1. EnCase  Starting a New Case  Adding a Device  Creating a Boot Disk  Keyword Search  Bookmarking  File Signatures  Exporting Files/Report  File Viewers

2. Navigating Encase  Tree Pane, Table Pane, Bottom Pane and Filter Pane Highlighting a folder Home plate > Select the polygon to the left of the folder name. Blue check mark > Select the square to the left of the folder name – Used for keyword search

3. New Case  Encase – New case Select the “New” icon Name – case1 Examiner Name – Your name Export Folder – c:\cases\case1\export Temporary Folder – c:\cases\case1\temp

4. Saving a Case  Save the Case Select the “Save” icon Select your folder Change case name to lower case and remove any space

5. Global Settings  Tools > Options > Global Auto save - set it to 5, increase to 30+ if making a long running search. Enable picture viewer, art and png image display Invalid picture timeout leave at 12 sec Date and Time – MM/DD/YY and 12:00 Show Yes / No

6. Preview Device (HD, Floppy, Thumb Drive, etc)  Select the “Add Device” button.  Next select the appropriate device. Generally you will select “Local Drives” For DOS acquisition select Network Crossover.

7. Preview Device (HD, Floppy, Thumb Drive, etc)  Select the drive letter which represents the device to be imaged. Floppy – Generally select the A drive. USB and Firewire acquisitions – Select drive E, F, etc.

8. Preview Device (HD, Floppy, Thumb Drive, etc)  Adding evidence number and name. Right click on the drive letter. Select > Edit

9. Preview Device (HD, Floppy, Thumb Drive, etc)  Enter an evidence number: Such as (070418-0010) Year 07, month 04 day 18, evidence number 0010.  Enter evidence name. It’s a good idea to add device type in name i.e., desktop, floppy, laptop, etc. Example: smithdesktopHD1, smithdesktopHD2, smithfloppy1, etc.

10. Acquiring Previewed Device  If a previewed device warrants acquisition: Right click on the device and select Acquire.

11. Acquiring Previewed Device  Select - Replace source device This will replace the preview item.  Note! Search, Hash and Signature Analysis Ensure that it is not selected – Acquisition will proceed faster.

12. Acquiring Previewed Device  Set the following: File segment size - 640 Compression - None Password – Leave blank!!!! Generate image hash Output path – Check to ensure the correct one is selected.

13. Adding Previously Acquired Evidence (HD, Floppy, etc.)  Create a new case or open an existing case.  Select > Add Device

14. Adding Previously Acquired Evidence (HD, Floppy, etc.)  Select the appropriate folder i.e., “Local” and then the appropriate file, or

15. Adding Previously Acquired Evidence (HD, Floppy, etc.)  Right click on the “Evidence Files” folder and then select New to create a new path.

16. Adding Previously Acquired Evidence (HD, Floppy, etc.)  Browse the file system until you find that location of the previously acquired evidence. For example: f:\cases\data

17. Boot Disk Creation Tools > Create Boot Disk

18. Boot Disk Creation  Test diskette by rebooting from diskette.  Run EnCase DOS program “en”

19. Boot Disk Creation  ENBD – EnCase Network Boot Disk Save the ENBD file to your desktop. http://www.guidancesoftware.com/support/downloads.aspx Insert floppy in drive. Run ENBD setup file. When finished add the en.exe file. Do not write protect the ENBD disk.

20. Boot Disk Creation

21.  Add the en.exe file. C:\program files\encase\en.exe

22. Keyword Search  Global keywords These words are made available to all your cases. View > Keywords  Case specific keywords These words are only available in this case. View > Cases Sub-Tabs > Keywords

23. Keyword Search  Keyword Sources Investigating officer Search warrant HR Attorney Management Contract, Internet, Previous cases

24. Keyword Search  Keyword Folder Right-click on Keyword folder Select > New Folder Add Folder Name  Examples Email addresses IP addresses Phone numbers

25. Keyword Search  To add a single Keyword Right-click on Keyword Folder > Select New Search Expression – word, phrase, GREP expression. Case sensitive – Check to make case sensitive. GREP – Limits false hits. Active Code Page – Allows foreign languages Unicode – Foreign language char. Check to locate both ASCII and Unicode.

