive (as opposed to a logical acquisition), an authentication screen displays. If you enter the client administrator account, password, and domain, the authentication screen displays repeatedly without going to the next step. Because GEHD has domainless client administrators, you need to use a default field for the domain: 1.
2.
Make sure you have the EnCase Decryption Suite module with PC Guardian support installed (Help→About EnCase).
In the domain field, enter EA#DOMAIN as the client administrator account.
For more information, see Knowledge Base article 00002281 in the GuardianEdge Customer Support Portal (https://na4.salesforce.com/sserv/login.jsp?orgId=00D300000001ZQU).
CREDANT Encryption Support (File-Based Encryption) EnCase provides a way for you to access CREDANT‐encrypted data on Windows devices. Note: You can obtain the CREDANT API installer from CREDANT Technical Support. Install it, then begin the examination.
EnCase reviews your mounted files and looks for CREDANT‐encrypted data (CredDB.CEF file). If it finds this data, a logon dialog displays.
38
EnCase Version 6.12 Modules Manual
1.
The dialog populates with a known user name and password, Server, Machine ID, and the Shield CREDANT ID (SCID). CREDANT files are processed and decrypted with no further interaction, given that the credentials are correct.
EnCase Decryption Suite
39
The offline dialog is similar. The Online check box is blank and the Machine ID and SCID fields are unavailable.
2.
Save the case once a successful decryption is complete. The credentials entered in the dialog are stored in Secure Storage, eliminating the need to re‐enter them.
The illustration below shows results of a successful decryption:
40
EnCase Version 6.12 Modules Manual
The Tree pane shows a CREDANT folder
The Table pane contains a list of decrypted files
The Text pane shows contents of a decrypted file
The next illustration shows the same files as they appear unencrypted.
EnCase Decryption Suite
41
Supported CREDANT Encryption Algorithms EnCaseʹs CREDANT decryption feature supports these encryption algorithms:
AES128
AES256
3DES
Rijndael 128
Rijndael 256
Blowfish
CREDANT Encryption Support (Offline Scenario) If the machine to be investigated is not on the network with the CREDANT server, you must obtain the CREDANT keys and store them in a location accessible to the Examiner machine. Before you begin: You must install the CREDANT Library Installer to run the utility with the appropriate DLLs. You can obtain the installer from CREDANT technical support. You must have EnCase Decryption Suite installed on the Examiner dongle that will decrypt the CREDANT‐encrypted data. You must obtain the URL for the CREDANT Mobile Guardian (CMG) Device Server. You must obtain an Administrator username and password. The CREDANT administrator must have Forensic Administrator privileges, as specified in the CMG Server Web Interface for CMG v5.4 and later servers. The administrator must have Security Administrator privileges for the v5.3 server. You must obtain the Administratorʹs login domain (for CMG 6.0 and later servers only), the Machine ID for the target device (MUID), the Shield CREDANT ID (SCID), the Username that the key material is being downloaded for, and the Password to use to encrypt the output .bin file.
1.
At a computer that has communication to the CREDANT Server, run the utility CEGetbundle.exe from the Windows command prompt. CEGetBundle.exe is supplied by CREDANT in the CREDANT Library Installer, which also installs the DLLs necessary for the decryption. Copy the integration DLLs and MAC file to the target device as well.
2.
Supply the parameters as follows: CEGetBundle [‐L] XURL ‐aAdminName ‐AAdminPwd [‐ DAdminDomain] [‐dDuid] [‐sScid] [‐uUsername] ‐oOutputFile ‐oOutputFile ‐IOutputPwd -L
Legacy mode for working with pre 5.4 server installs
URL
Device Server URL (e.g., https://xserver.credant.com:8081/xapi)
AdminName
Administrator user name
AdminPwd
Administrator password
42
EnCase Version 6.12 Modules Manual
AdminDomain
Administrator domain (optional: required only if the CMG Server is configured to support multiple domains)
MUID
Machine ID for the target device (also known as the Unique ID or hostname)
SCID
Shield CREDANT ID (also known as DCID or Device ID)
Username
Name of the forensic administrator
OutputFile
File to save the key material in
OutputPwd
Password to encrypt output file
Here is a command example: cegetbundle ‐L ‐Xʺhttps://CredantServer:8081/xapiʺ ‐ aʺAdministratorʺ ‐Achangeit ‐dʺCredantWorkstation.Credant.localʺ ‐sCI7M22CU ‐ uʺAdministratorʺ ‐oʺC:\CredantUserKeys.binʺ ‐iChangeIt 3.
Place the .bin file downloaded from the CREDANT server in a path accessible from the Examiner machine. Open EnCase and create a new case or open an existing one. You must have EnCase Decryption Suite installed on the Examiner machine that decrypts the CREDANT‐encrypted data. Note: In legacy mode, you must execute this utility for each user targeted for investigation on the target device while specifying the same output file. The keys for each user are appended to this output file.
4.
Acquire a device with CREDANT encrypted files, or load an evidence file into the case. The Enter Credentials dialog displays, prompting you for only the Username, Password, Server/Offline Server File, Machine ID, and Shield CREDANT ID (SCID) information. Note: In Offline mode, the only information you must provide is the Password and Server/Offline Server File (full path and filename to the .bin file downloaded using the CEGetBundle.exe utility).
When EnCase decrypts CREDANT encrypted files, the key information is placed in Secure Storage in EnCase, and saved with the case. You do not have to re‐enter this information.
CREDANT Files and Logical Evidence (L01) Files To decrypt an encrypted EFS file you need the following: 1.
The EnCase EDS module
2.
The CredDb.CEF file residing in the folder. This is essential, since it contains the information to get to the decryption key.
In EnCase versions prior to 6.12, there are different scenarios from logical evidence files from prior versions of EnCase:
1.
The file is encrypted and the CredDB.CEF file is missing from the same folder within the L01: the file cannot be decrypted.
2.
The file is encrypted and the CredDB.CEF file is in the same folder: the file can be decrypted.
3.
The file is decrypted and the CredDB.CEF file is missing: the file remains decrypted.
EnCase Decryption Suite
43
4.
The file is decrypted and the CredDB.CEF stream is in the same folder: the file will be decrypted twice. Note: The workaround in case 4 is to cancel the CREDANT Credentials dialog or delete the CREDANT keys from the secure storage.
From version 6.12 on, all the scenarios above are handled gracefully, because the CredDB.CEF file is added internally.
If the file is encrypted, the CredDB.CEF stream is automatically stored with the file as metadata.
If the file is decrypted, the CredDB.CEF stream is not automatically stored, as it is not needed. This does not prevent you from storing the stream by specifically saving it to the LEF. Note: If an encrypted file is decrypted and added, this is noted and displayed in the report.
S/MIME Encryption Support The EnCase S/MIME Encryption Support provides the ability to decrypt S/MIME‐encrypted emails found in PST files. Email sent or received with the file extensions .pst, mbox and .edb support the S/MIME PKCS #7 standard. You must have PFX (PKCS 12 standard) certificates installed prior to parsing. PST, EDB, and MBOX mail containers are supported. To decrypt S/MIME data: 1.
Open or create a case and enter Secure Storage.
2.
Right click on a folder in the left pane. A dropdown menu displays.
44
EnCase Version 6.12 Modules Manual
3.
Select Enter Items. The Enter Items dialog displays.
4.
Select the Enter Mail Certificate tab. Note: The only allowed certificate format is .PFX.
5.
Enter the path to the PFX certificate and the password, then click OK.
The PFX cert is decrypted and stored in Secure Storage. S/MIME decryption and signature verification happens in the background. Given the proper password, the certificate is stored in Secure Storage under E‐Mail Certificates folder. After you import the required certificates into Secure Storage, you can parse the email container files using the View File Structure feature in the Entry View.
EnCase Decryption Suite
45
S/MIME Email Certificate contents are displayed like this in Secure Storage:
46
EnCase Version 6.12 Modules Manual
When parsing is complete and successful a directory list displays. In the illustration, the folder is entitled smime.p7m (S/MIME data comes as an attachment of the email). In Entries view, the text of the email is shown in the Text pane while the emailʹs attachments appear in the Table pane.
EnCase Decryption Suite
47
View and work with content in the Records tab.
Troubleshooting a Failed S/MIME Decryption If decryption fails, you can compare Entries view with Records view to try to find the error.
48
EnCase Version 6.12 Modules Manual
Entries view:
Records view:
EnCase Decryption Suite
49
Decrypting S/MIME Emails in an Evidence File Created in Windows Vista You cannot decrypt S/MIME emails in an evidence file created in Windows Vista using an examiner installed on Windows XP or earlier. This is because CryptoAPI on Vista (Crypto Next Generation, or CNG) is not yet supported on XP. So if an evidence file created in Vista contains S/MIME emails, you should perform the examination to decrypt them on a Vista machine as well, given that proper certificates are available.
NSF Encryption Support The Lotus Notes email client has security built into the product. Notes was the first widely adopted software product to use public key cryptography for client‐server and server‐server authentication and for encryption of data, and it remains the product with the largest installed base of PKI users. The EnCase® Suite can decrypt encrypted NSF documents and send them to recipients within the same Domino server. Each server user has an ID file that contains a userʹs:
encrypted private key
public key
password information
password recovery information
It also has an NSF file that represents the userʹs mailbox in 8.3 format in the default path \data\mail\.nsf.
Recovering NSF Passwords To retrieve the recovery password, you must have proper administrative rights on the Domino server.
50
EnCase Version 6.12 Modules Manual
1.
Open the Domino Server.
2.
Log in as the server administrator.
3.
Click OK. The password ID list displays.
4.
Click OK.
EnCase Decryption Suite
51
The recovery password displays.
5.
Click OK and define users authorized to generate recovery passwords.
Lotus Notes Local Encryption Support EnCase can decrypt a local Lotus Notes user mailbox (NSF file suffix). The local mailbox is a replica of the corresponding encrypted mailbox on the Domino server. Each Domino server user has a corresponding NSF file representing that userʹs mailbox in 8.3 format. The default path is \Data\Mail\.nsf. The Lotus Notes client is set up to use the local mailbox. Synchronization between the local and server mailboxes occurs according to a replication schedule determined by the Domino administrator. Encryption of the local mailbox is not mandatory but it is advisable, because without encryption a person familiar with the NSF file structure could read email without needing Lotus Notes. Encryption occurs at block level.
Determining Local Mailbox Encryption Look in the header (the first 0x400 bytes) at offset 0x282. If the byte is 0x1, the mailbox is locally encrypted.
Parsing a Locally Encrypted Mailbox 1.
