EnCase Forensic Imager v7.09 User's Guide


EnCase Forensic Imager

VERSION 7.09

USERS GUIDE

GUIDANCE SOFTWARE | USERS GUIDE | ENCASE FORENSIC IMAGER

Copyright 2013 Guidance Software, Inc. All rights reserved.


EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance
Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and
brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or
may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation
to the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license
agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under
Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product
manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of
this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is
furnished for informational use only, and is subject to change at any time without notice.

Contents
CHAPTER 1

EnCase Forensic Imager User's Guide

Overview ............................................................................................................................................................ 5
Launching EnCase Forensic Imager .................................................................................................................... 5
Types of Acquisitions ......................................................................................................................................... 5
Sources of Acquisitions ...................................................................................................................................... 5
Types of Evidence Files ...................................................................................................................................... 6
EnCase Evidence Files ................................................................................................................................... 6
Logical Evidence Files ................................................................................................................................... 6
Raw Image Files ............................................................................................................................................ 6
Single Files .................................................................................................................................................... 6
Acquiring a Local Drive ....................................................................................................................................... 7
Acquiring Non-local Drives ........................................................................................................................... 7
Creating Encrypted Evidence Files ..................................................................................................................... 7
Creating an Encrypted Logical Evidence File ................................................................................................ 7
Creating an Encrypted Evidence File .......................................................................................................... 14
Acquiring Other Types of Supported Evidence Files ........................................................................................ 20
Verifying Evidence Files.................................................................................................................................... 20
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) .......................................... 21
Using a Write Blocker ....................................................................................................................................... 22
Windows-based Acquisitions with Tableau and FastBloc Write blockers .................................................. 22
Acquiring in Windows without a Tableau or FastBloc Write Blocker ......................................................... 22
Acquiring a Disk Running in Direct ATA Mode ................................................................................................. 23
Acquiring Disk Configurations .......................................................................................................................... 23
Software RAID ............................................................................................................................................ 24
RAID-10....................................................................................................................................................... 24
Hardware Disk Configuration ..................................................................................................................... 24
Windows NT Software Disk Configurations ................................................................................................ 24
Support for EXT4 Linux Software RAID Arrays ............................................................................................ 25
Dynamic Disk .............................................................................................................................................. 25
Disk Configuration Set Acquired as One Drive ........................................................................................... 26
Disk Configurations Acquired as Separate Drives....................................................................................... 26
Acquiring a DriveSpace Volume ....................................................................................................................... 27
Canceling an Acquisition .................................................................................................................................. 28
CD-DVD Inspector File Support ........................................................................................................................ 28
Reacquiring Evidence ....................................................................................................................................... 28
Reacquiring Evidence Files ......................................................................................................................... 29
Retaining the GUID During Evidence Reacquisition ................................................................................... 29
Adding Raw Image Files ................................................................................................................................... 29
Restoring a Drive .............................................................................................................................................. 30

Index ................................................................................................................................................................ 33

CHAPTER 1

EnCase Forensic Imager User's Guide
In This Chapter
Overview
Launching EnCase Forensic Imager
Types of Acquisitions
Sources of Acquisitions
Types of Evidence Files
Acquiring a Local Drive
Creating Encrypted Evidence Files
Acquiring Other Types of Supported Evidence Files
Verifying Evidence Files
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
Using a Write Blocker
Acquiring a Disk Running in Direct ATA Mode
Acquiring Disk Configurations
Acquiring a DriveSpace Volume
Canceling an Acquisition

Reacquiring Evidence
Adding Raw Image Files
Restoring a Drive

Overview
With EnCase Forensic Imager, you can acquire, reacquire, and translate evidence files into EnCase
evidence files that include CRC block checks, hash values, compression, and encryption. EnCase
Forensic Imager can read and write to current or legacy EnCase evidence files and EnCase Forensic
Imager logical evidence files.
With the LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn with
EnCase Forensic Imager, you can perform network crossover acquisitions.
This User's Guide provides detailed information about all types of EnCase Forensic Imager
acquisitions.
Note: EnCase Forensic Imager is not designed to be run on a suspect system, as it makes changes to the file
system, including writing to temporary files.

Launching EnCase Forensic Imager


To launch the application, double click the EnCase Forensic Imager.exe file.
Running the EnCase Forensic Imager executable auto extracts the tool to your Windows Temp
directory.

Types of Acquisitions
EnCase Forensic Imager can acquire evidence in four basic formats:
Current EnCase evidence files (.Ex01): .Ex01 format improves upon the .E01 format with LZ
compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing,
SHA-1 hashing, or both.
Current Logical evidence files (.Lx01): .Lx01 format improves upon the .L01 format with LZ
compression and options for MD5 hashing, SHA-1 hashing, or both. Encryption is not
available for legacy logical evidence (.L01) files.
Legacy EnCase evidence files (.E01): .E01 format makes current acquisitions accessible to
legacy versions of EnCase Forensic Imager.
Legacy Logical evidence files (.L01): .L01 format makes current logical acquisitions accessible
to legacy versions of EnCase.

Sources of Acquisitions
Sources for acquisitions within EnCase Forensic Imager include:
Previewed memory or local devices such as hard drives, memory cards, or flash drives.
Evidence files supported by EnCase Forensic Imager, including legacy EnCase evidence files
(.E01), legacy logical evidence files (.L01), current EnCase evidence files (.Ex01), current
logical evidence files (.Lx01), DD images, VMware files (.vmdk), or Virtual PC files (.vhd). You
can use these to create legacy EnCase evidence files and legacy logical evidence files, or you
can reacquire them as EnCase Forensic Imager .Ex01 or .Lx01 format, adding encryption, new
hashing options, and improved compression.
Single files selected to create a Logical Evidence File from an existing evidence file or an
acquired device.

Network crossover using LinEn and EnCase Forensic Imager to create .E01 files or .L01 files.
This strategy is useful when you want to preview a device without disassembling the host
computer. This is usually the case for a laptop, a machine running a RAID, or a machine
running a device with no available supporting controller.

Types of Evidence Files


EnCase Evidence Files
Legacy EnCase evidence files (.E01) are a byte-for-byte representation of a physical device or
logical volume. Current EnCase evidence files (.Ex01) can be encrypted; however, .Ex01 files are
not backward compatible with legacy versions of EnCase.
EnCase evidence files provide forensic level metadata, the device level hash value, and the
content of an acquired device.
Dragging and dropping an .E01 or .Ex01 file anywhere on the EnCase Forensic Imager interface
adds it to the currently opened case.

Logical Evidence Files


Logical evidence files (.L01) are created from previews, existing evidence files, or Smartphone
acquisitions. These are typically created after an analysis locates some files of interest, and for
forensic reasons, they are kept in a forensic container.
Current logical evidence files (.Lx01) provide encryption and hashing options, but they are not
backward compatible with legacy versions of EnCase.
When an .L01 or .Lx01 file is verified, the stored hash value is compared to the entry's current
hash value.
If the hash of the current content does not match the stored hash value, the hash is followed
by an asterisk (*).
If no content for the entry was stored upon file creation, but a hash was stored, the hash is
not compared to the empty file hash.
If no hash value was stored for the entry upon file creation, no comparison is done, and a
new hash value is not populated.
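The three verification rules above, as an added Python model that is not part of the guide or of EnCase itself; the entry structure, MD5 as the entry hash and the sample entries are constructed assumptions:

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LefEntry:
    """One entry as it might be recorded in a logical evidence file (constructed model)."""
    name: str
    stored_hash: Optional[str]   # hash recorded at creation, or None if no hash was stored
    content: Optional[bytes]     # content stored at creation, or None if content was not included


def current_hash(content: bytes) -> str:
    """Entry hash as recomputed at verification time (MD5 assumed, the guide's default)."""
    return hashlib.md5(content).hexdigest()


def verify_entry(entry: LefEntry) -> Optional[str]:
    """Apply the guide's three rules and return the hash string to display.

    - No stored hash: no comparison is done and no new hash is populated (None).
    - Stored hash but no stored content: the hash is shown unchanged; it is NOT
      compared against the hash of an empty file.
    - Stored hash and content: a mismatch marks the hash with a trailing '*'.
    """
    if entry.stored_hash is None:
        return None
    if entry.content is None:
        return entry.stored_hash
    if current_hash(entry.content) != entry.stored_hash.lower():
        return entry.stored_hash + "*"
    return entry.stored_hash


def verify_all(entries: List[LefEntry]) -> Dict[str, Optional[str]]:
    """Verify every entry of a (constructed) logical evidence file."""
    return {e.name: verify_entry(e) for e in entries}


# Constructed sample set covering each rule.
ORIGINAL = b"meeting notes 2013-05-01\n"
SAMPLE_ENTRIES = [
    LefEntry("notes.txt", current_hash(ORIGINAL), ORIGINAL),            # intact
    LefEntry("tampered.txt", current_hash(ORIGINAL), ORIGINAL + b"x"),  # content differs -> '*'
    LefEntry("hash_only.txt", current_hash(ORIGINAL), None),            # hash, no content -> no compare
    LefEntry("no_hash.txt", None, ORIGINAL),                            # no hash -> nothing populated
]

if __name__ == "__main__":
    for name, shown in verify_all(SAMPLE_ENTRIES).items():
        print(f"{name:14s} {shown}")
```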

Raw Image Files


Raw image files are a dump of the device or volume. There are no hash comparisons or CRC
checks. Therefore, raw image files are not as forensically sound as EnCase evidence files. Although
the files are not in EnCase evidence file format, EnCase Forensic Imager supports a number of
popular formats.
Before you can acquire raw image files, they must be added to a case. Raw image files are
converted to EnCase Forensic Imager evidence files during the acquisition process, adding CRC
checks and hash values if selected.

Single Files
You can export single files from a previewed/mounted device.

Acquiring a Local Drive


Before you begin, verify that the local drive to be acquired was added to the case.
1. To protect the local machine from changing the contents of the drive while its content is
being acquired, use a write blocker. See Using a Write Blocker on page 22.
2. Verify that the device being acquired shows in the Tree pane or the Table pane as write
protected.

Acquiring Non-local Drives


The LinEn utility acquires non-local drives by performing a network crossover acquisition. When
you use the LinEn utility to acquire a disk through a disk-to-disk acquisition, you must add the
resulting EnCase evidence file to the case using the Add Device wizard.

Creating Encrypted Evidence Files


Creating an Encrypted Logical Evidence File
To create an encrypted logical evidence file:
1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire
> Create Logical Evidence File from the dropdown menu.

Note: The folder highlighted when you click Create Logical Evidence File is treated as the
root folder for including entries in the logical evidence file. Only blue checked child entries
inside that folder are included. To include files from more than one folder, you must highlight
a folder that is a common parent. For instance, in the example above, if you wanted to
include files from both the System Volume Information and $Recycle Bin folders, you would
need to highlight either C, v7_Sample_Evidence, or Entries.

2. The Create Logical Evidence File dialog displays. It opens to the Location tab by default.

3. In the Location tab:
a. Enter the evidence file name.
b. Enter the evidence number.
c. Enter the case number.
d. Enter the examiner name.
e. Add notes, if desired.
f. Check the Add to existing evidence file checkbox if you want to add this file to an existing
logical evidence file. You must specify the output path to an existing logical evidence file
that is not locked.
g. Specify the output path for the logical evidence file.
4. In the Logical tab:

Source is the root level folder or device containing blue checked items to include in the
logical evidence file.
Files contains the number of files and the total size of the file or files to include in the logical
evidence file.
Target folder within Evidence File is an optional user-specified folder that is created inside
the logical evidence file. Any selected files in the source location are placed inside this folder.
This is useful for organizing multiple additions to a single logical evidence file.
Include contents of files checkbox: If checked, file content data displays in the View pane
when you open the logical evidence file.
File in use checkbox: If checked, the hash is computed when the file is read from evidence.
This is valuable when previewing live data that may have changed since initially calculating
the hash value.
Include original extents checkbox: If checked, original extent information is added to the
logical evidence file. Physical Location, Physical sector, and File Extents columns in the logical
evidence file will match the original entries.
Include contents of folder objects checkbox: If checked, folder content data displays in the
View pane when you open the logical evidence file.
Lock file when completed checkbox: If checked, the logical evidence file is locked after
creation.
5. In the Format tab:

a. For the Evidence File Format, select Current (Lx01). This is the default.
b. From the Entry Hash dropdown menu, select a hashing algorithm:
None
MD5 (default)
c. Specify Compression as Enabled (default) or Disabled.


d. Specify the File Segment Size (MB) (minimum: 30MB, maximum 8,796,093,018,112MB,
default: 2048MB).
6. Click the Encryption button to open the Encryption Details dialog.
Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder
of the current user profile. To save the encryption keys to a different location, right click in
the Encryption Details dialog, then click Change Root Path from the dropdown menu.

7. Click the key icon in the upper pane to open the New Encryption Key dialog.

8. Click Next to generate a new encryption key.

9. After the key is generated, the Password dialog displays.

10. Enter a name for the encryption key, then enter a password and enter the password again to
confirm it. The Password Quality bar indicates if the password you entered is acceptable.
11. When you have entered an acceptable password, confirm the password, then click Finish.

12. EnCase Forensic Imager prompts you to save the public key file you just created.

13. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just
created.

14. Click the checkbox for the new key, then click OK.

Using an Existing Public Key


If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of
the current user profile, then click Update.

Creating an Encrypted Evidence File


To create an encrypted evidence file:
1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire
> Acquire from the dropdown menu.

Note: If a physical device is added (a device that contains one or more volumes, such as
device 2, 3, 4, etc.), EnCase can either acquire the entire physical device, or a single volume
contained within that device. It depends on what you highlight in the tree pane.
o Highlighting Entries and acquiring acquires the entire physical device.
o Highlighting the device number (for example, 1, 2, 3, 4) or the evidence name (for
example, Hunter XP or V7_Sample_Evidence) acquires the entire physical device.
o Highlighting the volume (C, D, E, F, etc.) acquires that volume.
o Highlighting any folder or entry inside a volume acquires only the volume that contains
the highlighted entry.
If a volume (not a physical device) is added (for example, C, D, E, F, but not 1, 2, 3, 4), then the
volume is acquired regardless of what you highlight.

2. The Acquire Device dialog displays. It opens to the Location tab by default.

3. In the Location tab:
a. Enter the evidence file name.
b. Enter the evidence number.
c. Enter the case number.
d. Enter the examiner name.
e. Add notes, if desired.
f. Restart Acquisition restarts a canceled or disconnected acquisition. If the acquisition was
interrupted, but not canceled, that acquisition cannot be restarted.
g. Accept the designated Output Path, or browse to another location.
h. Enter an optional Alternate Path if desired.
4. In the Format tab:

a. For the Evidence File Format, select Current (Ex01). This is the default.
b. Specify Compression as Enabled (default) or Disabled.
c. From the Verification Hash dropdown menu, select a hashing algorithm:
MD5 (default)
SHA-1
MD5 and SHA-1

d. Specify the File Segment Size (MB) (minimum: 30MB, maximum 8,796,093,018,112MB,
default: 2048MB).
5. Click the Encryption button to open the Encryption Details dialog.
Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder
of the current user profile. To save the encryption keys to a different location, right click in
the Encryption Details dialog, then click Change Root Path from the dropdown menu.

6. Click the key icon in the upper pane to open the New Encryption Key dialog.

7. Click Next to generate a new encryption key.

8. After the key is generated, the Password dialog displays.

9. Enter a name for the encryption key, then enter a password and enter the password again to
confirm it. The Password Quality bar indicates if the password you entered is acceptable.
10. When you have entered an acceptable password, confirm the password, then click Finish.

11. EnCase Forensic Imager prompts you to save the public key file you just created.

12. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just
created.

13. Click the checkbox for the new key, then click OK.

Using an Existing Public Key


If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of
the current user profile, then click Update.

Acquiring Other Types of Supported Evidence Files


In addition to the native EnCase Forensic Imager file formats, .Ex01, .E01, .Lx01, and .L01, EnCase
Forensic Imager supports SafeBack files (.001), VMware files (.vmdk), and Virtual PC files (.vhd)
directly. To add any of these types of evidence files:
1. Select Add Evidence File from the Add Evidence view of the Home tab, or click the Add
Evidence dropdown menu while in the Evidence tab and select Add Evidence File.
2. The Add Evidence File Dialog displays. Use the dropdown menu at the bottom right corner of
the dialog to change to the appropriate file extension for your evidence or choose the All
Evidence Files option.
3. Navigate to the location of your evidence and select the first file of the evidence set as you
would for EnCase evidence files, then click Open.

Verifying Evidence Files


Verify Evidence Files checks CRC values of selected files. It is a way to ensure that evidence is not
tampered with. Verified CRC information is written out to a log file. From the Evidence tab, you
can check the CRC Errors tab in the bottom pane and bookmark any sectors that contain errors.
To perform an Evidence File verification:
1. Acquire the evidence files.
2. Add the evidence files to your case.
3. Click Tools > Verify Evidence Files.
4. The Verify Evidence Files file dialog opens.

5. Select one or more evidence files, then click Open. During verification, a progress bar displays
in the bottom right corner of the window.
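An added illustration, not EnCase code, of what block-level CRC verification adds over a single device hash: a corrupted block is reported as a sector range that could be bookmarked, while the MD5/SHA-1 mismatch alone only says that something changed. The image layout, CRC block size and sector size below are constructed assumptions.

```python
import hashlib
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SECTOR = 512
BLOCK_SECTORS = 64              # constructed: sectors covered by one CRC
BLOCK = SECTOR * BLOCK_SECTORS


@dataclass
class Image:
    """Constructed stand-in for an evidence file: device bytes plus integrity data from acquisition."""
    data: bytearray
    block_crcs: List[int] = field(default_factory=list)
    md5: str = ""
    sha1: str = ""


def acquire(device: bytes, use_sha1: bool = True) -> Image:
    """Mimic acquisition: store the bytes, one CRC32 per block, and the device-level hash(es)."""
    img = Image(bytearray(device))
    img.block_crcs = [zlib.crc32(device[i:i + BLOCK]) for i in range(0, len(device), BLOCK)]
    img.md5 = hashlib.md5(device).hexdigest()
    if use_sha1:
        img.sha1 = hashlib.sha1(device).hexdigest()
    return img


def verify(img: Image) -> Dict[str, object]:
    """Recompute every block CRC and the device hash; list bad blocks as (first, last) sectors."""
    bad_sectors: List[Tuple[int, int]] = []
    for idx, stored in enumerate(img.block_crcs):
        chunk = bytes(img.data[idx * BLOCK:(idx + 1) * BLOCK])
        if zlib.crc32(chunk) != stored:
            first = idx * BLOCK_SECTORS
            bad_sectors.append((first, first + len(chunk) // SECTOR - 1))
    md5_ok = hashlib.md5(img.data).hexdigest() == img.md5
    sha1_ok = (not img.sha1) or hashlib.sha1(img.data).hexdigest() == img.sha1
    return {
        "crc_errors": bad_sectors,
        "md5_ok": md5_ok,
        "sha1_ok": sha1_ok,
        "verified": not bad_sectors and md5_ok and sha1_ok,
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Acquire a constructed 3-block device, verify it, damage one byte, verify again."""
    device = bytes(range(256)) * (BLOCK * 3 // 256)
    img = acquire(device)
    clean = verify(img)
    img.data[BLOCK + 5 * SECTOR + 17] ^= 0xFF   # one byte in block 1 (absolute sector 69)
    damaged = verify(img)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean image verified:", clean["verified"])
    print("damaged image CRC errors (sector ranges):", damaged["crc_errors"])
    print("damaged image MD5 ok:", damaged["md5_ok"])
```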

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase Forensic Imager can detect and image DCO and/or HPA areas on any ATA-6 or higher-level
disk drive. These areas are detected using LinEn or a Tableau write blocker.
This applies to EnCase Forensic Imager applications using:
Tableau
LinEn when the Linux distribution used supports Direct ATA mode
The application now shows if a DCO area exists in addition to the HPA area on a target drive.
HPA is a special area located at the end of a disk. It is usually configured so the casual observer
cannot see it, and so it can be accessed only by reconfiguring the disk. HPA and DCO are extremely
similar: the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed
HPA at reboot. When supported, EnCase Forensic Imager applications see both areas if they
coexist on a hard drive.
It is important to note that if you choose to remove a DCO, it will make a permanent change to the
drive controller of the device.

Using a Write Blocker


Write blockers prevent inadvertent or intentional writes to an evidence disk. Their use is
described in these sections:
Windows-based Acquisitions with Tableau and FastBloc Write Blockers on page 22
Acquiring in Windows without a Tableau or FastBloc Write Blocker on page 22

Windows-based Acquisitions with Tableau and FastBloc Write blockers


The following write blockers are supported in EnCase Forensic Imager:

Tableau T35es
Tableau T35es-RW
Tableau T4
Tableau T6es
Tableau T8-R2
Tableau T9
FastBloc FE
FastBloc 2 FE v1
FastBloc 2 FE v2
FastBloc LE
FastBloc 2 LE
FastBloc 3 FE

Computer investigations require a fast, reliable means to acquire digital evidence. These are
hardware write blocking devices that enable the safe acquisition of subject media in Windows to
an EnCase evidence file.
The hardware versions of these write blockers are not standalone products. When attached to a
computer and a subject hard drive, a write blocker provides investigators with the ability to
quickly and safely preview or acquire data in a Windows environment. The units are lightweight,
self-contained, and portable for easy field acquisitions, with on-site verification immediately
following the acquisition.
Support for Tableau write blocker devices enables EnCase Forensic Imager to:
Identify a device connected through the Tableau device as write blocked.
Access the Host Protected Area (HPA) and access, via removing, the Device Configuration
Overlay (DCO) area of a drive using the Tableau device.
Note: EnCase Forensic Imager does not support access of DCO areas via EnScript. By default,
HPA is automatically disabled on the device.

Acquiring in Windows without a Tableau or FastBloc Write Blocker


Never acquire hard drives in Windows without a write blocker because Windows writes to any
local hard drive visible to it. Windows will, for example, put a Recycle Bin file on every hard drive
that it detects and will also change Last Accessed date and time stamps for those drives.
Media that Windows cannot write to are safe to acquire from within Windows, such as CD-ROMs,
write protected floppy diskettes, and write protected USB thumb drives.

Acquiring a Disk Running in Direct ATA Mode


If the Linux distribution supports the ATA mode, you will see a Mode option. You must set the
mode before acquiring the disk. An ATA disk can be acquired via the drive-to-drive method. The
ATA mode is useful for cases when the evidence drive has a Host Protected Area (HPA) or Device
Configuration Overlay (DCO). Only Direct ATA Mode can review and acquire these areas.
Before you begin, ensure that LinEn is configured as described in LinEn Setup Under SUSE, that
autofs is disabled (cleared), and that Linux is running in Direct ATA Mode.
1. If the FAT32 storage partition to be acquired has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console.
3. The LinEn main screen displays.
4. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA
mode.
5. Continue the drive-to-drive acquisition with Step 3 of Performing a Drive-to-Drive Acquisition
Using LinEn.

Acquiring Disk Configurations


Guidance Software uses the term disk configuration instead of RAID. A software disk configuration
is controlled by the operating system software (or LVM software), whereas a controller card
controls a hardware disk configuration. In a software disk configuration, information pertinent to
the layout of the partitions across the disks is located in the registry or at the end of the disk,
depending on the operating system; in a hardware disk configuration, it is stored in the BIOS of
the controller card. With each of these methods, you can create six disk configuration types:

Spanned
Mirrored
Striped
RAID-5
RAID-10
Basic

Software RAID
EnCase Forensic Imager applications support these software RAIDs:

Windows NT: see Windows NT Software Disk Configurations


Windows 2000: see Dynamic Disk
Windows XP: see Dynamic Disk
Windows 2003 Servers: see Dynamic Disk
Windows Vista: see Dynamic Disk
Windows Server 2008: see Dynamic Disk
Windows Server 2008R2: see Dynamic Disk
Windows 7: see Dynamic Disk

RAID-10
RAID-10 arrays require at least four drives, implemented as a striped array of RAID-1 arrays.

Hardware Disk Configuration


Hardware disk configurations can be acquired:
As one drive
As separate drives

Windows NT Software Disk Configurations


In a Windows NT file system, you can use the operating system to create different types of disk
configurations across multiple drives. The possible disk configurations are:

Spanned
Mirrored
Striped
RAID 5
Basic

The information detailing the types of partitions and the specific layout across multiple disks is
contained in the registry of the operating system. EnCase Forensic Imager applications can read
this registry information and resolve the configuration based on the key. The application can then
virtually mount the software disk configuration within the EnCase Forensic Imager case.
There are two ways to obtain the registry key:
Acquiring the drive
Backing up the drive
Acquire the drive containing the operating system. It is likely that this drive is part of the disk
configuration set, but in the event it is not (such as when the disk configuration is used for storage
purposes only), acquire the OS drive and add it to the case along with the disk configuration set
drives.
To make a backup disk on the subject machine, use Windows Disk Manager and select Backup
from the Partition option.

This creates a backup disk of the disk configuration information, placing the backup on a CD or
DVD. You can then copy the file into your EnCase Forensic Imager application using the Single Files
option, or you can acquire the CD or DVD and add it to the case. The case must have the disk
configuration set drives added to it as well. This process works only if you are working with a
restored clone of a subject computer. It is also possible a registry backup disk is at the location.
In the EnCase Forensic Imager Evidence tab, select the device containing the registry or the
backup disk and all devices which are members of the RAID. Click the Open button to go to the
Entry view of the Evidence tab. Select the disk containing the registry, click the dropdown menu
on the upper right menu of the Evidence tab. Select Device, then select Scan Disk Configuration.
At this point, the application attempts to build the virtual devices using information from the
registry key.

Support for EXT4 Linux Software RAID Arrays


EnCase Forensic Imager provides the ability to parse EXT4 Linux Software RAID arrays (for Ubuntu
version 9.1 and version 10.04), using the Scan for LVM option in the Device dropdown menu.
These configurations are supported:
RAID 1 (mirror)
RAID 10
Note: EnCase Forensic Imager does not support partial reconstruction of RAIDs. After parsing, all
RAID devices must have full descriptors or the process will fail.
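An added Python sketch, not EnCase's implementation, of resolving a RAID-10 set (a stripe of RAID-1 mirrors, as described under RAID-10) from member disk images, and of refusing to build a device when a mirror has no member with a descriptor, in the spirit of the note above. The stripe size, descriptor fields and sample set are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

STRIPE = 4096  # constructed stripe (chunk) size in bytes


@dataclass
class Member:
    """A member disk as added to the case: descriptor fields plus the image bytes (constructed model)."""
    set_id: str    # identifies the array this disk belongs to
    mirror: int    # index of the RAID-1 pair this disk is a copy of
    image: bytes


class ReconstructionError(Exception):
    """The set cannot be resolved; no partial virtual device is produced."""


def scan_disk_configuration(members: List[Member], mirrors: int) -> bytes:
    """Rebuild the virtual RAID-10 device from the members that are present.

    Data is striped across `mirrors` RAID-1 pairs: stripe s lives on pair s % mirrors.
    Every pair needs at least one readable member, all members must name the same set,
    and the copies in a pair must agree; otherwise the whole scan fails.
    """
    pairs: Dict[int, List[Member]] = {i: [] for i in range(mirrors)}
    for m in members:
        if m.mirror not in pairs:
            raise ReconstructionError(f"member descriptor names unknown mirror {m.mirror}")
        pairs[m.mirror].append(m)

    missing = [i for i, disks in pairs.items() if not disks]
    if missing:
        raise ReconstructionError(f"no member with a full descriptor for mirror(s) {missing}")

    set_ids = {m.set_id for m in members}
    if len(set_ids) != 1:
        raise ReconstructionError(f"members come from different sets: {sorted(set_ids)}")

    for i, disks in pairs.items():
        if any(d.image != disks[0].image for d in disks[1:]):
            raise ReconstructionError(f"copies in mirror {i} do not agree")

    stripes_per_member = len(pairs[0][0].image) // STRIPE
    virtual = bytearray()
    for s in range(stripes_per_member):
        for i in range(mirrors):
            virtual += pairs[i][0].image[s * STRIPE:(s + 1) * STRIPE]
    return bytes(virtual)


def scan_fails(members: List[Member], mirrors: int) -> bool:
    """True when the scan refuses to build a device (shows the failure mode)."""
    try:
        scan_disk_configuration(members, mirrors)
        return False
    except ReconstructionError:
        return True


def build_sample_set(virtual: bytes, mirrors: int = 2) -> List[Member]:
    """Constructed: split a virtual device into a RAID-10 set with two disks per mirror."""
    per_mirror = [bytearray() for _ in range(mirrors)]
    for s in range(len(virtual) // STRIPE):
        per_mirror[s % mirrors] += virtual[s * STRIPE:(s + 1) * STRIPE]
    return [Member("set-A", i, bytes(per_mirror[i])) for i in range(mirrors) for _ in range(2)]


# Constructed 8-stripe virtual device; MEMBERS is ordered mirror0, mirror0, mirror1, mirror1.
VIRTUAL = bytes((i * 7) % 256 for i in range(STRIPE * 8))
MEMBERS = build_sample_set(VIRTUAL)

if __name__ == "__main__":
    print("full set rebuilt:", scan_disk_configuration(MEMBERS, 2) == VIRTUAL)
    print("one disk per mirror rebuilt:", scan_disk_configuration([MEMBERS[0], MEMBERS[3]], 2) == VIRTUAL)
    print("mirror 1 lost entirely, scan fails:", scan_fails(MEMBERS[:2], 2))
```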

Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003
Server, Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 Server R2. The
information pertinent to building the configuration resides at the end of the disk rather than in a
registry key. Therefore, each physical disk in this configuration contains the information necessary
to reconstruct the original setup. EnCase Forensic Imager applications read the Dynamic Disk
partition structure and resolve the configurations based on the information extracted.
To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case.
In the Evidence tab, select the devices involved in the Dynamic Disk and click the Open button on
the menu bar to change to the Entries view of the Evidence tab. Select the devices then click the
dropdown menu at the top right of the Evidence tab. Select Device and choose Scan Disk
Configuration.
If the resulting disk configurations seem incorrect, you can manually edit them by returning to the
highest Evidence view of the Evidence tab. Select the Disk Configuration option, click the
dropdown menu from the top right corner of the Evidence tab, and select Edit Disk Configuration.


Disk Configuration Set Acquired as One Drive


Unlike software disk configurations, those controlled by hardware contain necessary configuration
information in the card's BIOS. Because the disk configuration is controlled by hardware, EnCase
Forensic Imager cannot automatically reconstruct the configurations from the physical disks.
However, since the pertinent information to rebuild the set is contained within the controller, the
computer (with the controller card) actually sees a hardware disk configuration as one (virtual)
drive, regardless of whether the set consists of two or more drives. Therefore, if the investigator
acquires the set in its native environment, the disk configuration can be acquired as one drive,
which is the easiest option. The best method for performing such an acquisition is to conduct a
crossover network cable acquisition.
Note: The LinEn boot disk for the subject computer needs to have Linux drivers for that particular RAID
controller card.

To acquire the set:


1. Keep the disk configuration intact in its native environment.
2. Boot the subject computer with a Live Linux Boot Disk containing the LinEn utility and
configured with the drivers for the RAID controller card.
3. Launch the LinEn utility.
Note: The BIOS interprets the disk configuration as one drive, so EnCase Forensic Imager
applications will as well. The investigator sees the disk configuration as one drive.

4. Acquire the disk configuration as you normally acquire a single hard drive, depending on the
means of acquisition. Crossover network cable or drive-to-drive acquisition is
straightforward, as long as the set is acquired as one drive.
If the physical drives were acquired separately, or could not be acquired in the native
environment, EnCase Forensic Imager can edit the hardware set manually.

Disk Configurations Acquired as Separate Drives


Sometimes acquiring the hardware disk configuration as one drive is not possible, or the method
of assembling a software disk configuration seems incorrect. Editing a disk configuration requires
this information:

Stripe size
Start sector
Length per physical disk
Whether the striping is right-handed

You can collect this data from the BIOS of the controller card for a hardware set, or from the
registry for software sets.
When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can
still rebuild the virtual disk using parity information from the other disks in the configuration,
which is detected automatically during the reconstruction of hardware disk configurations using
the Scan Disk Configuration command.


To acquire a disk configuration set as one disk:


1. Add the evidence files to one case.
2. On the Evidence tab, click the down arrow in the far right corner to display a dropdown
menu, then click Create Disk Configuration.

3. The Disk Configuration dialog displays. Enter a name for your disk configuration. Click the
appropriate disk configuration.
4. Right click the empty space under Component Devices and click New.
5. Enter the start sector and size of the selected disk configuration, select the drive image which
belongs as the first element of the RAID, then click OK.
6. Repeat steps 4 and 5 for each additional element drive of the RAID in order.
7. Back at the main Disk Configuration screen, set the Stripe Size, select whether this is a
Physical Disk Image, and whether it uses Right-Handed Striping.
8. Once you are sure that the settings and order of the drives is correct, click OK. EnCase
Forensic Imager will generate a new item in your Evidence tab containing the RAID rebuilt to
your specifications. This new Disk Configuration can be acquired to an EnCase evidence file
and processed in the Evidence Processor just like a physical drive.
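The parameters listed above (stripe size, start sector, length per physical disk, striping direction) and the parity-based rebuild of a RAID-5 with one missing member, shown as an added example that is not part of this guide and not EnCase code. The stripe layout (parity starting on the last disk and rotating toward the first when right-handed, data stripes filling the remaining slots in disk order), the 512-byte sector size and the member images are constructed assumptions.

```python
# Added example, not EnCase code; the RAID-5 layout below is an assumed simplified one.
from functools import reduce

SECTOR = 512  # bytes per sector (assumed)

def _xor(chunks):
    """XOR equally sized byte strings together (RAID-5 parity)."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), chunks)

def _parity_disk(row, n, right_handed):
    """Assumed: right-handed parity starts on the last disk and rotates toward the first."""
    return (n - 1 - row) % n if right_handed else row % n

def build_members(data, n, stripe_sectors, start_sector, right_handed=True):
    """Constructed test data: split a logical disk into n member images."""
    stripe = stripe_sectors * SECTOR
    disks = [bytearray(b"\xaa" * (start_sector * SECTOR)) for _ in range(n)]
    for r in range(len(data) // ((n - 1) * stripe)):
        row = data[r * (n - 1) * stripe:(r + 1) * (n - 1) * stripe]
        pieces = [row[i * stripe:(i + 1) * stripe] for i in range(n - 1)]
        it, p = iter(pieces), _parity_disk(r, n, right_handed)
        for d in range(n):  # data stripes fill the non-parity slots in disk order
            disks[d] += _xor(pieces) if d == p else next(it)
    return [bytes(d) for d in disks]

def rebuild_raid5(members, stripe_sectors, start_sector, length_sectors, right_handed=True):
    """Return the virtual disk; members hold image bytes, or None for a lost disk."""
    n, stripe, base = len(members), stripe_sectors * SECTOR, start_sector * SECTOR
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID-5 parity can rebuild at most one missing member")
    out = bytearray()
    for r in range(length_sectors * SECTOR // stripe):
        lo, hi = base + r * stripe, base + (r + 1) * stripe
        chunks = [None if m is None else m[lo:hi] for m in members]
        if missing:  # lost stripe = XOR of every surviving stripe in the row
            chunks[missing[0]] = _xor([c for c in chunks if c is not None])
        p = _parity_disk(r, n, right_handed)
        out += b"".join(c for d, c in enumerate(chunks) if d != p)
    return bytes(out)

def demo():
    """Rebuild a constructed 4-disk, 4 KiB-stripe set with one member missing."""
    data = bytes((i // 4096 * 37 + i) & 0xFF for i in range(12 * 4096))
    members = build_members(data, 4, 8, 63)
    members[2] = None  # simulate the bad or missing drive
    return rebuild_raid5(members, 8, 63, 32) == data
```

Rebuilding with the wrong striping direction yields a virtual disk that does not match the original, which is why the guide has you verify the settings and drive order before clicking OK.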

Acquiring a DriveSpace Volume


DriveSpace volumes are only recognized as such after they are acquired and mounted into a case.
On the storage computer, mount the DriveSpace file as a volume, then acquire it again to see the
directory structure and files.
To acquire a DriveSpace volume:
1. A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace
volume. A FAT16 partition can be created only with a FAT16 OS (such as Windows 95).
2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using
format.exe.
3. Image the DriveSpace volume.
4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or
DRVSPACE.000.

5. Right click the file and copy/unerase it to the FAT16 partition on the storage computer.
6. In Windows 98, click Start > All Programs > Accessories > System Tools > DriveSpace.
7. Launch DriveSpace.
8. Select the FAT16 partition containing the compressed .000 file.
9. Select Advanced > Mount > DRVSPACE.000, then click OK, noting the drive letter assigned to it.
The Compressed Volume File (.000) from the previous drive is now seen as folders and files in
a new logical volume.
10. Acquire this new volume.
11. Create the evidence file and add to your case. You can now view the compressed drive.

Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, you can restart the acquisition.
To cancel an acquisition while it is running:
1. At the bottom right corner of the main window, double click the Thread Status line. The
Thread Status dialog displays.

2. Click Yes. The acquisition is canceled. You can restart it at a later time.

CD-DVD Inspector File Support


EnCase Forensic Imager applications support viewing files created using CD/DVD Inspector, a
third-party product. Treat these files as single files when adding them, as zip files, or as composite
files when using the file viewer. Drag single files into the application.

Reacquiring Evidence
When you have a raw evidence file generated outside an EnCase application, reacquiring it results
in the creation of an EnCase evidence file containing the content of the raw evidence file and
providing the opportunity to hash the evidence, add case metadata, and add CRC block checks.
You may also want to reacquire an existing EnCase evidence file to change the compression
settings or the file segment size.


Reacquiring Evidence Files


Start by adding the evidence file(s) to your case as previously described. You can reacquire
evidence either from the Evidence tab or through the Evidence processor. To acquire in the
Evidence tab:
1. Select the items you want to reacquire.
2. Click the Open button to change to the Entries view of the Evidence tab.
3. Highlight the item you want to reacquire, click Acquire on the top menu, and select Acquire
from the dropdown menu.
4. Complete the Acquire Device dialog as you would for previewed evidence.
5. You can repeat steps 3 and 4 for each device or volume you want to reacquire.

Retaining the GUID During Evidence Reacquisition


EnCase Forensic Imager now provides an option that retains the GUID when evidence is
reacquired. To retain the GUID, select the Keep GUID checkbox that displays in the Advanced tab
of the Acquire Device dialog. To open the Acquire Device dialog, select the device for acquisition.

Adding Raw Image Files


Reacquiring raw evidence files like DD images or CD-ROM .iso files embeds the device contents
within an EnCase evidence file adding case metadata, CRC block checks and, optionally, the hash
value of that image.
To acquire a raw evidence file:
1. In the Add Evidence dropdown menu, click Add Raw Image.

2. The Add Raw Image dialog opens.

3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the
Component Files list. For DD images or other raw images consisting of more than one
segment, the segments must all be added in their exact order from first to last.
4. Click the Generate true GUID checkbox for EnCase Forensic Imager to generate a unique
GUID if a match is found.
5. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.
6. A Disk Image object displays in the Evidence tab.
7. You can reacquire this image as you would any other supported evidence or previewed
device.

Restoring a Drive
The following steps describe how to restore a drive. Note that before you begin, you first need to
add evidence to the case.
1. From the EnCase Forensic Imager top toolbar, select the Evidence option from the View
dropdown.
2. In the Table view, click the evidence file with the device you would like to restore.
3. From the Device dropdown on the Evidence tab menu, select Restore. The Restore dialog
displays.


4. Click Next to collect local hard drives.


5. From the list of Local Devices, click the drive you want to restore.
6. Click Next. The Drives dialog displays.
7. Select options for wiping and verification.
8. Click Finish.
9. A dialog displays asking you to verify the local drive selection. Verify that you are restoring to
the correct drive by typing Yes, then click OK.
The bar in the lower right corner of the screen tracks the progress of the restore.

Index
A
Acquiring a Disk Running in Direct ATA Mode 23
Acquiring a DriveSpace Volume 27
Acquiring a Local Drive 7
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) 21
Acquiring Disk Configurations 23
Acquiring in Windows without a Tableau or FastBloc Write Blocker 22
Acquiring Non-local Drives 7
Acquiring Other Types of Supported Evidence Files 20
Adding Raw Image Files 29

C
Canceling an Acquisition 28
CD-DVD Inspector File Support 28
Creating an Encrypted Evidence File 14
Creating an Encrypted Logical Evidence File 7
Creating Encrypted Evidence Files 7

D
Disk Configuration Set Acquired as One Drive 26
Disk Configurations Acquired as Separate Drives 26
Dynamic Disk 25

E
EnCase Evidence Files 6
EnCase Forensic Imager User's Guide 3

H
Hardware Disk Configuration 24

L
Launching EnCase Forensic Imager 5
Logical Evidence Files 6

O
Overview 5

R
RAID-10 24
Raw Image Files 6
Reacquiring Evidence 28
Reacquiring Evidence Files 29
Restoring a Drive 30
Retaining the GUID During Evidence Reacquisition 29

S
Single Files 6
Software RAID 24
Sources of Acquisitions 5
Support for EXT4 Linux Software RAID Arrays 25

T
Types of Acquisitions 5
Types of Evidence Files 6

U
Using a Write Blocker 22

V
Verifying Evidence Files 20

W
Windows NT Software Disk Configurations 24
Windows-based Acquisitions with Tableau and FastBloc Write blockers 22
