Guidance Software, Inc
Contents
1. Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide File System Fundamentals Logical and Physical File Size My Pic jpg Logical File Physical File bytes 3045 Bytes 1 cluster Guidance File System Fundamentals Slack Space E File slack is comprised of drive slack and sector RAM slack Sector RAM Slack u Data from the end of the logical file to the end of that sector The 10 byte file written to a 512 byte sector will have 502 bytes of sector RAM slack in the same sector that contains the logical data u Sector RAM slack is zeroed out prior to writing it to the drive 00 00 2 In Windows 95A and older sector RAM slack will contain actual data from RAM and it will be stored on the drive with the file e Drive slack u Data that is contained in the remaining sectors of a cluster that are not a part of the current logical file Alogical file of 10 bytes stored in a four sector cluster will have three sectors of drive slack Guidance oe TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 39 EnCE Study Guide File Systems FAT File Allocation Table e Often found on legacy hard drives and removable devices FAT tracks u File fragmentation u All of the addressable clusters in the partition u Clusters mark2. Examining computer based evidence with EnCase software EnCase Computer knowledge Good forensic practices Legal Guidance SEL TWARE Examining Computer based Evidence The EnCase evidence file EnCase concepts The EnCase environment EnCase Evidence Processor Index queries and raw keyword searching File signature and hash analysis ET Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 23 EnCE Study Guide The EnCase Evidence File Bit stream image of evidence written to a file Case Data Cannot be changed after evidence file is created Contains u Case number Examiner name Evidence number Unique description Date time of computer system clock u Acquisition notes u Serial number of physical hard drive Guidance The EnCase Evidence File E Cyclical Redundancy Check e 32 bit CRC for by default 64 sectors 32 KB of data If no compression is used e Calculated when evidence file is added to case and rechecked every time the data block is accessed Verification Hash digital signature of all data in evidence file e MD5 128 bit 32 characters e SHA1 160 bit Can choose either one or neither Guidance rant yy TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 24 EnCE Study
3. o Temp o Internet Explorer history cache favorites cookies Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 21 EnCE Study Guide o Enhanced metafiles print spooler o Windows 7 C Users o Registry files global and user account specific o Swap file pagefile sys o Hibernation Standby file hiberfil sys Legal Issues e Best Evidence Rule o Aprintout of data stored in a computer can be considered as an original under the Federal Rules of Evidence if it is readable by sight and accurately reflects the stored data o Compression of acquired data does not affect admissibility under the Best Evidence Rule o If original evidence must be returned to the owner the forensic image could be considered the Best Evidence e Daubert Frye o Legal test to determine if a scientific or technical process for obtaining enhancing or analyzing evidence is acceptable e Elements of Daubert o Has the process been tested and subject to peer review o Does the process enjoy general acceptance in the related community o Can the findings be duplicated or repeated e Commercially available software has a greater opportunity for peer review testing and validation Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide EnCE Preparation Training
4. the File Types Table The hash value of each logical file is computed and compared with the Hash Library composed of the selected hash sets e Both analyses can be used to help identify suspect files and or exclude known or benign files u The results of both analyses are viewed in the Table view of the Evidence Entry tab Su Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 35 EnCE Study Guide Computer Knowledge Understanding data and binary The BIOS Computer boot sequence File systems Computer hardware concepts Guidance Gr TWARE Understanding Data and Binary Bits and Bytes Name Binary Bit 1 Nibble 0000 Byte 0000 0000 Word 0000 0000 0000 0000 Dword 0000 0000 0000 0000 0000 0000 0000 0000 Qword You get the idea Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Understanding Data and Binary ASCII and Unicode e The ASCII table American Standard Code for Information Interchange is based on an 7 bit system n The first 128 characters make up the ASCII table and represent alpha numeric values common punctuation and other values The remaining 128 characters are called high bit characters Together 256 characters can be addressed Binary Code 0000 0000 0000 0001 STX 1 0000 0010 Selecting Uni
5. Booting turned off machines LinEn Linux EnCase CD u Disk to disk imaging with Tableau hardware write blocker u Network cross over cable e EnCase Portable ET Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 47 EnCE Study Guide First Response Onsite triage Tableau Fastest u Gallery view hash file signature analysis logical and physical searches with GREP copy unerase EnScript programs etc Network cable preview Fast u Gallery view hash file signature analysis logical and physical searches with GREP copy unerase EnScript programs etc Evidence Processor available on live devices in EnCase v7 03 and higher e EnCase Portable Fast u Triage and Collection jobs Pictures keyword search hash sets filtering with conditions Snapshot Internet history idance c8uidance Acquisition of Digital Evidence Computer Forensic Examiner Must be trained e Must use best forensic practices available e Must avoid damaging or altering evidence Should test and validate computer forensic tools and techniques prior to using them on original evidence Guidance ce TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 48 EnCE Study Guide Acquisition of Digital Evidence File systems supported by EnCase