Obtain the corresponding ID file from the Domino server. All user ID files are backed up on the server either on disk as a file or in the Domino directory as an attachment to email.
52
EnCase Version 6.12 Modules Manual
2.
Parse it using View File Structure, so that the private key is inserted in Secure Storage.
Encrypted Block The example below shows an encrypted block at offset 0x22000:
The decryption algorithm uses a seed that is based on the basic seed from the header and the block offset.
EnCase Decryption Suite
Decrypted Block Here is an example of a decrypted object map at offset 0x22000:
53
54
EnCase Version 6.12 Modules Manual
Locally Encrypted NSF Parsing Results A successfully parsed locally encrypted NSF looks like this in Entry view:
EnCase Decryption Suite
55
If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated with the data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty:
56
EnCase Version 6.12 Modules Manual
Windows Key Architecture Windows has an elaborate key protection mechanism. The Syskey protects the policy key, the SAM key, and others. These keys protect the user’s password hashes.
In Windows 2000, however, the Master Key is protected by the user’s password hash with a mechanism that slows down any attack. The Master Key protects the user’s private key. And the user’s private key protects a key within the $EFS stream that allows for decryption of the EFS encrypted file.
Dictionary Attack Software implementing this method normally uses a text file containing a large number of passwords and phrases. Each is tried in turn in the hope that one of the words or phrases in the file will decrypt the data involved. A large number of dictionary files (sometimes called word lists) are on the Internet, or you can create your own list. Creating your own list may be preferable if the person under investigation has a particular interest, such as football. There are freeware utilities on the Internet you can use to create a dictionary from combinations of letters, numbers, and characters up to a predefined length. Free Wordlist Generator (http://www.soft82.com/download/windows/free‐wordlist‐generator/) is one example. EDS can attack NT based user account passwords and cached net logon passwords using a dictionary attack.
EnCase Decryption Suite
57
Built-in Attack Specific items do have associated passwords. If they are not automatically retrieved, you can use a trial and error mechanism. This may or may not succeed.
Items that can be Attacked
Local users
Network users that logged on (cached domain users)
Syskey (password mode only)
Master Key, if the user’s SAM or domain cache can’t be accessed (due to corruption, account deletion or Syskey protection). This is much slower than attacking the Local/Network Users
External Attack Local users can be attacked with third party tools. There are freeware tools, and their performance is much greater than EnCase because they can run on many computers at the same time and/or use rainbow tables. EnCase can export the local user’s password hashes in the PWDUMP format that most tools read. This is done from the User List.
58
EnCase Version 6.12 Modules Manual
User List
The User List of Secure Storage shows Local Users, Domain Users, Nix Users, and/or Nix Groups from the local machine or evidence file. Information such as:
last logon date
user SID
NT hash
LanManager hash
is also associated with each account
Integrated Attack There are three different sources for words to be tested:
Internal passwords: These are the password items in the secure storage
Dictionary words: The dictionary is a plain text file that can be in ANSI‐Latin1 or UTF16. Every word needs to be on its own line (it can contain any character, including spaces).
Brute force: Automatically generates words from an alphabet with a length in a given range
There are four “mutators” that can be applied:
EnCase Decryption Suite
59
Toggle Case: Tries all the upper/lower case variations
Append Digits
Prepend Digits
Combine Words: The words are combined with each other. For example, if the dictionary contains the words ʺoldʺ and ʺdogʺ, the result is these four words: old dog olddog dogold
Brute Force Attack A brute force attack works by trying to identify a password or passphrase by testing all possible combinations of the characters of an alphabet. This alpahbet is in the text file pointed to by the ʺalphabet path”. This is a is a plain text file that can be in ANSI‐Latin1 or UTF16, where the first line uses all the characters. This can generate massive amounts of words to test. An example of an alphabet path is “abcdefghijklmnopqrstuvwxyz01234567890‐( )“. Depending on the settings, a dictionary attack can test thousands of passwords contained in a dictionary file in a very brief time frame. It is usual to try a dictionary attack first and then progress to a brute force attack if the password(s) cannot be found. Any information concerning the possible structure/character length of the password helps dramatically.
CHAPTER 3
Physical Disk Emulator In This Chapter
What is the Physical Disk Emulator?
Using Physical Disk Emulator
Third-Party Tools
Boot Evidence Files and Live Systems with VMware
VMware/EnCase PDE FAQs
PDE Troubleshooting
62
EnCase Version 6.12 Modules Manual
What is the Physical Disk Emulator? The EnCase® Physical Disk Emulator (PDE) module allows investigators to mount computer evidence as a local drive for examination through Windows Explorer. The power of this feature is well articulated in many forums. Most notably, this allows investigators many options in their examinations, including the use of third‐party tools with evidence served by the EnCase program. We are committed to the concept of providing an integrated product to our customers. Third‐party tools continue to be developed to complement the core functions and features of the EnCase program, and we encourage their creation and use. PDE allows third‐party access to all supported computer evidence and file system formats. The EnCase program continues its evolution towards becoming a server of forensic data, whether in an image file, a preview of an offline computer or hard drive, or a live machine on a network.
Evidence File Formats Supported by EnCase PDE EnCase PDE supports mounting of individual image files of hard drives and CDs, but not images or previews of the local forensic machineʹs hard drive. All Image file formats and file systems that are supported by the EnCase software can be mounted with PDE. In addition, the following live computer forensic evidence is supported by PDE:
Local machine preview of CDs
Local machine preview of evidence hard drives through FastBloc® FE and LE hardware write‐blocking devices
Crossover cable network preview of hard drives and CDs
Parallel port preview of hard drives and CDs
EnCase Enterprise and Field Intelligence Model (FIM) live network preview of hard drives and CDs
Using Physical Disk Emulator Do not, under any circumstances, attempt to use PDE to mount EnCase images or previews of the local forensic hard drives. Windows will blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.
Starting Physical Disk Emulator To mount a device using the Physical Disk Emulator, you must add a physical or logical disk image to a case in the Entries subtab under Cases. PDE can only mount physical devices or volumes. If you select a menu item from a non‐mountable level, the PDE configuration is limited to client mode.
Physical Disk Emulator
Using PDE 1.
Right‐click the logical or physical drive, and select Mount as Emulated Disk.
2.
The Mount as Emulated Disk dialog displays.
Configuring the PDE Client PDE assigns a local port the first time you run PDE. Afterwards the port number is disabled and you cannot change it. To assign a new port number, close the Windows session and restart. PDE does not use any other options in the Server Info tab.
63
64
EnCase Version 6.12 Modules Manual
To specify cache and CD options, click the Client Info tab.
Cache Options If a physical device or volume (not a CD) is selected, decide whether to cache data. By default, caching is disabled. Use the write cache if programs need to access the files in an emulated read/write mode. If cache is enabled, changes made by programs are sent to a separate cache file specified on your local system. 1.
To create a new write cache file an EnCase Differential Evidence File, clear the Disable caching check box.
2.
Select Create new cache in the Cache Type group and specify a Write cache path.
3.
Select Use existing cache and ensure the existing write cache file is specified in the Write cache path field.
If you choose to use an existing cache path, make sure to use a write cache file that was created with the evidence you are currently mounting. Caching is necessary for PDE to function with VMware. In this state, Windows caches file deletions and additions. This is used to boot the drive with VMware as described later in this section. Caching is also necessary when mounting certain volume types. [Placeholder for screenshot]
CD Options If a CD is mounted, the CD Session to view option is enabled to specify which session on a multi‐ session CD should display in Windows. The default session is the last session on the active CD, which is the one normally seen by Windows.
1.
To view a prior session, select that here.
2.
Click OK to continue.
Physical Disk Emulator
65
3.
If a message displays saying the software you are installing has not passed the Windows Logo test, click Continue Anyway. This allows Windows to add the evidence file as a drive with its own drive letter.
If using VMware, you need the physical Device Number.
Verify that the evidence file has been mounted with a drive letter by browsing in Windows Explorer. With the drive letter, you can apply third‐party tools. When the share is created, a sharing (hand) icon appears on the device in the interface.
Mounting Non-Windows Devices Devices with file systems other than NTFS or FAT can be mounted using PDE; however, the volume cannot be seen by Windows (although the physical device can be seen in Disk Management). The process to mount such a device is the same as that used to mount an NTFS or FAT device.
Accessing the Local Disk in Windows Explorer After mounting the disk with PDE in the EnCase interface, open Windows Explorer. The new volume is represented with a hard drive icon, assigned a volume letter, and labeled as a local disk. Browse the mounted drive in Windows Explorer:
To open hidden files, Enable Show hidden files and folders in Windows Explorer by selecting Folder Options in the Tools menu
To view deleted and system files and unallocated clusters, or to mount the evidence file use the EnCase Virtual File System module
Files and folders on the mounted device can be accessed in Windows in the same manner as if the device were an additional drive, although changes will be written to cache (if in use) instead of to the device itself.
Saving and Dismounting the Emulated Disk If write caching is enabled when mounting the device, you can save virtual changes made to the evidence file. 1.
In the EnCase interface, right‐click the drive mounted using PDE.
2.
Select Save emulated disk state.
66
EnCase Version 6.12 Modules Manual
The cache is saved in the path specified for write caching. Each time after the initial save, an instance number is appended to the cache file. These cache files can later be used to remount the evidence in its saved state, but you must have all of the preceding cache files, located in the same directory. To end the emulation: 1.
Double‐click the flashing Physical Disk Emulator indicator in the lower right of the application window.
2.
Click Yes in the Thread Status window to cancel the disk emulation.
If caching is enabled when mounting evidence, this screen displays:
The purpose of the final cache is to create a compressed and merged Differential Evidence File (*.D01) containing the cached data. With the Save Emulated Disk State option selected, there are multiple cache files for the same mounted evidence session. The final cache merges all these files. If there is no need to save the final file, select Discard final cache. Use the Differential Evidence File to open the evidence file and view the emulated disk with the cached changes applied. To apply the cached data: 1.
Right‐click the device.
2.
Select Mount as Emulated Disk.
3.
Click the Client Info tab.
4.
Clear the Disable caching check box.
5.
Select Use existing cache.
6.
Browse in the Write cache path field to find the *.D01 file. After the disk mounts, Windows Explorer reflects the cached changes.
When the device is dismounted, a status screen informs whether the disk was dismounted successfully.
Physical Disk Emulator
67
Closing and Changing the Emulated Disk To mount a different drive, first dismount the currently emulated drive as previously described. You can then set a new mount point. Be sure to dismount evidence that is served through PDE before exiting. A reminder message appears if you attempt to close the case or the EnCase program while evidence is mounted with PDE.