26. Keyword Search  To add a list of keywords Right-click on Keyword Folder > Select Add Keyword List Enter words

27. Keyword Search  Before beginning a search you must select the word or group of words you want EnCase to find.  To do so, place a blue check next to the word or folder containing the words EnCase should locate.  To begin a search, click on the Search button.

28. Keyword Search  Search each file – Must be checked to activate a keyword search.  Verify file sign – Don’t check  Compute hash value - File hash analysis.  Search file slack – Search space between logical file and physical file.  Undelete files – Logical undelete. Search between starting cluster & following unallocated cluster.  Search with known hashes – will not search known hashes.  Selected keywords only – Unless selected, all keywords are searched.

29. Search Results  Search Hits – To view search results.  View > Cases > Search Hits  Refresh - Use during a search to display current results.

30. Search Results  {·0·9·7·F·7·3·7·E·-·1·6·1·B·-·1·1·D·4·-·A·8·7·5·- ·0·0·6·0·9·7·2·0·4·6·2·B·}  {·7·0·7·B·B·5·4·A·-·B·F·2·F·-·1·1·D·3·- ·9·6·F·E·-·0·0·0·8·C·7·0·C·8·4·9·8·}  {·7·E·8·E·2·E·A·A·-·C·6·1·0·-·1·1·D·3·- ·9·6·F·E·-·0·0·0·8·C·7·0·C·8·4·9·8·}  {·7·1·D·1·9·1·F·2·-·6·5·0·4·-·1·1·D·2·-·8·3·5·4·- ·B·A·6·5·C·F·5·A·6·A·0·1·}  {·7·1·D·1·9·1·F·4·-·6·5·0·4·-·1·1·D·2·-·8·3·5·4·- ·B·A·6·5·C·F·5·A·6·A·0·1·}  {·7·1·D·1·9·1·F·6·-·6·5·0·4·-·1·1·D·2·-·8·3·5·4·- ·B·A·6·5·C·F·5·A·6·A·0·1·}

31. Search Results  Exclude – The item is not deleted from the case. Red highlight.  Export – Creates a tab- delimitated text file which can be imported in to Excel.  Tag File – Will place a blue check on the file to identify it in Home view

32. Bookmarking  Sweeping Bookmarks  Files  Notes  File Group

33. Bookmarking – Sweeping Bookmarks  Sweeping bookmark – Used to capture notable data.  Highlight the item >Right click > Select Bookmarks

34. Bookmarking - Sweeping Bookmarks

35.  Destination folder – Select a folder (i.e., Floppy) or create a new folder by right clicking on Bookmarks > New Folder > Enter new folder name.  Add Comment – i.e., “Bad stuff doc appears to be created on suspects machine.”  Data type – Select Style > ISO Latin > ISO Latin @ 100  View results - Select Bookmarks button > Report button

36. Bookmarking – Files  Used to flag files that contain important case information.  Right click on a file.  Select Bookmark Files

37. Bookmarking – Files  Add the bookmarked item to a folder by selecting an existing folder, or  Select “Create new bookmark folder” and enter the name.  View Bookmarks Select Bookmarks button > Bookmarks Home plate > Report button

38. Bookmarking – Notes  Allows you to add a note to a bookmarked item. i.e., add a note to a bookmarked file.  Formatting includes bold, italic, font size and text indent. However, only text indent is worth using.

39. Bookmarking – Notes  To add a note to a bookmarked file/item. Select Bookmarks button Select Table button In Table View - Rt click on the appropriate file Select Add Note.  Add your notes and indent text as needed.