6. FAT 12 16 32 exFAT NTFS EXT2 3 4 Linux Reiser Linux UFS Solaris CDFS Joliet ISO9660 UDF DVD Macintosh HFS HFS Mac OS X BSD HP UX Etc Smartphones and tablets Guidance Acquisition of Digital Evidence File systems supported by EnCase e If the file system is not supported by EnCase the examiner can still conduct a physical text search run EnScript programs for file headers and footers etc The examiner can also restore the physical drive to a drive of equal or larger size n The restored drive is verified by the MD5 and or SHA1 hash value A volume may also be restored to a partition containing the same file system a The restored partition is verified by the MD5 and or SHA1 hash value Guidance oe TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Acquisition of Digital Evidence Laboratory procedures Cross contamination u Wipe lab examination drives u Use EnCase case management methodology Chain of custody u Controlled access to lab area u Evidence locker or depository Storage u Clean temperature controlled environment u Legacy portable electronic devices may lose battery power potentially erasing all data Guidance Operating System Artifacts Recycler NTFS directory entries and structure Windows artifacts Recent Link files Desktop Se
7. Guide The EnCase Evidence File Logical file that can be renamed and moved Can be broken into multiple segments with a maximum segment size dependent on the file system to which the evidence file is written Can be compressed during acquisition and or reacquired with compression for archival without changing the hash value Can be password protected or encrypted and can be reacquired to remove or change password encryption Individual segments can be verified by the CRCs when compression is not used If compression is used the decompression algorithm is used Guidance oe TWARE The EnCase Evidence File Error granularity is often used to adjust the writing of data to an evidence file when a read error of the subject media occurs Standard Size of the data blocks Exhaustive Sector by sector Guidance Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 25 EnCE Study Guide The EnCase Evidence File Evidence file verification e Data in the entire evidence file is verified by verification hash compared to the acquisition hash value of the original evidence e Data in each data block is verified by a CRC when no compression is used Both the MD5 and or SHA 1 hash and CRCs must match for the evidence file to be verified u f any compression is used the compression algorithm is used to verify data blocks Gu
8. an email address Guidance Q3 TWARE Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Searching Characters in brackets match any one character that appears in the brackets For example smit hy would match smith and smity A circumflex at the start of the string in brackets means NOT Hence hy matches any characters except h and y A dash within the brackets signifies a range of characters For example a e matches any character from a through e inclusive A backslash before a character indicates that the character is to be treated literally and not as a GREP character i idance c8uidance File Signature and Hash Analysis File Signature Table e Stored in the EnCase configuration file FileTypes ini New file signatures can be added manually The terms file signature and file header mean the same thing 2 The standard hex characters at the beginning of a certain file type Guidance oe T WAR E Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 33 EnCE Study Guide File Signature and Hash Analysis File Types Viewers e EnCase uses the File Types ini file to store external viewer information and associate file extensions with external viewers When the examiner double c
9. e Creating an index will allow you to instantly search for terms in a variety of ways o You can adjust parameters for index creation such as the minimum word length to index or whether to use a noise file a file containing specific words to ignore e Compared to keyword searches that search on the raw text index searches will search on the transcript output of the file which is critical for Microsoft Office 2007 and 2010 files e Generating an index can take time however the trade off in time spent creating the index yields a greater payoff with near instantaneous search times o Guidance Software recommends always indexing your case data Search Queries Index e Once your case has been indexed keyword searched tagged or any combination of the three you can then search for desired information To create a unified search do the following o Goto the Home screen and click the Search button o Inthe Index window enter the keyword s to query the index o dynamic list is displayed on the right side of the window showing the terms in the index and the number of occurrence of a term This is extremely helpful when crafting a query so that you can immediately see if the term exists in the index Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 10 EnCE Study Guide o EnCase v7 will show you all words in the index that start with the term tha
10. internal clock e Computer boot sequence Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 14 EnCE Study Guide File System Fundamentals e File slack is comprised of drive slack and sector RAM slack o Sector RAM slack Data from the end of the logical file to the end of that sector The 10 byte file written to a 512 byte sector will have 502 bytes of sector RAM slack in the same sector that contains the logical data Sector RAM slack is zeroed out prior to writing it to the drive 00 00 In Windows 95A and older sector RAM slack will contain actual data from RAM and it will be stored on the drive with the file o Drive slack Data that is contained in the remaining sectors of a cluster that are not a part of the current logical file A logical file of 10 bytes stored in a four sector cluster will have three sectors of drive slack e File Allocation Table o Often found on legacy hard drives and removable devices o FAT tracks File fragmentation All of the addressable clusters in the partition Clusters marked bad o Directory records File name Date time stamps Created Accessed Written Starting cluster File logical size o Adirectory or folder is a file with a unique header and a logical size of zero e When a file is deleted from a FAT system o 1 character of directory entry changed to E5h o FAT entry value