Temporary Files Reminder EnCase Forensic, Enterprise and FIM allow investigators to redirect temporary files to a Temp/Trash folder on a secondary hard drive for faster clean‐up after an examination, and to prevent confidential or contraband materials from being redirected by Windows to the investigatorʹs own temp folder on the operating system drive. When opening a file mounted with PDE in Windows Explorer with a third‐party tool, the Windows operating system controls the temporary file creation on the operating system drive, and any necessary post‐examination cleanup is more laborious.
Third-Party Tools Investigators with the PDE Module can use Windows Explorer to browse the structure of computer evidence. They can also utilize third‐party tools capable of requesting and interpreting data from Windows Explorer to examine evidence outside the EnCase program. Guidance Software® does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.
Using Third-Party Tools The third‐party tools and viewers available to the investigator for forensic examination are now greatly expanded with EnCase PDE. To use a third‐party tool, open the file as follows: 1.
Double‐click a file served by PDE to have Windows Explorer request and receive the data from the EnCase software.
2.
Open the data with the assigned program according to the file extension.
Quick View Plus A popular viewing program is Quick View Plus, which allows the investigator to view dozens of file formats without the native applications installed on the examination machine.
Malware Scanning A common use for EnCase PDE is to mount computer evidence for scanning for viruses, Trojans, and other malware programs. First, mount the drive or volume from the evidence file through PDE. In Windows Explorer, select the newly mounted drive (in this case, F:). If an antivirus program is installed and integrated with Windows Explorer, it can be used to scan for viruses. The program reads the emulated disk presented to Windows Explorer. The EnCase program serves the requested data to Windows Explorer, and then to the program for scanning.
68
EnCase Version 6.12 Modules Manual
Boot Evidence Files and Live Systems with VMware Initial Preparation For the Physical Disk Emulator to work properly, VMware version 4.5.1, build 7568 or later is required. To use VMware to mount an evidence file: 1.
Determine the operating system of the subject evidence file using the following methods:
a. Use the Windows Initialize Case module from the Case Processor EnScript® program to determine the operating system.
b. Check the contents of the boot.ini file, which is located on the partition root. c. Examine the folder structure, noting the following: Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings folder for user profiles and folders. Windows NT and 2000 use the C:\WINNT folder for the system root. Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root. 2.
Mount the physical disk containing the operating system using Physical Disk Emulator. Make sure to enable caching
3.
Determine what physical disk number has been assigned to it using one of these methods: This information is provided when the device is mounted. Select the Disk Management option by right‐clicking My Computer in Windows, then select Manage.
There is currently an issue with VMware that prohibits VMware from booting a virtual machine located on a physical disk that is preceded numerically by a SCSI, FireWire, or USB drive. For best results, ensure that only IDE drives are plugged into the machine when you choose to mount as an emulated disk in the EnCase interface. This is easy to verify in Disk Management. If you encounter a message stating, "The specified device is not a valid physical disk device", it is most likely as a result of this issue. Do not use PDE to mount drives in an evidence file or preview of the local computer. Windows, particularly XP, will blue screen if it detects multiple instances of the same drive. Use only evidence files of other machines.
New Virtual Machine Wizard To boot evidence files using VMware:
1.
After you have gathered the needed information, launch VMware.
2.
Select New Virtual Machine from the File menu.
3.
At the New Virtual Machine Wizard screen, click Next.
Physical Disk Emulator
69
4.
4. Select Custom, then click Next.
5.
Select the appropriate Guest Operating System radio button.
6.
Select an operating system from the Version drop‐down menu to identify the operating system version installed on the evidence file, then Next.
7.
In the Name the Virtual Machine dialog, enter a virtual machine name.
As an option, you can click Browse to change the location for VMwareʹs configuration files. 8.
Click Next.
70
EnCase Version 6.12 Modules Manual
9.
Assign the amount of memory for VMware to use, then click Next.
10. Select the type of network to use, then click Next. Selecting Do not use a network connection is recommended in the event that there is some type of malware installed on the machine the evidence file was created from.
11. Accept the default setting in the Select I/O Adapter Types dialog, then click Next.
12. Select Use a physical disk (for advanced users). Ignore any subsequent warning messages. 13. Select the disk that represents the mounted drive using PDE. 14. Accept the default setting of Use Entire Disk, then Click Next. 15. Use the default disk file specified in the Specify Disk File dialog, then click Finish.
Physical Disk Emulator
71
If the disk file is not recognized as a Virtual machine, you can change the name of the file (taking care to leave the .vmdk extension).
VMware returns to the main screen, showing the newly created virtual machine.
Boot the Virtual Machine Boot the virtual machine by starting VMware and performing the following: 1.
Click the link for Start this virtual machine next to the green arrow. The evidence file is write protected by the EnCase program, but PDE enables a write cache that interacts with VMware as if it were mounting a disk in read/write mode.
When the virtual machine starts, the operating system is shown as if the forensic machine was booting the drive. It boots in the same manner as the native machine.
2.
As with booting restored hard drives, the virtual machine may require a user name and password to proceed.
3.
Since pop‐ups (such as AOL Instant Messenger) may cause driver problems, save the state of the virtual machine regularly.
72
EnCase Version 6.12 Modules Manual
VMware/EnCase PDE FAQs Can live evidence be booted with VMware? Live computer evidence (network nodes in the EnCase Enterprise program and local CDs) can be mounted with PDE but cannot be booted with VMware.
What version of VMware should be used with EnCase PDE? PDE/VMware integration is with VMware version 4.5 and higher.
Why won't VMware recognize an emulated (mounted) disk? You must launch VMware after emulating the disk with PDE, as VMware will not recognize a physical drive that has been added since it was started. In addition, VMware will not successfully boot evidence files which contain Windows with a non‐default IDE driver. This is a known issue. Additional information is available at http://www.vmware.com/support/kb/enduser/std_adp?p_faqid=36.
What do I do if I see the message "The file specified is not a virtual disk" after running the New Virtual Machine wizard? Occasionally after completion of the new virtual machine wizard in VMware, an error message (ʺThe file specified is not a virtual disk.ʺ) may be encountered. This issue is with VMware, not the EnCase program. Running the New Virtual Machine Wizard again usually resolves this issue.
How do I start a VMware machine with my saved EnCase Differential File? Mount the disk using the existing cache file.
Why does VMware not recognize some physical disks? If your evidence is successfully mounted, but VMware states that the physical disk that the image is mounted on is not a valid Physical Disk, it may be a result of a non‐IDE device on a lower Physical Device than the emulated disk.
Windows XP keeps popping up windows about installing drivers when I boot. The EnCase PDE Module installs GSI‐specific IDE drivers to be loaded in order to emulate the disk as a drive within Windows with an assigned drive letter. A virtual IDE controller is created that can be seen in Device Manager. If Windows is allowed to load default IDE drivers, the module will not work properly. You can prevent this by canceling the attempt from the pop‐up window. Once you have bypassed this message, you can save the state so that the next time the system is rebooted, Windows will not attempt to load the drivers again.
Physical Disk Emulator
73
How do I restart a VMware session from a saved state? VMwareʹs suspend and resume feature allows you to save the current state of your virtual machine, then resume later with the virtual machine in the same state it was when you stopped it. Once you resume and do additional work in the virtual machine, there is no way to return to the state the virtual machine was in at the time you suspended it. To preserve the state of the virtual machine so that you can return to the same state repeatedly, you would need to take a snapshot. Instructions for using the snapshot are available at VMwareʹs web site at http://www.vmware.com/support/ ws45/doc/preserve_snapshot_ws.html. The speed of the suspend and resume operations depends on how much data has changed while the virtual machine has been running. In general, the first suspend operation takes a bit longer than later suspend operations do. When you suspend a virtual machine, a file with a .vmss extension is created. This file contains the entire state of the virtual machine. When you resume the virtual machine, its state is restored from the .vmss file. To suspend a virtual machine: 1.
If your virtual machine is running in full screen mode, return to window mode by pressing Ctrl + Alt.
2.
Click Suspend on the VMware Workstation toolbar.
3.
When VMware Workstation has completed the suspend operation, it is safe to exit VMware Workstation (Exit from the File menu).
Resume a virtual machine as follows: 1.
Start VMware Workstation and choose a virtual machine you have suspended.
2.
Click Resume on the VMware Workstation toolbar. Note that any applications you were running at the time you suspended the virtual machine are running and the content is the same as it was when you suspended the virtual machine.
Additional VMware troubleshooting is available from their knowledge base at http://www.vmware.com/support/kb/enduser/std_alp.php?
PDE Troubleshooting Physical Disk Emulator is not listed under modules when accessing About EnCase from the Help menu If you are using cert files, check to see that the PDE certificate is located in the Cert directory (typically C:\Program Files\EnCase6\Certs). Make sure the security key is installed and working properly (check the title bar to ensure that the program is not in Acquisition mode). If you are using cert files, check the security key ID to ensure that it is the correct one for which the certificate was issued.
I can mount a device locally, but cannot set up a local server Although menus exist for PDE Server operation, it is not currently functional.
74
EnCase Version 6.12 Modules Manual
A message is encountered stating that PDE cannot remove the device when attempting to dismount the device mounted The error message may occur if Windows is accessing a file on the mounted device (e.g., the directory is opened in Windows Explorer or a file is opened in a third‐party application). To resolve the issue, close all Windows applications accessing the mounted device, then click OK.
An error message is encountered stating that you need to reboot your machine, followed by a "Rejected connection" message This issue is due to the device driver not being released properly. The only way to resolve this issue is to close all applications (including the EnCase application) and reboot the forensic machine. You should not encounter the error again when the machine is rebooted. If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.
CHAPTER 4
Virtual File System In This Chapter
What is VFS?
Mounting Evidence with VFS
Dismount the Network Share
Accessing the Share
Third-Party Tools
VFS Server
Troubleshooting
76
EnCase Version 6.12 Modules Manual
What is VFS? The Virtual File System (VFS) module allows investigators to mount computer evidence as a read‐ only, off‐line network drive for examination through Windows Explorer. The value of this feature is that it allows investigators multiple examination options, including the use of third‐party tools with evidence served by the EnCase® program. We are committed to the concept of providing an integrated product to our customers. Third‐party tools will continue to be developed to complement the core functions and features of the EnCase program, and we encourage their creation and use. VFS allows third‐party access to all computer evidence and file system formats supported by the software. For our customers using the EnCase Forensic program, the VFS module has the added power of enabling use of third‐party tools against hard drives previewed through a FastBloc® device or a crossover cable, including deleted files. For customers using the EnCase Enterprise program, VFS allows use of third‐party tools against live machines on the network using best practices, since the operating system is bypassed.