40. Bookmarking – File Group  In Tree view select (with a blue checkmark) the folder containing the files you want to bookmark.  Rt click on the folder and select Bookmark Data.  Ensure that “Bookmark Selected Items” is checked.  Select “ok”  View Bookmarks Select Bookmarks button > Bookmarks Home plate > Report button.

41. Bookmarking – File Group

42. Bookmarking - Report

43. Evidence File  Restoring a drive  Compression To compress data files once the HD has been acquired. Rt click on device > Select Acquire > Replace Source Device > Compression - Best

44. File Signatures  View > File Signatures Used to compare file headers with file extensions

45. File Signatures  To Start: Click on Search button.  Ensure that only the “Verify file signatures” option is selected.  Click on the Start button. The process will run in the background.  Click on Save - Once the process is done.

46. File Signatures  _ Deleted  X – Deleted, overwritten file Starting cluster is occupied by another file.  O – Undeleted by EnCase.  O – Directory entry with a file name but no starting cluster.

47. File Signatures  Signature Analysis Select the case / device “home plate” Table View - Sort order Signature File Ext Name  Secondary sorts Shift > double-click

48. File Signatures  *Alias The header and the extension don’t agree The header exists in the Signature table Generally renamed extension – Encase displays file type.  !Bad Signature The header and the extension don’t agree The extension exists in the Signature table The header does not exist in the Signature table  Match - Header & extension agree.  Unknown –Header & extension do not exist in Signature table.

49. Exporting Files  Use the blue checkmark to select files to export.  Right click in the table view.  Select > Copy/UnErase.

50. Exporting Files

52. Exporting Report  Select Report button  In Table View Right Click on report Select Export Select Format Input path

53. Windows Artifacts – INFO2  Sort by name – Double click on the “Name”.  Click on the first file, under name, in the Table View.  Type “info” real fast.

54. Windows Artifacts – INFO2  Highlight text starting with C:\Documents and end with.doc  Right click > Bookmark Data

55. Windows Artifacts – INFO2  Note that the SID number (S-1-5-...- 1003) ends with 1003.  Under Data Type, Select Windows > Win2000 Info File Record

56. Windows Artifacts – INFO2  Deleted - Note the date & time, is it relevant?  Path – Note the files location and what was deleted.

57. Windows Artifacts – Link Files  Shortcut files – Record creation, access and last written dates. Provides insight to how a computer was configured at a given point in time. May indicate when an application was installed. When created after application install it supports the allegation that the user had knowledge of a file or application. Contains the fully qualified path to the file referenced. Provides evidence of the existence of an application which is no longer installed.

58. Windows Artifacts – Link Files  Sort by file type – Double click on the “File Ext” column.  Then sort by name – Press on the Shirt key and Double click on the “Name” column.  Click on the first file, under “File Ext” and type “lnk” real fast.

59. Windows Artifacts – Link Files  Note, you should now be at the start of the lnk files.  Click on the first link file, under “Name” and type “art” real fast.

60. Windows Artifacts – Link Files

61.  Select the Hex button.  FO28 - Start at byte offset 28  LE24 - Highlight the next 24 bytes.

62. Windows Artifacts – Link Files  Right click on your selection and select Bookmark Data.

63. Windows Artifacts – Link Files  Select Dates > Windows Date/Time

64. Windows Artifacts – Link Files  Note, the date and time associated with this link file.

65. Windows Artifacts Volume Serial Number  To associate the link file with the current volume.  Select file > In text mode select the path > select Hex mode.

66. Windows Artifacts Volume Serial Number  Allocate the Hex value 10 that appears before the path selection.  Note the value of the four bytes prior to the hex 10.

67. Windows Artifacts Volume Serial Number  Select “Entries” in the Tree Pane and the drive in the Table Pane.  Next, select the Report button in the Bottom Pane.  Allocate the volume serial number.

