EnCase Forensic Imager v7.09 User's Guide
VERSION 7.09
USERS GUIDE
Contents
CHAPTER 1
Overview
Launching EnCase Forensic Imager
Types of Acquisitions
Sources of Acquisitions
Types of Evidence Files
    EnCase Evidence Files
    Logical Evidence Files
    Raw Image Files
    Single Files
Acquiring a Local Drive
    Acquiring Non-local Drives
Creating Encrypted Evidence Files
    Creating an Encrypted Logical Evidence File
    Creating an Encrypted Evidence File
Acquiring Other Types of Supported Evidence Files
Verifying Evidence Files
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
Using a Write Blocker
    Windows-based Acquisitions with Tableau and FastBloc Write Blockers
    Acquiring in Windows without a Tableau or FastBloc Write Blocker
Acquiring a Disk Running in Direct ATA Mode
Acquiring Disk Configurations
    Software RAID
    RAID-10
    Hardware Disk Configuration
    Windows NT Software Disk Configurations
    Support for EXT4 Linux Software RAID Arrays
    Dynamic Disk
    Disk Configuration Set Acquired as One Drive
    Disk Configurations Acquired as Separate Drives
Acquiring a DriveSpace Volume
Canceling an Acquisition
CD-DVD Inspector File Support
Reacquiring Evidence
    Reacquiring Evidence Files
    Retaining the GUID During Evidence Reacquisition
Adding Raw Image Files
Restoring a Drive
CHAPTER 1
Overview
With EnCase Forensic Imager, you can acquire, reacquire, and translate evidence files into EnCase
evidence files that include CRC block checks, hash values, compression, and encryption. EnCase
Forensic Imager can read and write to current or legacy EnCase evidence files and EnCase Forensic
Imager logical evidence files.
With the LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn with
EnCase Forensic Imager, you can perform network crossover acquisitions.
This User's Guide provides detailed information about all types of EnCase Forensic Imager
acquisitions.
Note: EnCase Forensic Imager is not designed to be run on a suspect system, as it makes changes to the file
system, including writing to temporary files.
Types of Acquisitions
EnCase Forensic Imager can acquire evidence in four basic formats:
Current EnCase evidence files (.Ex01): .Ex01 format improves upon the .E01 format with LZ
compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing,
SHA-1 hashing, or both.
Current Logical evidence files (.Lx01): .Lx01 format improves upon the .L01 format with LZ
compression and options for MD5 hashing, SHA-1 hashing, or both. Encryption is not
available for legacy logical evidence (.L01) files.
Legacy EnCase evidence files (.E01): .E01 format makes current acquisitions accessible to
legacy versions of EnCase.
Legacy Logical evidence files (.L01): .L01 format makes current logical acquisitions accessible
to legacy versions of EnCase.
Sources of Acquisitions
Sources for acquisitions within EnCase Forensic Imager include:
Previewed memory or local devices such as hard drives, memory cards, or flash drives.
Evidence files supported by EnCase Forensic Imager, including legacy EnCase evidence files
(.E01), legacy logical evidence files (.L01), current EnCase evidence files (.Ex01), current
logical evidence files (.Lx01), DD images, VMware files (.vmdk), or Virtual PC files (.vhd). You
can use these to create legacy EnCase evidence files and legacy logical evidence files, or you
can reacquire them as EnCase Forensic Imager .Ex01 or .Lx01 format, adding encryption, new
hashing options, and improved compression.
Single files selected to create a Logical Evidence File from an existing evidence file or an
acquired device.
Single Files
You can export single files from a previewed/mounted device.
Note: The folder highlighted when you click Create Logical Evidence File is treated as the
root folder for including entries in the logical evidence file. Only blue checked child entries
inside that folder are included. To include files from more than one folder, you must highlight
a folder that is a common parent. For instance, in a case whose tree reads Entries,
v7_Sample_Evidence, C, if you wanted to include files from both the System Volume Information
and $Recycle Bin folders, you would need to highlight C, v7_Sample_Evidence, or Entries.
Source is the root level folder or device containing blue checked items to include in the
logical evidence file.
Files contains the number of files and the total size of the file or files to include in the logical
evidence file.
Target folder within Evidence File is an optional user-specified folder that is created inside
the logical evidence file. Any selected files in the source location are placed inside this folder.
This is useful for organizing multiple additions to a single logical evidence file.
Include contents of files checkbox: If checked, file content data displays in the View pane
when you open the logical evidence file.
File in use checkbox: If checked, the hash is computed when the file is read from evidence.
This is valuable when previewing live data that may have changed since initially calculating
the hash value.
Include original extents checkbox: If checked, original extent information is added to the
logical evidence file. Physical Location, Physical sector, and File Extents columns in the logical
evidence file will match the original entries.
Include contents of folder objects checkbox: If checked, folder content data displays in the
View pane when you open the logical evidence file.
Lock file when completed checkbox: If checked, the logical evidence file is locked after
creation.
5. In the Format tab, choose the hashing option:
None
MD5 (default)
7. Click the key icon in the upper pane to open the New Encryption Key dialog.
10. Enter a name for the encryption key, then enter a password and enter it again to confirm
it. The Password Quality bar indicates whether the password you entered is acceptable.
11. When the password is acceptable and confirmed, click Finish.
13. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just
created.
14. Click the checkbox for the new key, then click OK.
Note: If a physical device is added (a device that contains one or more volumes, such as
device 2, 3, 4, etc.), EnCase can acquire either the entire physical device or a single volume
contained within it, depending on what you highlight in the tree pane.
If a volume (not a physical device) is added (for example, C, D, E, F, but not 1, 2, 3, 4), the
volume is acquired regardless of what you highlight.
2. The Acquire Device dialog displays. It opens to the Location tab by default.
MD5 (default)
SHA-1
d. Specify the File Segment Size (MB) (minimum: 30MB, maximum 8,796,093,018,112MB,
default: 2048MB).
5. Click the Encryption button to open the Encryption Details dialog.
Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder
of the current user profile. To save the encryption keys to a different location, right click in
the Encryption Details dialog, then click Change Root Path from the dropdown menu. Keep the
key file and its password under the same custody and backup controls as the evidence itself: an
encrypted evidence file cannot be opened without them.
6. Click the key icon in the upper pane to open the New Encryption Key dialog.
9. Enter a name for the encryption key, then enter a password and enter it again to confirm
it. The Password Quality bar indicates whether the password you entered is acceptable.
10. When the password is acceptable and confirmed, click Finish.
12. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just
created.
13. Click the checkbox for the new key, then click OK.
5. Select one or more evidence files, then click Open. During verification, a progress bar displays
in the bottom right corner of the window.
Tableau T35es
Tableau T35es-RW
Tableau T4
Tableau T6es
Tableau T8-R2
Tableau T9
FastBloc FE
FastBloc 2 FE v1
FastBloc 2 FE v2
FastBloc LE
FastBloc 2 LE
FastBloc 3 FE
Computer investigations require a fast, reliable means to acquire digital evidence. The devices
listed above are hardware write blockers that enable the safe acquisition of subject media in
Windows to an EnCase evidence file.
The hardware versions of these write blockers are not standalone products. When attached to a
computer and a subject hard drive, a write blocker provides investigators with the ability to
quickly and safely preview or acquire data in a Windows environment. The units are lightweight,
self-contained, and portable for easy field acquisitions, with on-site verification immediately
following the acquisition.
Support for Tableau write blocker devices enables EnCase Forensic Imager to:
Identify a device connected through the Tableau device as write blocked.
Access the Host Protected Area (HPA) of a drive and, by removing the Device Configuration
Overlay (DCO) through the Tableau device, access the DCO area as well. Removing a DCO changes
the capacity the drive reports, so record the drive's original configuration before doing so.
Note: EnCase Forensic Imager does not support access of DCO areas via EnScript. By default,
HPA is automatically disabled on the device.
Spanned
Mirrored
Striped
RAID-5
RAID-10
Basic
Software RAID
EnCase Forensic Imager applications support these software RAIDs:
RAID-10 (requires at least four drives, implemented as a striped array of RAID-1 arrays)
Spanned
Mirrored
Striped
RAID-5
Basic
The information detailing the types of partitions and the specific layout across multiple disks is
contained in the registry of the operating system. EnCase Forensic Imager applications can read
this registry information and resolve the configuration based on the key. The application can then
virtually mount the software disk configuration within the EnCase Forensic Imager case.
There are two ways to obtain the registry key:
Acquiring the drive
Backing up the disk configuration
Acquire the drive containing the operating system. This drive is usually part of the disk
configuration set, but if it is not (for example, when the disk configuration is used for storage
only), acquire the OS drive and add it to the case along with the disk configuration set drives.
To make a backup disk on the subject machine, use Windows Disk Manager and select Backup
from the Partition option.
This creates a backup of the disk configuration information on a CD or DVD. You can then copy
the file into your EnCase Forensic Imager application using the Single Files option, or you can
acquire the CD or DVD and add it to the case. The case must also contain the disk configuration
set drives. Because this step runs on the subject machine, perform it only on a restored clone of
the subject computer, never on the original. A registry backup disk may also already exist at the
scene.
In the EnCase Forensic Imager Evidence tab, select the device containing the registry or the
backup disk and all devices which are members of the RAID. Click the Open button to go to the
Entry view of the Evidence tab. Select the disk containing the registry, click the dropdown menu
on the upper right menu of the Evidence tab. Select Device, then select Scan Disk Configuration.
At this point, the application attempts to build the virtual devices using information from the
registry key.
Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003
Server, Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 Server R2. The
information pertinent to building the configuration resides at the end of the disk rather than in a
registry key. Therefore, each physical disk in this configuration contains the information necessary
to reconstruct the original setup. EnCase Forensic Imager applications read the Dynamic Disk
partition structure and resolve the configurations based on the information extracted.
To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case.
In the Evidence tab, select the devices involved in the Dynamic Disk and click the Open button on
the menu bar to change to the Entries view of the Evidence tab. Select the devices then click the
dropdown menu at the top right of the Evidence tab. Select Device and choose Scan Disk
Configuration.
If the resulting disk configurations seem incorrect, you can manually edit them by returning to the
highest Evidence view of the Evidence tab. Select the Disk Configuration option, click the
dropdown menu from the top right corner of the Evidence tab, and select Edit Disk Configuration.
4. Acquire the disk configuration as you normally acquire a single hard drive, depending on the
means of acquisition. Crossover network cable or drive-to-drive acquisition is
straightforward, as long as the set is acquired as one drive.
Disk Configurations Acquired as Separate Drives
If the physical drives were acquired separately, or could not be acquired in the native
environment, you can define the hardware set manually in EnCase Forensic Imager. You need:
Stripe size
Start sector
Length per physical disk
Whether the striping is right handed
You can collect this data from the BIOS of the controller card for a hardware set, or from the
registry for software sets.
When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can
still rebuild the virtual disk from the parity information on the remaining disks. The missing
member is detected automatically when a hardware disk configuration is reconstructed with the
Scan Disk Configuration command.
3. The Disk Configuration dialog displays. Enter a name for your disk configuration. Click the
appropriate disk configuration.
4. Right click the empty space under Component Devices and click New.
5. Enter the start sector and size of the selected disk configuration, select the drive image which
belongs as the first element of the RAID, then click OK.
6. Repeat steps 4 and 5 for each additional element drive of the RAID in order.
7. Back at the main Disk Configuration screen, set the Stripe Size, select whether this is a
Physical Disk Image, and whether it uses Right-Handed Striping.
8. Once you are sure that the settings and order of the drives is correct, click OK. EnCase
Forensic Imager will generate a new item in your Evidence tab containing the RAID rebuilt to
your specifications. This new Disk Configuration can be acquired to an EnCase evidence file
and processed in the Evidence Processor just like a physical drive.
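The following is an added example, written in Python for this page and not EnCase code, of what the Stripe Size, Start Sector, Length per Physical Disk, Right-Handed Striping and drive order in the steps above actually determine, and of how a RAID-5 set with one missing or bad member is still rebuilt from parity. The interpretation of right-handed versus left-handed parity rotation, the asymmetric data layout, and the four-member sample array (4 KiB stripes, RAID region starting at sector 63) are assumptions made for the example, not definitions taken from the guide.

```python
"""Added example: rebuilding a RAID-5 set from component disk images."""
from typing import Dict, List, Optional

SECTOR = 512


def parity_disk(row: int, n_disks: int, right_handed: bool) -> int:
    """Which member holds the parity chunk in stripe row `row`.

    Assumption (the guide does not define the term): left-handed rotation puts the
    first row's parity on the last disk and moves it toward disk 0 on each row;
    right-handed starts on disk 0 and moves toward the last disk. Data chunks
    occupy the remaining members in disk order (the "asymmetric" layouts).
    """
    if right_handed:
        return row % n_disks
    return (n_disks - 1) - (row % n_disks)


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Bytewise XOR of equally sized chunks: RAID-5 parity, and also the recovery rule."""
    acc = 0
    for c in chunks:
        acc ^= int.from_bytes(c, "big")
    return acc.to_bytes(len(chunks[0]), "big")


def rebuild_raid5(members: List[Optional[bytes]], stripe_size: int,
                  start_sector: int, length_sectors: int, right_handed: bool) -> bytes:
    """Reassemble the logical volume from member images given in array order.

    `members` may contain one None for a missing or bad disk; its chunks are
    recovered as the XOR of the surviving chunks in the same row. `start_sector`
    and `length_sectors` are per member, as in the Disk Configuration dialog.
    """
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID-5 can recover at most one missing member")
    n, start = len(members), start_sector * SECTOR
    rows = (length_sectors * SECTOR) // stripe_size
    out = bytearray()
    for r in range(rows):
        off = start + r * stripe_size
        chunks = [None if m is None else m[off:off + stripe_size] for m in members]
        if missing:
            chunks[missing[0]] = xor_chunks([c for c in chunks if c is not None])
        p = parity_disk(r, n, right_handed)
        out += b"".join(c for i, c in enumerate(chunks) if i != p)
    return bytes(out)


def build_raid5(logical: bytes, n_disks: int, stripe_size: int,
                start_sector: int, right_handed: bool) -> List[bytes]:
    """Inverse of rebuild_raid5: lay a volume out as RAID-5 to make sample members."""
    data_per_row = stripe_size * (n_disks - 1)
    if len(logical) % data_per_row:
        raise ValueError("sample volume must be a whole number of stripe rows")
    # Filler stands in for whatever precedes the RAID region on each member.
    members = [bytearray(b"\xAA" * (start_sector * SECTOR)) for _ in range(n_disks)]
    for r in range(len(logical) // data_per_row):
        row = logical[r * data_per_row:(r + 1) * data_per_row]
        data = [row[i * stripe_size:(i + 1) * stripe_size] for i in range(n_disks - 1)]
        p = parity_disk(r, n_disks, right_handed)
        placed = data[:p] + [xor_chunks(data)] + data[p:]
        for d in range(n_disks):
            members[d] += placed[d]
    return [bytes(m) for m in members]


# Constructed sample (assumption): four members, 8-sector (4 KiB) stripes, RAID region
# starting at sector 63 of each member and 24 sectors long, i.e. three stripe rows.
N_DISKS, STRIPE_SIZE, START_SECTOR, LENGTH_SECTORS = 4, 4096, 63, 24
LOGICAL = bytes(((i * 31) ^ (i >> 8)) & 0xFF for i in range(3 * (N_DISKS - 1) * STRIPE_SIZE))
MEMBERS = build_raid5(LOGICAL, N_DISKS, STRIPE_SIZE, START_SECTOR, right_handed=False)


def demo() -> Dict[str, bool]:
    """Correct parameters rebuild the volume even with a member missing; wrong ones do not."""
    degraded = list(MEMBERS)
    degraded[1] = None  # member 1 missing or unreadable
    swapped = [MEMBERS[1], MEMBERS[0], MEMBERS[2], MEMBERS[3]]  # drive order wrong
    args = (STRIPE_SIZE, START_SECTOR, LENGTH_SECTORS)
    return {
        "complete": rebuild_raid5(MEMBERS, *args, False) == LOGICAL,
        "degraded": rebuild_raid5(degraded, *args, False) == LOGICAL,
        "wrong_handedness": rebuild_raid5(MEMBERS, *args, True) == LOGICAL,
        "wrong_order": rebuild_raid5(swapped, *args, False) == LOGICAL,
    }


if __name__ == "__main__":
    print(demo())
```

The last two results are the reason step 8 tells you to be sure of the settings and drive order before clicking OK: a wrong handedness or a swapped member still produces a full-size virtual disk, just one whose contents are interleaved with parity or out of sequence, which the acquisition and hashing steps will happily accept as valid data.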
Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, you can restart the acquisition.
To cancel an acquisition while it is running:
1. At the bottom right corner of the main window, double click the Thread Status line. The
Thread Status dialog displays.
2. Click Yes. The acquisition is canceled. You can restart it at a later time.
Reacquiring Evidence
When you have a raw evidence file generated outside an EnCase application, reacquiring it creates
an EnCase evidence file containing the content of the raw evidence file, with the opportunity to
hash the evidence and add case metadata and CRC block checks. If a hash was documented when the
raw image was originally made, compare it with the hash produced by the reacquisition.
You may also want to reacquire an existing EnCase evidence file to change the compression
settings or the file segment size.
3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the
Component Files list. For DD images or other raw images consisting of more than one
segment, the segments must all be added in their exact order from first to last.
4. Click the Generate true GUID checkbox for EnCase Forensic Imager to generate a unique
GUID if a match is found.
5. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.
6. A Disk Image object displays in the Evidence tab.
7. You can reacquire this image as you would any other supported evidence or previewed
device.
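The following is an added example in Python, not EnCase code and not from this guide, of what the verification in "Verifying Evidence Files" and the segment-order rule in step 3 above amount to: the acquisition records whole-image MD5 and SHA-1 values plus a CRC per fixed-size block of data, and verification re-reads the segments strictly in order and recomputes both. The hashes say whether anything changed; the block CRCs say where. The 64-sector block size, the byte-string segments and the sample image are assumptions constructed for the example, not values taken from the guide or from the .E01/.Ex01 format.

```python
"""Added example: verifying an acquisition by whole-image hash and per-block CRC."""
import hashlib
import zlib
from typing import Dict, Iterator, List

SECTOR = 512
# Assumption for this example: one CRC per 64-sector (32 KiB) block of acquired data.
CRC_BLOCK = 64 * SECTOR


def blocks(segments: List[bytes]) -> Iterator[bytes]:
    """Stream the image as CRC-sized blocks, consuming the segment files strictly in order.

    Segment boundaries need not align with CRC blocks, so a partial block is carried
    over into the next segment; only the final block of the image may be short.
    """
    carry = b""
    for seg in segments:
        carry += seg
        while len(carry) >= CRC_BLOCK:
            yield carry[:CRC_BLOCK]
            carry = carry[CRC_BLOCK:]
    if carry:
        yield carry


def acquire_record(segments: List[bytes]) -> Dict[str, object]:
    """What an acquisition records alongside the data: image hashes and a CRC per block."""
    md5, sha1, crcs = hashlib.md5(), hashlib.sha1(), []
    for blk in blocks(segments):
        md5.update(blk)
        sha1.update(blk)
        crcs.append(zlib.crc32(blk) & 0xFFFFFFFF)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "crcs": crcs}


def verify(segments: List[bytes], record: Dict[str, object]) -> Dict[str, object]:
    """Re-read the data and compare it with the acquisition record."""
    now = acquire_record(segments)
    old_crcs, new_crcs = record["crcs"], now["crcs"]
    bad = [i for i, (a, b) in enumerate(zip(old_crcs, new_crcs)) if a != b]
    if len(old_crcs) != len(new_crcs):  # image grew or shrank: every unmatched block is bad
        bad.extend(range(min(len(old_crcs), len(new_crcs)), max(len(old_crcs), len(new_crcs))))
    md5_ok = now["md5"] == record["md5"]
    sha1_ok = now["sha1"] == record["sha1"]
    return {"md5_ok": md5_ok, "sha1_ok": sha1_ok, "bad_blocks": bad,
            "verified": md5_ok and sha1_ok and not bad}


# Constructed sample data: a small "disk" of just over four CRC blocks, split into
# three unevenly sized segment files, the way a segmented DD image would be.
IMAGE = bytes(((i * 7) ^ (i >> 10)) & 0xFF for i in range(4 * CRC_BLOCK + 1000))
SEGMENTS = [IMAGE[:50000], IMAGE[50000:100000], IMAGE[100000:]]


def corrupt(segments: List[bytes], offset: int) -> List[bytes]:
    """Flip one byte at an absolute image offset, returning new segment copies."""
    flat = bytearray(b"".join(segments))
    flat[offset] ^= 0xFF
    out, pos = [], 0
    for seg in segments:
        out.append(bytes(flat[pos:pos + len(seg)]))
        pos += len(seg)
    return out


if __name__ == "__main__":
    rec = acquire_record(SEGMENTS)
    print("clean:", verify(SEGMENTS, rec))
    print("one byte flipped in block 2:", verify(corrupt(SEGMENTS, 2 * CRC_BLOCK + 17), rec))
    print("segments out of order:", verify([SEGMENTS[1], SEGMENTS[0], SEGMENTS[2]], rec))
```

Swapping two segments leaves every byte present but changes the sequence, so the image hashes no longer match; that is why the order of a multi-part DD image matters when it is added. A single flipped byte fails both hashes too, but the per-block CRC additionally names the block that changed, which is what lets a verifier distinguish one damaged sector range from a wholesale mismatch.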
Restoring a Drive
The following steps describe how to restore a drive. Before you begin, you first need to add
evidence to the case. Restoring writes the image onto the selected target drive and overwrites
whatever that drive contains, so confirm that the target is the intended destination and not a
piece of evidence before you proceed.
1. From the EnCase Forensic Imager top toolbar, select the Evidence option from the View
dropdown.
2. In the Table view, click the evidence file with the device you would like to restore.
3. From the Device dropdown on the Evidence tab menu, select Restore. The Restore dialog
displays.