Evidence File Formats Supported by VFS
VFS supports mounting any data that is visible in a case. All image file formats and file systems that are supported by the EnCase software can be mounted with VFS.
Mounting Evidence with VFS The VFS Module is able to mount computer evidence supported by the EnCase program as an offline read‐only network drive in Windows Explorer. You can mount evidence at one of four levels; however, only one mounting point can be designated at a time. If you want to change the mounting point, you need to dismount the evidence and mount at a new level to include the desired devices. The levels where you can mount evidence are:
Case level: Mounting from case‐level is not supported by VFS
Disk/Device level: Mounts a single physical disk or device, with access to all volumes on the disk or device
Volume level: Mounts a single volume/partition on a physical disk
Folder level: The lowest level you can mount is at the folder level This mount level is helpful to examine files in paths that exceed the Windows limit of 264 characters in the full path and name of a file
Using the Server extension, you can also mount evidence to be shared with other investigators through the local area network. The Virtual File System Server is discussed later in this manual.
Mounting a Single Drive, Device, Volume, or Folder Only one mount point can be designated at a time; to include other data, a mount point must be selected that is in a parent relationship to both areas of data to be mounted.
Virtual File System
77
To mount a single drive or device in a case file or a single volume or folder on a drive, right‐click the drive or device, and select Mount as Network Share:
Mount Network Share Options On the Server Info tab of the Mount as Network Share window, most of the server info is disabled when establishing a local server. The only exception is the local port. VFS defaults to establishing a local server, which is the option used when using VFS on the local machine. Since VFS is mounting the evidence as a network shared drive, a local port must be assigned. To allow recovery from errors in Windows, such as a crash while using third‐party tools as described later in this manual, the VFS service runs for the life of the Windows session. This means that the port number can be assigned the first time the VFS service is run to mount evidence. Afterwards the port number is grayed out with the assigned port number unchangeable: 1.
On the Server Info tab, set the local port or use the default setting.
2.
Adjust the Max. clients allowed, up to the maximum number of clients purchased for VFS. To assign a new port number, the Windows session must be closed, such as through a reboot.
3.
Click the Client Info tab to set the volume letter to be assigned to the network share in Windows Explorer.
4.
The default setting allows Windows Explorer to assign the next available volume letter, or you can set any other letter that is currently not assigned. Assigning a specific volume letter can be useful when attempting to virtually reconstruct a mapped network drive, such as for a database:
78
EnCase Version 6.12 Modules Manual
If you currently have mapped networked drives or if you let Windows assign the drive letter, it takes a few seconds to query the system to find an available drive letter If you specified a volume letter, and it is available, the mounting is virtually instantaneous A confirmation popup window informs you that the mount was successful, with the volume letter. The ʺshared handʺ icon appears at the level you designated as the mount point for the shared drive.
Compound Files Many compound files, including Microsoft Word, Excel, Outlook Express, and Outlook files, can be mounted in the EnCase interface. To do this: 1.
Right‐click the file.
2.
Select View File Structure. In the example below, a Microsoft Word .doc file is mounted. The device is then mounted with VFS at the device level.
3.
Mount the case, drive, volume, or folder with VFS as for a single case, drive, etc. by right‐ clicking and selecting Mount as Network Share, as described above for single items.
Virtual File System
79
4.
View the mounted file as a folder in Windows Explorer, where the compound file structure can be browsed.
VFS is a dynamic engine and will serve the data as it is presented by the EnCase software. To view the original Word document file: 1.
Close the mounted compound file.
2.
In Windows Explorer, refresh the screen using the F5 key. If you have currently selected data within the compound file, an error message reports that the data is no longer available, since it was closed inside of the EnCase program.
3.
Select the parent folder of the file to view and open the file.
Encrypting File System Decrypted files can be viewed within Windows when you use VFS in conjunction with the EnCase Decryption Suite (EDS) module. The evidence containing the decrypted files and folders can be mounted with VFS for viewing the decrypted data within Windows Explorer, and with third‐party tools. For information on using the EDS Module to decrypt EFS protected files and folders, see the EDS Module chapter of this document.
RAIDs RAIDs mounted inside the EnCase program can be browsed in Windows Explorer. In the example below, a software RAID 5 comprised of three drives was mounted and then made available for browsing in Windows Explorer with VFS.
Deleted Files The VFS module allows investigators to view deleted and overwritten files in Windows Explorer.
80
EnCase Version 6.12 Modules Manual
An investigator may locate a file in Windows Explorer to view or analyze, but finds that it is not possible to open it. If a file does not open, review the original data in the EnCase interface to see if the file is indeed valid and is not corrupted or partially overwritten.
Internal Files and File System Files The EnCase application organizes some data on devices into virtual logical files to allow for better organization and searching. Examples include Unallocated Clusters and Volume Slack on a volume, and Unused Disk Area on a physical drive. Hidden file system files are also available, such as the $MFT, FAT, or Inode Table directories on NFTS, FAT, and *nix file systems.
RAM and Disk Slack VFS serves the actual logical files on devices along with virtual logical files it organizes for investigators. The physical files are not served, as Windows Explorer would not interact with the file data correctly if the entire physical file was served. For investigators, this means the RAM (sector) slack and drive (file cluster) slack are not available to third‐party tools through VFS in Windows Explorer as a single file. There are, however, two ways to access the data in slack with third‐party tools: The first method is to load a device without parsing the file system: 1.
Launch the EnCase application.
2.
Open a new case.
3.
Load the device by clicking Add Devices.
4.
Right‐click the device and select Edit.
5.
In the Device Attributes window, clear the check from the Read File System box.
Virtual File System
81
When the device is loaded into the EnCase program, the partition and file system are not read and interpreted. The entire device can then be mounted with VFS and be available for examination in Windows Explorer as Unused Disk Area, including slack space.
1.
Another option is to copy only slack area from evidence to the examination computer as a logical file:
2.
Select the device(s) where you want to examine the slack space.
3.
Right‐click the file and select Copy/UnErase.
4.
Select the All selected files radio button under From, and the Merge into one file radio button under To, then click Next.
5.
In the Copy section of the Options screen, select RAM and Disk Slack to copy the RAM slack (also known as sector slack) and the Disk Slack (also known as cluster slack).
6.
Select the appropriate Character Mask option for non‐ASCII characters, or leave the default and click Next.
82
EnCase Version 6.12 Modules Manual
7.
Set the destination path and the name of the file to contain the slack, then click Next.
8.
Click OK in the Copying files dialog that displays at the end of the copying process.
The file containing the slack from the evidence is now available for examination by third‐party utilities on the local examination machine. In the example below, a file is open in WordPad.
Virtual File System
83
Other File Systems VFS can mount file systems other than those natively support by Windows. Below is an example of a Macintosh OS/X drive mounted with VFS.
Below is the Windows representation of a Palm volume mounted in VFS.
ext2, ext3, UFS, and Other File Systems Unix, Linux and BSD devices can be mounted in Windows Explorer with VFS. One limitation is the forward slash (/) used in *nix file systems. The forward slash is an invalid character in Windows and cannot be displayed in the full path for Windows Explorer. For this reason, the forward slash is represented by the high‐dot (∙). In the example below, the /(root) partition is represented by the high‐dot. The /home partition is represented by ·home.
84
EnCase Version 6.12 Modules Manual
In this example, the / (root) partition of a Solaris workstation is mounted and the parent folder name (the partition name) is displayed as the high‐dot.
Windows has a limit of 264 characters in a full path and file name. This limitation may impact some examinations in Windows Explorer, especially for Unix and Linux devices. In this situation, the investigator may need to mount at the partition or folder level.
Dismount the Network Share To dismount the network share, do the following: 1.
2.
Double‐click the thread bar at the bottom right of the interface that reads Virtual File System, then click Yes.
In the confirmation that the evidence was successfully dismounted, select any status saving options and click OK.
Changing the Mount Point You can only view one mount point at a time. To change the location of the mount point, you must close the current mount point and open a new one. Be sure to dismount evidence that is served through VFS before closing the EnCase program. A reminder message appears if the case or the EnCase program is attempted to be closed while evidence is mounted with VFS.
Virtual File System
85
Accessing the Share Using the EnCase Interface Unique Name Column A Unique Name column displays in Table view for the VFS Module. The column identifies the file name given to a file served from the EnCase program and displayed in Windows Explorer through VFS. The unique name overcomes the Windows limitation of not allowing multiple files to share the same file name as siblings in the same parent folder. The column is empty when the evidence is first mounted with VFS, but is populated when the share is accessed in Windows Explorer. When an investigator selects a folder in Windows Explorer, the data is served by the EnCase program and displayed in Windows Explorer. As the directories are browsed in Windows Explorer, the file names are populated in the Unique Name column, so an investigator can determine which file he or she is examining. The EnCase program appends a pound sign (#) to the end of duplicate file names within the same folder in Windows Explorer.
Using Windows Explorer After mounting the shared network drive with VFS, open Windows Explorer. The new share is represented with a network drive icon and assigned the appropriate volume letter. The name of the share is gsisvr (for Guidance Software®, Inc. Server).
Several operations are then possible, including the following:
86
EnCase Version 6.12 Modules Manual
Browse the mounted case and associated devices in Windows Explorer
Open hidden and deleted files if Show hidden files and folders is enabled in Windows Explorer using the Folder Options in the Tools menu
Use the thumbnail viewer in Windows Explorer to view images in the manner seen by the original user
Third-Party Tools Using VFS, investigators can examine evidence outside the EnCase program by utilizing third‐party tools capable of requesting and interpreting data from Windows Explorer. However, Guidance Software does not certify the performance or accuracy of results obtained through any tools not developed by Guidance Software.
Malware Scanning A common use for VFS is to mount computer evidence to scan for viruses, Trojans, and other malware programs: 1.
Mount the evidence through VFS either locally on the examination machine, or remotely through VFS Server. You can mount the evidence at the device, volume, or folder levels as described previously. The ʺshared handʺ icon indicates the level of the virtual file system mount.
Virtual File System
87
2.
In Windows Explorer, select the gsisvr offline network drive.
3.
Use antivirus software to scan the file.
In the example below, the Scan for Viruses option from Symantec AntiVirus is run by right‐ clicking the drive.
The antivirus software can read the Virtual File System presented to Windows Explorer. The requested data is served by the EnCase program to Windows Explorer, and then to the program for scanning. In this case, the MyDoom virus was found on the computer evidence mounted with VFS.
The examination reports and logs generated by the third‐party tools can then be reviewed and included in the investigatorʹs investigative report.