68. Windows Artifacts Volume

69. Windows Artifacts Application Data  Outlook Express – Email storage location.  Documents & Settings > User Name > Local Settings > Application Data > Identities > GUID number > Microsoft > Outlook Express.

70. Windows Artifacts Root Folder  Named after the user login name.  Ntuser.dat – Last written time represents the users last logout time.

71. Windows Artifacts Recent Folder  Recently accessed files – Great place to start investigating a case.  Start > All Programs > My Recent Documents – Represent link files.  Documents & Settings > User Name > Recent  While windows only displays the last 15 documents, the Recent folder could contain hundreds of link file names, which may be of value.  A shortcut may refer to a volume that wasn’t present when evidence was collected.

72. Windows Artifacts Desktop Folder  Documents & Settings > User Name > Desktop.  Desktop items may be the result of the following four sources; the users Desktop folder, Registry, All Users desktop folder and Domain Group policy.

73. Windows Artifacts My Documents  Documents & Settings > User Name > My Documents.  Windows will generally store files in this folder.

74. Windows Artifacts Sent To Folder  Contains only those items added by the user.  Drive letters for attached media can be found here.

75. Windows Artifacts Temp Folder  Documents & Settings > User Name > Local Settings > Temp  Note, this folder is specific to the user.  May contain evidence of application installation.

76. Windows Artifacts Thumb Files  Sort by file type – Double click on the “File Ext” column.  Then sort by name – Press on the Shirt key and Double click on the “Name” column.  Click on the first file, under “File Ext” and type “db” real fast. Next, click on the first db file, under “Name” and type “thu” real fast.  Right click on thumbs.db > View File Structure.  Root Entry folder will contain images.

77. Windows Artifacts Favorites Folder  Documents & Settings > User Name > Favorites .url - Users Internet Explorer & Windows Explorer favorites settings.  Note the unique header – It can be used to local deleted shortcuts.

78. Windows Artifacts Cookies Folder  Documents & Settings > User Name > Cookie.  Small text files which may provide insight into sites visited by the user.  The index.dat file contains data about each cookie.  Use an external viewer.

79. Windows Artifacts History Folder  Documents & Settings > User Name > Local Settings > History.  Contains all the history for 20 days – the default period. .IE5 folder – Contains

80. Windows Artifacts Temporary Internet Files  Documents & Settings > User Name > Local Settings > Temporary Internet Files > Content.IE5  Internet e-mail is stored here.

81. Windows Artifacts Swap File  Pagefile.sys – Represents windows virtual RAM.  Search with the Unicode option enabled.

82. Windows Artifacts Hibernation File  In order for a machine to enter sleep mode the contents of RAM must be written to hiberfil.sys  The contents reflects the last time the machine entered hibernation.

83. Windows Artifacts Print Spooling  Windows > System32 > spool > printers.  Two files are created shadow (SHD) and spool (SPL).  SHD – contains username, file name, printer & print mode.  SPL - contains print data.

84. Windows Artifacts Print Spooling  Rarely find in allocated space. Generally, found in unallocated space, page file, hibernation file and slack space.  Search String: \x01\x00\x00\x00..\x00.{34,34}EMF

85. Windows Artifacts Print Spooling  Right click on selected data > Bookmark Data  EMF will generally provide positive results, while emf0 will not.

86. Windows Artifacts Print Spooling  Under Data Type, select: Picture > Picture.

87. Windows Artifacts – Time

90. File Viewers  View > File Viewers  Right Click > File Viewer  Select New  Enter program name  Enter path to program.exe

91. File Viewers  View > File Types  Select File Types > Home plate  Table view > Sort by extension

92. File Viewers  Right click on extension  Select Installed Viewer  Select appropriate File Viewer

93. Conclusion  Starting a New Case  Adding a Device  Creating a Boot Disk  Keyword Search  Bookmarking  File Signatures  Exporting Files/Report  File Viewers