11. of media o Internal Inspection Check for disconnected media Additional media connected etc o External Inspection Check for connected media Check for additional devices media e Onsite triage o Tableau fastest Gallery view hash file signature analysis logical and physical searches with GREP copy unerase EnScript programs etc o Network cable preview fast Gallery view hash file signature analysis logical and physical searches with GREP copy unerase EnScript programs etc Evidence Processor available on live devices in EnCase v7 03 and higher Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 19 O EnCE Study Guide EnCase Portable fast Triage and Collection jobs Pictures keyword search hash sets filtering with conditions Snapshot Internet history Acquisition of digital evidence e Tag media and transport O O Tag evidence Evidence should be inspected for damage Evidence should be documented and labeled Evidence should be properly bagged in preparation for transport Transport evidence Evidence should be properly secured for transportation Evidence should be stored properly Computer Forensic Examiner e Must be trained e Must use best forensic practices available e Must avoid damaging or altering evidence e Should test and validate computer forensic tools and techn
12. or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Search Queries Index The case index is created with the Evidence Processor Creating an index will allow you to instantly search for terms in a variety of ways You can adjust parameters for index creation such as the minimum word length to index or whether to use a noise file a file containing specific words to ignore Compared to keyword searches that search on the raw text index searches will search on the transcript output of the file which is critical for Microsoft Office 2007 and 2010 files Generating an index can take time however the trade off in time spent creating the index yields a greater payoff with near instantaneous search times Guidance Software recommends always indexing your case data Guidance SE DFTWARE Search Queries Index E Once your case has been indexed keyword searched tagged or any combination of the three you can then search for desired information To create a unified search do the following Go to the Home screen and click the Search button In the Index window enter the keyword s to query the index A dynamic list is displayed on the right side of the window showing the terms in the index and the number of occurrence of a term n This is extremely helpful when crafting a query so that you can immediately see if the term exists in the index EnCase v7 will show you all words in the inde
13. when applying to attend the EnCE Preparation course o The Phase I written examination will not be given during class Once you complete the class you will be given login instructions You will have ten 10 business days from the last day of class to take Phase I After the 10 days access to the exam will be terminated o Complete details for this course can be found at http www guidancesoftware com Training aspx menu id 137 amp id 1000018146 e CEIC o Registered attendees at our annual CEIC conference may elect to take the Phase I test at no additional charge during the conference o All requirements must be met prior to attending CEIC Anyone interested in taking the Phase I test at CEIC must fill out an application and return it to the certification coordinator one 1 month prior to the conference via fax email or mail Only those who have preregistered and been approved will be admitted to take the Phase I test at CEIC o Please visit www ceicconference com for more information Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Maintaining Your Certification As of January 1 2012 payment of 75 USD via credit card check or purchase order is required for renewal completion The payment must accompany a completed renewal form and the supporting documentation detailed as follows As of November 1 2008 EnCase Certi
14. Guidance SOFTWARE EnCE Study Guide Version EnCE Study Guide SOFTWARE Guidance Certification Background The EnCase Certified Examiner program was created to meet the requests of EnCase users as well as to provide a recognized level of competency for the examiner While many different certifications exist the EnCE provides an additional level of certification and offers a measure of professional advancement and qualifications Certain qualifications must be met to enter the certification process An application and a detailed explanation can be found at http Awww quidancesoftware com computer forensics training ence certification htm The cost is USD 200 00 US and USD 300 00 International payable by credit card check or purchase order The certification program does not generate profits for Guidance Software the testing fee covers the cost of the written test provided by ExamBuilder Once payment has been received and processed the certification coordinator will email testing instructions to you The certification process addresses both EnCase software EnCase and general areas of computer forensics It involves a written test consisting of 180 questions 174 for international candidates no legal questions Two hours are provided to complete the written exam which is true false and multiple choice Once the Phase I results are received the instructions for completing Phase II will be provided to y