Other Tools and Viewers The third‐party tools and viewers available to the investigator for forensic examination are now greatly expanded with VFS. To use them, do the following: Double‐click a file served by VFS to open the data with the assigned program according to the file extension.
Assigning File Extension to a Program To assign an associated program to an extension: 1.
Select Folder Options from the Windows Explorer Tools menu.
88
EnCase Version 6.12 Modules Manual
2.
In the Folder Options window, click the File Types tab.
3.
Select the desired extension, and the Details for section lists the program designated for that extension. In this example, JPEG files open with Adobe Photoshop CS.
4.
Click the Change button.
Select or browse to the new program.
Unix or Linux Files Some files, like those in Unix and Linux, do not have file extensions. To view them:
1.
Right‐click the file and select Open.
2.
In the Open With window, select the desired application from the Programs list and click OK.
3.
If the application is not listed, click Browse to find the application executable, or allow Windows to search the Internet (if connected).
4.
Click Other if the appropriate application is not available.
Virtual File System
89
WordPad can open most text‐based files to allow you to view the contents. In the example below, a Linux file is opened with WordPad in Windows Explorer from an evidence file mounted with VFS.
QuickView Plus Another popular viewing program, QuickView Plus, can be used to view dozens of file formats, without the native applications installed on the examination machine.
Temporary Files Reminder The EnCase program allows investigators to redirect temporary files to a Temp/Trash folder on a secondary hard drive for faster cleanup after an examination, and to prevent confidential or contraband materials from being redirected by Windows to the investigatorʹs own temp folder on the operating system drive. When a file mounted with VFS in Windows Explorer is opened with a third‐party tool, the Windows operating system controls the temporary file creation on the operating system drive. Remember to check the Windows Temp folder to perform any necessary post‐examination cleanup.
VFS Server The VFS Module has a server extension so that investigators can share the mounted evidence with other investigators on the local area network/intranet through VFS. The extension enables a number of clients to mount the network share served by the VFS Server through a network connection under these conditions:
Only the machine that is running the VFS Server needs a security key inserted A security key is not required to connect to the VFS Server and access the served data in Windows Explorer.
The client machine(s) must have the EnCase program installed to access the VFS client drivers but can run in Acquisition mode The number of clients that can connect to the VFS Server depends upon the number of VFS Server connections purchased. This information is contained in the VFS Certificate or programmed into the security key.
To determine if the VFS Server is enabled and to view the number of available client connections, do the following:
90
EnCase Version 6.12 Modules Manual
Select About EnCase from the Help menu. If the VFS module is not listed, or the number of clients is not sufficient, contact Customer Service to purchase additional clients.
Configuring the Server Configure the server as follows: 1.
On the VFS Server machine (with the security key inserted), open the EnCase program.
2.
Open the case file(s).
3.
Select the appropriate VFS mount point level: Case Drive/device Volume Folder
4.
Right‐click the mount point and select Mount as Network Share. You have the option of creating a network share from any of the cases, drives, or folders within it. This allows you to share only what is necessary to others, while still having access to cases and devices that you do not want to share.
5.
Since this is the VFS Server machine, select Establish local server for the location on the Server Info tab.
6.
Enter a Port number or use the default of 8177. The Server IP Address is grayed out since the serverʹs IP address is the one assigned to the machine where the mount is taking place.
7.
Note the server machineʹs IP address for use with the client.
8.
Set the maximum number of clients who can connect to the server, with the default being the maximum allowed by your VFS Server certificate.
Since VFS is mounting the evidence as a networked shared drive, the serving port must be assigned. To allow recovery from errors in Windows, such as a crash while using third‐party tools as described previously, the VFS service runs for the life of the Windows session from that port. The VFS Server can also serve the data locally to the investigatorʹs machine. Be aware that it uses one of the server connections.
Virtual File System
91
Restrict Access by IP Address By default, VFS Server is configured to allow access from all IP addresses. However, the preferred method is to restrict access by IP address. To specify a range of machines, do the following: 1.
Select Allow IP Range and specify the high and low IP values.
2.
Select Allow specific IPs.
3.
Right‐click in the Allowed IPs box.
4.
Select New and enter the IP addresses. Enter multiple IP addresses by repeating this action. You can also edit or delete existing IP addresses by right‐clicking Allowed IPs.
5.
Select the Client Info tab. To also mount and view the shared drive locally, leave the Mount share locally box checked and input a Volume Letter.
92
EnCase Version 6.12 Modules Manual
By default, the volume letter field has an asterisk in it, signifying that the next available drive letter will be used. Mounting the share locally uses one of your VFS Server connections. If you are only serving the share to remote clients, clear Mount share locally, and the Volume Letter grays out, as the share is mounted on remote client(s). The VFS Server mounts the share and allows connections on the assigned port. The shared hand icon appears at the VFS mount point. You can continue your examination while it is being shared. Performance depends on the size and type of the examined evidence, processing power of the server and client machines, and the bandwidth of the network.
Connecting the Clients To connect the clients: 1.
Install the EnCase program on the client.
2.
Reboot the machine after installation for Windows to access the VFS drivers. When launching the EnCase program, it is not necessary to have a security key present.
3.
Click Tools→Mount as Network Share.
4.
On the Server Info tab, enter the Server IP Address for the VFS Server machine, and enter the port number the server is listening on.
5.
On the Client Info tab, select the Volume Letter to assign the share, or accept the next available letter.
The confirmation message displays. On the client machine, the share is available in Windows Explorer as gsisvr with the assigned drive letter. The shared computer evidence can be examined as previously described.
Closing the Connection When an investigator using a client machine has completed the examination of the shared drive, or another investigator needs to use the connection, double‐click the progress bar at the lower right and select Yes. A confirmation window reports that the evidence is dismounted and the connection closed, and the ʺshared handʺ icon is removed, indicating that Windows Explorer has removed the shared drive. The EnCase program can be closed on the client computer. On the VFS Server machine, when all clients are finished and have dismounted the share, close the VFS Server by double‐clicking on the flashing Virtual File System bar in the lower right corner of the EnCase application window. You will be prompted to dismount the evidence file, after which you can close the EnCase program.
Virtual File System
93
Troubleshooting Virtual File System is not listed under Modules If you are using cert files, check to see that the VFS certificate is located in the proper Certs directory (typically C:\Program Files\EnCase6\Certs). Make sure the security key is installed and working properly (check the title bar to ensure that the software is not in Acquisition mode). You do not need to have the security key installed on a machine connecting to a remote VFS Server. If you are using cert files, the certificate file is issued for a specific security key; check the security key ID to ensure that it is the correct one for which the certificate was issued.
I can mount a device locally, but cannot set up a local server Select About EnCase from the Tools menu and ensure that Virtual File System Server is listed under Modules. If the Server is not displayed, you may have the wrong cert installed, or you do not have access to the Server edition.
I cannot connect to a device mounted on a remote VFS server Confirm the IP address and port number of the Remote Server. If the IP address is correct, ping the address to ensure connectivity. Make sure the device is still mounted on the remote server. Check to see how many machines are connected to the server, and determine how many clients are permitted to connect to a VFS Server by selecting About EnCase from the Tools menu on the machine running the VFS Server. Determine the number of allowed clients by looking at the number listed next to the Virtual File System Server module. If none of these troubleshooting steps resolves your issue, contact Guidance Software Technical Services.
CHAPTER 5
FastBloc SE Module In This Chapter
What is the FastBloc SE Module?
Background Information
Installing the FastBloc SE Module
Using the FastBloc SE Module
Disk Caching
Troubleshooting
96
EnCase Version 6.12 Modules Manual
What is the FastBloc SE Module? The FastBloc® SE (Software Edition) module is a collection of drive controller tools designed to control reads and writes to a drive attached to a computer through USB, FireWire, SCSI, IDE, and SATA controller cards in order to enable the safe acquisition of subject media from Windows to an EnCase® evidence file. In addition, an investigator can wipe devices attached to a controller card that is controlled by the FastBloc SE module, or restore them while maintaining the hash value of the logical file. When FastBloc SE moduleʹs write blocking capability is enabled, it ensures that no data are written to or modified on a write blocked device. The Write‐block USB, FireWire, SCSI Devices option is used to write block and protect attached drives. In the past, conducting a forensic, non‐invasive acquisition of a hard disk drive was performed in DOS, or through a write protecting hardware device. This was done to control writes by the operating system to the subject drive. The FastBloc SE module eliminates the need to have a hardware write blocker installed on the forensic machine in order to acquire EnCase evidence files in a forensically sound manner through Windows.
Background Information HPA and DCO Configured Disks Host Protected Area Hard disks can be configured with a Host Protected Area (HPA). It is designed to allow vendors to store data safe from user access, diagnostics or MS Windows backup tools. If present, the data stored in this area is inaccessible by the operating system, BIOS or the disk itself. Knowledge of this area and the ability to access it are important, as there is the potential for a sophisticated user to hide data in the HPA. The FastBloc SE module sees the HPA if it is present, and the content hidden there displays. Disk integrity remains intact when previewing and acquiring disks with HPAs.
Device Configuration Overlay The Device Configuration Overlay (DCO), sometimes called the Disk Configuration Overlay, is similar to the HPA discussed above. It is an optional feature within the ATA et seq. standard, and is supported by most hard disks. Like the HPA, it can also be used to segment off a portion of the hard disk drive capacity from view by the OS or file system, usually for diagnostic or restoration purposes. Contents of the DCO can control behavior of the drive, and one of the DCO fields controls the max_sectors drive data. It can thus be used to artificially restrict access to the full drive.
Architecture Both the HPA and the DCO are typically located at the ends of the hard disk. If present, the HPA area is placed on the drive after the DCO is configured. This gives the drive three types of storage that are laid out one after another on the drive:
FastBloc SE Module
97
Normal
HPA protected
DCO protected
Overriding HPA and DCO Settings The write blocking functionality of the FastBloc SE module is designed to prevent writes to a suspect hard drive while previewing, examining or acquiring the device for forensic purposes. The FastBloc SE module allows EnCase software to recognize disks with HPA and DCO regions. The FastBloc SE module automatically overrides HPA settings, which makes the HPA area of the hard disk visible to the investigator. To do this, it temporarily removes the HPA settings and then replaces them, so no permanent disk alterations are made. If only a DCO is present, it is removed to allow the EnCase software to view the data. If both HPA and DCO are present in an area simultaneously, the FastBloc SE module first removes the HPA setting, then the DCO setting. The HPA is removed only if an HPA and DCO area exist simultaneously. ALERT! When the EnCase software encounters a hard drive with a defined DCO, or DCO and HPA, it must permanently remove both overlays to image the entire drive. Based on the design and published specifications of DCO and HPA, there is no known way to access the entire data area without making this change. Investigators must note that although this change does not affect the data contained on the drive, it is a permanent change to the drive controller that is not affected by powering down the drive. Investigators may wish to account for this anomaly in their documentation.
Installing the FastBloc SE Module The process for installing the module involves a few more steps than the other modules. 1.
Install the FastBloc SE module as listed in Installing the EnCase Modules on page 5.
2.
Shut down the forensic machine.
3.
Insert one of the IDE controllers listed in FastBloc SE Module Specific Requirements on page 4.
4.
Turn on the computer.
Install the drivers that came with the IDE controller. Consistent with sound computer forensic practices, test the FastBloc SE module with non-evidence media to verify the write blocking capability prior to using the device with actual evidence.
98
EnCase Version 6.12 Modules Manual
Using the FastBloc SE Module Write Blocking IDE and SATA Controller Cards The FastBloc SE module write blocks PCI IDE and SATA controller cards. See FastBloc SE Module Specific Requirements on page 4 for a listing of supported PCI IDE controller cards. To successfully prevent writes or modifications to an IDE device, the controller channel is write blocked before the device is attached to the PC. When the channel is protected with the GSI driver, shut down the machine and attach the device. On reboot, Windowsʹ write permissions are revoked. To write block an IDE controller: 1.
Launch the EnCase Program and select Write‐Block IDE channel from the Tools menu.
2.
In the list of available IDE channels, blue‐check the channel to write block and click OK.
3.
4.
A popup window may display saying that the software has not passed Windows LOGO testing.
Click Continue Anyway to replace the installed driver with the GSI driver.
FastBloc SE Module
99
5.
Shut down the forensic machine.
6.
Attach the suspectʹs hard disk to the controller selected in step 2.
7.
Restart the forensic computer. The selected channel is write blocked on system startup.
Turning Off IDE Write Block Protection To turn off the write block protection: 1.
Shut down the forensic computer.
2.
Remove the suspectʹs hard disk.
3.
Repeat steps 1 and 2 above, deselecting the write protected controller in step 2.
4.
Reboot the forensic machine.
5.
The GSI driver is replaced with the original default Windows driver.
Write Blocking a USB, FireWire, or SCSI Device To write block a USB, FireWire, or SCSI device, the EnCase software intercepts the signal sent to Windows when a device is attached to the computer. It then filters the driver for that device, enabling write protection. When using the Fastbloc SE module on a USB, FireWire or SCSI device, there are two modes, which both protect the device from being modified or written to:
Write Blocked: A write blocked device is protected against writing to or modifying files when the device is attached to a PC. Files deleted from or added to the device appear in Windows as modified, but the modifications are saved in a local cache, not on the device itself. This mode does not prompt errors when attempting to write to the drive.
Write Protected: A write protected device is protected against writes or modifications when the device is attached to a PC. If writes or modifications to the device are attempted, Windows responds with an error message. Removing write protection takes effect on all devices that are or have been connected to the PC.
To write block a USB, FireWire, or SCSI device: 1.
Make sure no devices are attached.
2.
Select Write‐block USB, Firewire, SCSI drive from the Tools menu.
100
EnCase Version 6.12 Modules Manual
3.
Select Write‐Blocked in the dialog.
4.
Insert the USB, FireWire, or SCSI device. Because some SCSI devices are not initially hot swappable, you may want to use a hot swappable carrier to protect the device, such as the StarTech DRW150SCSIBK SCSI drive bay.
5.
A confirmation window displays when the device is successfully blocked.
6.
Click Finish.
Verify Write Block You can confirm successful write‐blocking of the device when previewing the device in the EnCase program: 1.
Click the New icon on the top toolbar to open a new case and complete the required information.
2.
Click the Add Device icon.
3.
Blue check Local Drives in the right pane, then click Next. In the Choose Devices window, the device and volume (if present) on the write‐blocked channel have a green box around the icon in the Name column, and a bullet appears in the Write Blocked column for each.
Removing Write Block from a USB, FireWire, or SCSI Device Removing the USB, FireWire, or SCSI Device To remove a USB, FireWire or SCSI device: 1.
Use the hardware removal tool in the System Tray in the lower right corner of the task bar to remove the device.
FastBloc SE Module
101
In Windows 2000, this tool is named Unplug or Eject Hardware; in Windows XP, Safely Remove Hardware.
2.
Remove the device physically when the wizard has confirmed safe removal.
Removing Write-Block 1.
Select Write‐block USB, FireWire, SCSI drive from the Tools dropdown menu.
2.
Click Clear All in the window that opens.
3.
Click Yes on the prompt to confirm the removal of all USB, FireWire, and SCSI write‐ blocked devices.
Selecting Clear All removes write blocking and write protection on all USB, FireWire, and SCSI devices previously protected by the FastBloc SE module.
4.
A confirmation window displays when write block is successfully removed.
102
EnCase Version 6.12 Modules Manual
5.
Click OK to finalize write block removal.
Previewing a Write Blocked Device To preview a write blocked device: 1.
Write block or write protect the appropriate device following the steps outlined previously in this manual.
2.
Create a new case in the EnCase program.
3.
Click Add Device. In the Choose Devices dialog, a bullet in the Write Blocked column indicates the subject media is write blocked. Devices write blocked by the FastBloc SE module also have a green square around the icon ( ).
4.
Blue check a write blocked device or volume, then click Next.
5.
Click Finish in the Preview Devices screen to begin previewing subject media.
Wiping The FastBloc SE module allows wiping a device attached to one of the supported PCI IDE controller cards mentioned in FastBloc SE Module Specific Requirements on page 4. Wiping is done in the same manner as for drives attached directly to the motherboard. See the Using EnCase Tools chapter of the EnCase Enterprise Userʹs Guide for instructions on wiping a drive using the EnCase interface.
Restoring The FastBloc SE module also allows the restoration of an evidence file to a device of similar size or larger attached to one of the supported PCI IDE controller cards previously mentioned. Restore a device in the same manner as with drives attached directly to the motherboard. See the Using EnCase Tools chapter of the EnCase Enterprise Userʹs Guide for details.
FastBloc SE Module
103
Disk Caching When the FastBloc SE module is set to write block, the writes are actually being cached to the investigatorʹs hard drive. This does not occur with write protect, since Windows generates an error rather than allowing the appearance of the write to take place.
Write Block Validation Testing and Disk Caching Do not use evidence hard drives to perform write blocking capability tests. Although Windows may appear to allow modifications of the write blocked subject media, this does not actually occur.
Disk Caching and Flushing the Cache To flush the write cache, reboot the computer or remove the media that is write blocked. Preview the drive with the EnCase interface or browse using Windows Explorer to verify that the cache emptied.
Troubleshooting The Write Block option does not appear in the Tools menu Make sure the module was installed as described in Installing the EnCase Modules on page 5. Select About EnCase from the Help menu to verify that the FastBloc SE module is listed in the window. Check that the security key is in the machine. If the security key is out, or not functioning properly, the EnCase program will be in Acquisition mode. If you are using cert files, the cert file may be tied to a different security key. Consult an administrator to determine the associated security key and cert file.
Windows and the EnCase program do not recognize the attached device Check all power and data connections to the device. Check to see if the subject hard drive is spinning. If the device is connected via an external drive bay, shut down the computer and try connecting the power connector (not the data connector) to a Molex® power cable directly from the computer. Restart the computer. If the drive starts spinning, shut down the computer again and swap cables. If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the drive may be defective and you may not be able to acquire it by normal methods. If the subject drive is spinning, check the data cables. You may want to try using a 40‐wire cable if you are using an 80‐wire cable. Check the USB or FireWire port to ensure proper functioning by inserting a known good device. Make sure the port is recognized in Device Manager.
104
EnCase Version 6.12 Modules Manual
Windows sees the subject drive, but the EnCase program does not If you can see the physical drive but cannot see the contents of the drive, the EnCase interface may be in acquisition mode. This may indicate that the security key is not installed or (if you are using cert files) is not tied to the cert file. Refer to the EnCase Userʹs Guide for instructions on how to install the security key drivers. You may have a corrupt version of the EnCase program. If you are using cert files, make a backup of all your cert files. Download and reinstall the newest version of the EnCase software. Be sure to select Local Devices instead of Evidence Files when you begin the preview process. If at all possible, try to acquire on a completely different machine. This helps pinpoint the problem, as it may be a hardware or operating system conflict. If you are using cert files, be sure to use a security key tied to the cert file.
Acquisition takes too long If the acquisition started out at a normal speed, and then rapidly decreased later in the acquisition, there is a good chance that the EnCase program has encountered bad sectors on the subject drive. Because the software will make multiple attempts at reading bad sectors, acquisition time may increase. Enabling compression dramatically increases acquisition time. A completely slow acquisition may be the result of slower equipment. If you are acquiring to external media (i.e., the storage media is an external hard drive) the transfer rates will be significantly slower than with a directly connected hard drive. If the subject drive is an older or slower model, the acquisition speed is limited. If the forensic machine has an older or slower storage drive, the acquisition is slowed by the driveʹs slow write speed. If you are acquiring a newer drive, try an 80‐wire cable, as this allows faster throughput. Ensure the FireWire/USB cable is securely connected at both ends. If FireWire is not available, use a USB 2.0 connection (USB 2.0 is up to 40 times faster than USB 1.0). In addition, when using USB, limit any other CPU‐intensive tasks during the acquisition, since these contribute to a loss of transfer speed. Use FireWire ports whenever possible, since the interface is faster than USB.
Acquisition and verification hashes do not match There may be a data integrity issue with the cable. Try using a 40‐wire cable if you are using a 80‐ wire cable, a shorter IDE cable, and/or a shielded IDE cable if possible. Try using a different USB or FireWire cable.
FastBloc SE Module
105
There are different hash values each time the drive is hashed This indicates a failing drive. Because the number of sector errors increases each time, hash values change. Since the first acquisition typically contains the least number of bad sectors, use that file for analysis.
There are multiple bad sectors after acquisition This can indicate a defective drive. Ensure that the cables are securely connected to the controller and the drive. If the subject drive is in an enclosure when you try to acquire it, it may become hot during the acquisition. Try removing the drive from the enclosure to keep it cooler, which may reduce the number of sector errors.
CHAPTER 6
CD/DVD Module In This Chapter
What is the CD/DVD Module?
Burning Evidence Files During Acquisition
Burning Logical Evidence Files During Acquisition
Burning Files and Reports
Burning Existing Evidence and Logical Evidence Files
108
EnCase Version 6.12 Modules Manual
What is the CD/DVD Module? Use the CD/DVD Module to burn the following to a CD or DVD:
Evidence and Logical Evidence Files during acquisition
Files and folders, as well as reports from the EnCase® program
Existing Evidence Files and Logical Evidence Files
Unless specified otherwise, files burned maintain the following properties (if available):
Entry Name (either entry or report)
Last Written date
Entry Created date
Logical size
Consistent with sound computer forensic practices, test the CD/DVD module with non-evidence media to verify proper installation and operation prior to using it with actual evidence.
Burning Evidence Files During Acquisition The process for burning an evidence file to removable media at the time of an acquisition starts with a preview: 1.
Create a new case or open an existing one.
2.
Add a Device for preview as described in the EnCase Userʹs Guide.
3.
Right click the device icon in the Case tree, then select Acquire.
4.
When you get to the Options screen, select Burn Disc, then click Next.
CD/DVD Module
109
Selecting CD Information To select CD information, choose appropriate options from the preconfigured settings in the CD Info dialog.
Joliet: This specifies the format of the image to adhere to the Joliet standard, which allows long entry names. UDF: This specifies the format of the image to adhere to the UDF standard, which is used primarily for DVDs. Burn: This initiates the burn of the image to the disc once you click Finish. If the box is cleared, the Archive Folder for the image is updated, but not burned until initiated by the user in the Archive Entries tab. An ISO is also created for the user to burn at any time with any program. Delete ISO after Burn: This deletes the created ISO image from the temporary folder set with the Path option once it is burned to media. Publisher: This optional field allows you to specify the name of the person who burned the image to disc. Preparer: This optional field allows you to specify the name of the person who prepared the image for burning. Path: This field sets the path for the temporary placement of the ISO image prior to being burned. CD Burners: Any media burner recognized by the system appears in this window. Select the media burner of your choice. If a recognized burner is not listed, the burning option is disabled. The image produced contains the ISO9660 format with Joliet selected by default. If Joliet or UDF formats are selected, additional trees are built for those formats. ISO9660 allows only eight‐character (old DOS 8.3) names. Names longer than eight characters are truncated to the first four characters of the file name, followed by four random numbers.
110
EnCase Version 6.12 Modules Manual
Burning When the initial acquisition is complete, the status screen displays and the burn to CD starts, indicated by a blue Burning thread displayed on the EnCase programʹs task bar. Evidence entries are burned as long as there is enough room left on the medium based on set segment size. If there is no room left, the disc is ejected and a prompt appears instructing you to insert another disc. Evidence entries are verified on the removable media after they have been burned. After the entry is burned, a status window reports the results of the write and verification.
Burning Logical Evidence Files During Acquisition To burn a logical evidence file during acquisition: 1.
Preview the device.
2.
On the Entries tab, select the folders for the Logical Evidence File.
3.
Right click and select Create Logical Evidence File.
4.
In the Create Logical Evidence File dialog, select Burn Disc, then click Next.
5.
5. In the CD Info dialog, select options as described above.
A separate thread runs for burning the logical evidence entries while they are created. The burn to disc occurs when the first segment finishes acquiring. To cancel the burn, double‐click the blue Burning status message on the bottom task bar. Logical evidence, like other evidence entries, is verified after burned. The status window at the end of the process presents the verification and acquisition status for the burned entries. If there is no room left on a disc, the disc is ejected and a prompt appears to insert another disc.
Burning Files and Reports Create a New Image Session To create a new image session:
CD/DVD Module
111
1.
Select Archive Files from the View dropdown menu.
2.
To create a new image session for burning data to a CD/DVD from selected entries or reports, right‐click in the root of Archive Files and select New Image. By default, the module places cached items in C:\Program Files\EnCase6\Cache. To change the root path, right click the root item, select Change Root Path, and browse to or create a folder.
A disc icon appears in the tree, called discimage1. Subsequent images created are named discimage2, discimage3, etc. 3.
To rename images, right click the image folder (or press F2) and select Rename. A cached image of this file is stored in C:\Program Files\EnCase6\Cache with the folder name and a .cdi extension.
Preparing Entries for Burning To prepare entries for burning:
1.
In the Entries tab, select the entries to be sent to removable media.
2.
Right click the desired folder in the tree and select Copy Folders or Copy/UnErase to open the standard option windows for those features.
112
EnCase Version 6.12 Modules Manual
Use Copy Folders to add the selected entries to the folder, retaining the existing entries. File sizes of selected entries retain the original logical size of the file but not the physical size.
Use Copy/Unerase to maintain structure based on the options set in the export menu, such as Logical File, Entire Physical File, RAM and Disk Slack, etc.
CD/DVD Module
113
3.
Right click the Archive Files icon in the Destination Folder window and select New Image. By default, this isdiscimage1. Folders created previously are visible in the Destination Folder window.
4.
Select the appropriate folder, then click Finish.
5.
Click OK to add the entries to the Archive Files folder.
6.
To view the added entries, navigate to the Archive Files tab and select the folder the where you sent the entries.
7.
Right click in the table and select Update.
Preparing Reports for Burning To prepare a report for burning: 1.
Go to Report view in either the Table Pane or View Pane.
2.
Right click in the report pane and select Export.
3.
In the Export Report dialog, select Burn to Disc.
4.
Select the appropriate output format, Document or Web Page.
5.
Enter the complete path in the Path field or browse to the export location.
6.
Select a Destination Folder. If entries already exist in the destination folder, the selected entries are added to them.
7.
Click OK to add the report to the discimage folder.
The newly added report is stored under the Archive Files tab and saved globally so you can add to or delete from it at any time.
114
EnCase Version 6.12 Modules Manual
Burning the Created Image folders to Disc Prior to burning a disc image, entries and reports can be moved between volumes by dragging and dropping them from one image to another. Each image may have its own formatting and output options:
To access the option window to view or edit the settings, right click a volume and select Edit.
To rename a volume right click and select Rename.
To burn the image to disc: 1.
Right click the image folder and select Burn Disc.
2.
In the Archive Files tab, the disc images appear with entries listed in the Table pane.
3.
Select appropriate options from the preconfigured settings in the CD Info dialog as described above. When the image is burned, a status window reports the results of the write.
Burning Existing Evidence and Logical Evidence Files EnCase Evidence Files and Logical Evidence Files that are already created can be burned to media from the EnCase interface. Exceptions to this functionality are: Single Entries
SafeBack Images
Previewed drives
VMware images
Mounted volumes
Virtual PC images
dd images
Any other non‐evidence files
To burn an EnCase Evidence File or Logical Evidence File to disc, it must first be added into the case using the standard methods:
Dragging and dropping the file into the EnCase interface
Using Add Device
To burn an existing evidence or logical evidence file:
1.
On the Cases tab, select the Devices subtab.
2.
Right click in the table and select the image to be burned. Note that only the highlighted device is burned, not selected (blue‐checked) devices.
CD/DVD Module
3.
Right click on the device and select Burn to Disc.
4.
Continue as described in Selecting CD Information on page 109.
115
Guidance Software Legal Notification No part of this manual, including the products and software described in it, may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means, except documentation kept by the purchaser for backup purposes, without the express written permission of Guidance Software, Inc. (ʺGSIʺ). GSI PROVIDES THIS MANUAL ʺAS ISʺ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL GSI, ITS DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF USE OR DATA, INTERRUPTION OF BUSINESS AND THE LIKE), EVEN IF GSI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES ARISING FROM ANY DEFECT OR ERROR IN THIS MANUAL OR PRODUCT. CEIC, EnCase eDiscovery Suite, EnCase Enterprise, EnCase Enterprise AIRS, EnCase Forensic, EnCE, EnScript, FastBloc, Guidance Software, EnCase Neutrino, Snapshot, and WaveShield are registered trademarks or trademarks owned by GSI in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this manual may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the ownersʹ benefit, without intent to infringe. Product Manuals and Documentation are specific to the software versions for which they are written. For previous or outdated manuals, product release information, contact Guidance Software at http://www.guidancesoftware.com. Specifications and information contained in this manual are furnished for informational use only, and are subject to change at any time without notice.
Support Guidance Software develops solutions that search, identify, recover, and deliver digital information in a forensically sound and cost effective manner. Since our founding in 1997, we have moved into network enabled investigations, and enterprise wide integration with other security technologies. This section provides information on our support for you through:
118
EnCase Version 6.12 Modules Manual
Technical manuals and release notes
Support portal on the Web, including access to downloads
Technical Support Department
Customer Service Department
Message Boards
Training
Professional Services
Technical Manuals and Release Notes Guidance Software provides printed manuals for all of our product lines, as well as PDF versions of interim updates and release notes, describing the new features and problems fixed. We welcome your feedback on the documentation. Please feel free to contact us at
[email protected] (mailto:
[email protected]).
Technical Support Guidance Software provides a variety of support options, including phone, email, online submission forms, an up to date knowledge base, and a message board (technical forum). Support is available from Sunday, 7:00 PM through Friday, 6:00 PM Pacific Time (Monday, 3:00 AM to Saturday, 1:00 PM GMT). This excludes public holidays in the United States and the United Kingdom during respective business hours.
Phone/Mail Support US Contact Info: 215 North Marengo Avenue Suite 250 Pasadena, CA 91101 Phone: 1‐626‐229‐9191, Option 4 Fax: 626‐229‐9199 UK Contact Info: Thames Central, 5th Floor Hatfield Road Slough, Berkshire UK SL1 1QE Phone: +44 (0) 1753552252, Option 4 Fax: +44 (0) 1753552232 Toll‐Free Numbers: Germany: 0‐800‐181‐4625 China: 10‐800‐130‐0976 Australia: 1‐800‐750‐639 Hong Kong: 800‐96‐4635 New Zealand: 0‐800‐45‐0523 Japan: 00‐531‐13‐0890
Guidance Software
119
Online Support Guidance Software offers a Support Portal to our registered users, providing technical forums, a knowledge base, a bug tracking database, and an Online Request form. The Portal gives you access to all support‐related issues in one site. This includes:
User, product, beta testing, and foreign language forums (message boards)
Knowledge Base
Bug Tracker
Technical Services Request form
Downloads of previous software versions, drivers, etc.
Other useful links
Although technical support is available by email, you will receive more thorough, quicker service when you use the online Technical Support Request Form (https://support.guidancesoftware.com/node/381). Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue. If you do not have access to the Support Portal, please use the Support Portal registration form (https://support.guidancesoftware.com/forum/register.php?do=signup).
Registration Registration requires you to choose a unique username and password. Please provide all requested information, including dongle ID, phone, e‐mail address, organization, etc. This helps us identify you as a registered owner of EnCase. You will receive an email within 24 hours. You must follow the link in that email before you can post on the forums. Until you do that, you will not have permission to post. Once you have verified your email address, you will be added to the Registration List. Please allow 24 business hours for your account to be approved. Once your registration is approved, you can access the Support Portal (https://support.guidancesoftware.com/). The Support Portal provides a tutorial that briefly overviews the site.
120
EnCase Version 6.12 Modules Manual
User, Product, and Foreign Language Forums To access the forums, click on the Forum Tab (https://support.guidancesoftware.com/forum/) in the Support Portal. The forums allow registered users to post questions, exchange information, and hold discussions with Guidance Software and other users in the EnCase community. Different discussion groups are available as follows: Foreign Language Groups
French
Arabic
German
Spanish
Japanese
Chinese
Korean
Forum Groups
User Group
Consultant and Practitioners
Computer Forensic Hardware Issues
EnScript Forum
Product Specific Groups
EnCase Neutrino
Enterprise
FIM
eDiscovery
These groups are only available to customers who have purchased the respective products. Enter a group by clicking on the group name.
Posting to a Group To create a new post, click the Click the post.
icon.
icon to reply to a post, or use the Quick Reply icon at the bottom of each
Guidance Software
121
Searching The forums contain an accumulation of over ten years of information. Use the button to search for keywords, or click Advanced Search for more specific search options.
Bug Tracker Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement requests. It is broken down by product, showing the current number of bugs/enhancements and public bugs for each product. To access the Bug Tracker, click on Bug Tracker (https://support.guidancesoftware.com/forum/project.php) in the Support Portal.
Knowledge Base You can find answers to frequently asked questions (FAQs) and other useful product documentation in the Knowledge Base. You can also submit your own articles to help other EnCase users. To access the Knowledge Base, click on Knowledge Base (https://support.guidancesoftware.com/directory) in the Support Portal. From here, you can browse, search, and write Knowledge Base articles.
Online Technical Support Request Form Please use the Request Form for assistance from a Technical Services engineer. To access the form, click on Request Form (https://support.guidancesoftware.com/node/381) in the Support Portal.
122
EnCase Version 6.12 Modules Manual
Other Useful Links
The Support Portalʹs landing page contains a section of useful links, including:
Guidance Software Home Page
Download Center to download software, hardware, manuals, boot disks, support articles, etc.
My Account to register your dongle id to receive up to date software by email
NVD (National Vulnerability Database) Information and Responses
Guidance Product Version Matrix for checking compatibility of different product versions
Hardware Recommendations for EnCase Forensic and EnCase Enterprise
Subscribe to Public Bugs
Customer Service The Guidance Software Customer Services Department is staffed by highly‐trained, friendly staff capable of resolving any problem regarding your order. Hours and contact information are listed below. Phone: 626.229.9191 Fax: 626.229.9199 Email:
[email protected] (mailto:
[email protected]) Internet: http://www.guidancesoftware.com/support/cs_requestform.aspx Hours: Monday through Friday 6:00 a.m. to 5:00 p.m., Pacific Time
Guidance Software
123
Message Boards The Guidance Software message boards are resources for the computer forensics community to exchange ideas, ask questions, and give answers. The message boards are an invaluable resource for the forensic investigator. Discussions range from basic acquisition techniques to in‐depth analysis of encrypted files and more. Thousands of experienced and skilled users are registered on the boards, reviewing posts every day, and providing their expertise on all Guidance Software products. More information about the message boards, including information on how to join the message board, is located at: http://www.guidancesoftware.com/support/messageboards.asp.
Downloads When you receive your product, register with Guidance Software to receive updates. Registration is located at https://www.guidancesoftware.com/myaccount/registration.aspx site. If you have any trouble registering your product, contact Customer Service (see page 122). If you have any trouble downloading the updates once registered, contact Technical Support (see page 118).
Training Guidance Software offers a variety of professional courses for the beginner, intermediate and advanced user of all its applications. In addition to providing a solid grounding in our software, we also provide our students with accepted best practices for investigation, report generation and evidence preservation. Guidance Software offers courses for law enforcement agencies, organizations concerned with forensics and incident response, and advanced topics for all users.
Professional Services The Guidance Software Professional Services Division (PSD) combines world‐leading computer investigations experts with world‐leading forensic technology to deliver turnkey solutions to forensic investigations. Guidance Software has combined its industry‐leading computer investigation technology with a team of the most highly trained and capable investigators in the world to bring you complete turnkey solutions for your business. When you face investigative issues that go beyond your internal capabilities, our professional services group is able to respond either remotely or by coming on site to provide the right technology and computer investigations personnel for the job.
124
EnCase Version 6.12 Modules Manual
Internal Investigations
Theft of intellectual property
Intrusion reconstruction
Wrongful termination suit
Compliance
Sarbanes‐Oxley
PII risk assessment
California SB 1386
eDiscovery
Pending litigation
Responsive production
Forensic preservation
Information Security
Compromise of system integrity
Policy review
Unauthorized use
Forensic lab implementation
Index A
D
Accessing the Local Disk in Windows Explorer • 65 Accessing the Share • 85 Analyze EFS • 14, 18 Associate Selected • 21
Decrypted Block • 53 Decrypting S/MIME Emails in an Evidence File Created in Windows Vista • 49 Deleted Files • 79 Determining Local Mailbox Encryption • 51 Dictionary Attack • 56 Disk and Volume Encryption • 12 Disk Caching • 103 Disk Caching and Flushing the Cache • 103 Dismount the Network Share • 84 Downloads • 123
B Background Information • 96 BitLocker Encryption Support (Volume Encryption) • 32 Boot Evidence Files and Live Systems with VMware • 68 Boot the Virtual Machine • 71 Built‐in Attack • 57 Burning • 110 Burning Evidence Files During Acquisition • 108 Burning Existing Evidence and Logical Evidence Files • 114 Burning Files and Reports • 110 Burning Logical Evidence Files During Acquisition • 110 Burning the Created Image folders to Disc • 114
C CD/DVD Module • 9, 107 CD‐DVD Module Specific Requirements • 5 Certificate Files for Your Security Key • 5 Certificates Programmed on the Security Key • 5 Changing the Mount Point • 84 Closing and Changing the Emulated Disk • 67 Closing the Connection • 92 Compound Files • 78 Configuring the PDE Client • 63 Configuring the Server • 90 Connecting the Clients • 92 Create a New Image Session • 110 CREDANT Encryption Support (File‐Based Encryption) • 37 CREDANT Encryption Support (Offline Scenario) • 41 CREDANT Files and Logical Evidence (L01) Files • 42 Customer Service • 122, 123
E EDS Features • 12 EFS Files and Logical Evidence (L01) Files • 17 EnCase Decryption Suite • 11 EnCase Decryption Suite Module • 7 EnCase Physical Disk Emulator Module • 7 EnCase Virtual File System Module • 8 Encrypted Block • 52 Encrypting File System • 79 Enter Items • 18 Evidence File Formats Supported by EnCase PDE • 62 Evidence File Formats Supported by VFS • 76 ext2, ext3, UFS, and Other File Systems • 83
F FastBloc SE Module • 9, 95 FastBloc SE Module Specific Requirements • 4, 97, 98, 102 File Based Encryption • 13
G GuardianEdge Hard Disk Encryption Known Limitation • 37 Guidance Software • 117
H HPA and DCO Configured Disks • 96
I Initial Preparation • 68 Installing the EnCase Modules • 5, 97, 103 Installing the FastBloc SE Module • 97
Internal Files and File System Files • 80 Introduction • 3, 4
L Legal Notification • 117 Locally Encrypted NSF Parsing Results • 54 Lotus Notes Local Encryption Support • 51
M Malware Scanning • 86 Message Boards • 123 Minimum Recommended Requirements • 4 Mount Network Share Options • 77 Mounted Files • 13 Mounting a Single Drive, Device, Volume, or Folder • 76 Mounting Evidence with VFS • 76 Mounting Non‐Windows Devices • 65
N New Virtual Machine Wizard • 68 NSF Encryption Support • 49
O Other File Systems • 83 Other Tools and Viewers • 87 Overriding HPA and DCO Settings • 97 Overview • 12
P Parsing a Locally Encrypted Mailbox • 51 PDE Troubleshooting • 73 Physical Disk Emulator • 61 Preparing Entries for Burning • 111 Preparing Reports for Burning • 113 Previewing a Write Blocked Device • 102 Product Matrix • 12, 13 Professional Services • 123
R RAIDs • 79 RAM and Disk Slack • 80 Recovering NSF Passwords • 49 Removing Write Block from a USB, FireWire, or SCSI Device • 100 Restoring • 102 Restrict Access by IP Address • 91
S S/MIME Encryption Support • 43 SafeBoot Encryption Support (Disk Encryption) • 23
Saving and Dismounting the Emulated Disk • 65 Secure Storage Items • 23 Secure Storage Tab • 17 Secure Storage Tab and EFS • 17 Selecting CD Information • 109, 115 Starting Physical Disk Emulator • 62 Support • 117 Supported CREDANT Encryption Algorithms • 41 Supported SafeBoot Encryption Algorithms • 26 Supported Utimaco SafeGuard Easy Encryption Algorithms • 26
T Technical Manuals and Release Notes • 118 Technical Support • 118, 123 Temporary Files Reminder • 67, 89 Third‐Party Tools • 67, 86 Training • 123 Troubleshooting • 93, 103 Troubleshooting a Failed S/MIME Decryption • 47 Turning Off IDE Write Block Protection • 99
U Using EDS • 14 Using Physical Disk Emulator • 62 Using the EnCase Interface • 85 Using the FastBloc SE Module • 98 Using Third‐Party Tools • 67 Using Windows Explorer • 85 Utimaco Challenge/Response Support • 26, 27 Utimaco SafeGuard Easy Encryption Known Limitation • 32 Utimaco SafeGuard Easy Encryption Support • 26
V Verifying the Modules are Installed • 6 VFS Module Specific Requirements • 4 VFS Server • 89 Virtual File System • 75 VMware/EnCase PDE FAQs • 72
W What is the CD/DVD Module? • 108 What is the FastBloc SE Module? • 96 What is the Physical Disk Emulator? • 62 What is VFS? • 76 Windows Key Architecture • 56 WinMagic SecureDoc Encryption Support • 34 Wiping • 102 Write Block Validation Testing and Disk Caching • 103
Write Blocking a USB, FireWire, or SCSI Device • 99 Write Blocking IDE and SATA Controller Cards • 98