15. ance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 31 EnCE Study Guide Searching Global Regular Expression and Print GREP A period matches any single character Character represented by its ASCII value in hex x09 is a tab xOA is a line feed Both ped ber 0 9 hex digits should be present even if they are 2 Repeat zero or one time 0 wFFFF Unicode 16 bit character The question mark says repeat the Group ab together for Repeat m to n times preceding character or set one or alar sari zero times idance Suidance Searching An asterisk after a character matches any number of occurrences of that character including zero For example john smith would match john smith john smith and johnsmith Aplus sign after a character matches any number of occurrences of that character except zero For example john smith would match john smith or john smith but would NOT match johnsmith A pound hash sign matches any numeric character 0 9 For example matches any phone number in the form 327 4323 ab The parentheses allows the examiner to group individual characters together as an AND statement m n The curly braces state number of times to repeat i e mto n times The pipe is an OR statement and can be used with the parentheses i e com net org for the end of
16. ase is recommended Use unique directory names Each case requires an Export Temp and EvidenceCache folder Guidance oe TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 27 EnCE Study Guide The EnCase Environment The EnCase methodology EvidenceCache Storing cache files and containers for processed evidence Export Default folder for exporting evidence Temp Default temporary folder for file viewing idance c8uidance Evidence Processor After adding evidence to a case and confirming that the data is valid and browsable the first task you undertake is to run the EnCase Evidence Processor The Evidence Processor lets you run in a single automated session a collection of powerful analytic tools against your case data Since you can run the Evidence Processor unattended you can work on other aspects of the case while this tool is processing data After completion the case data will be processed and ready for you to begin the important analytic and reporting phases of your investigation Guidance Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 28 EnCE Study Guide Evidence Processor The following evidence processing functions are available Recover folders Recover files that have been deleted or
17. c May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide The EnCase Evidence File Verification e Cyclical Redundancy Check o 32 bit CRC for by default 64 sectors 32 KB of data If no compression is used o Calculated when evidence file is added to a case and rechecked every time the data block is accessed o Verification hash digital signature of all data in evidence file MD5 128 bit 32 characters SHAI 160 bit Can choose either one or neither The EnCase Evidence File Characteristics e Logical file that can be renamed and moved e Can be broken into multiple segments with a maximum segment size dependent on the file system to which the evidence file is written e Can be compressed during acquisition and or reacquired with compression for archival without changing the hash value e Can be password protected or encrypted and can be reacquired to remove or change password encryption e Individual segments can be verified by the CRCs when compression is not used o If compression is used the decompression algorithm is used e Error granularity is often used to adjust the writing of data to an evidence file when a read error of the subject media occurs o Standard Size of the data blocks o Exhaustive Sector by sector Evidence File Verification e Data in the entire evidence file is verified by verification hash compared to the acquisition hash
18. case Hash Library Expand compound files Expand compound and compressed files such as ZIP RAR and GZ Find email Extract individual messages from email archive files such as PST Microsoft Outlook NSF Lotus Notes DBX Microsoft Outlook Express EDB Microsoft Exchange AOL and MBOX Find internet artifacts Collect Internet related artifacts such as browser histories and cached web pages You also have the option to search unallocated space for the Internet artifacts Search for keywords Search raw not transcript text for specific keywords Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide o Index text Create an index for when you need to search for keywords in compound files Microsoft Office 2007 and 2010 and across large amounts of data You can adjust the parameters for index creation such as the minimum word length to index and whether to use a noise file o File signature analysis Determine if the extension of a file has been altered and whether or not the extension matches the file type as specified by the file s header o Protected file analysis Identity encrypted and password protected files o Creating thumbnails from images Creates image thumbnails for faster display in the EnCase GUI Search Queries Index e The case index is created with the EnCase Evidence Processor
19. code will cause EnCase to search for the keyword in both ASCII and Unicode n Unicode uses two bytes for each character allowing the representation of 65 536 characters Suldance The BIOS Basic Input Output System The BIOS checks and configures the computer system after power is turned on The BIOS chip is usually found on the motherboard The BIOS should be checked during each examination of a computer to check the boot sequence and settings of the internal clock Su Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 37 EnCE Study Guide Computer Boot Sequence The BIOS immediately runs POST and then prepares the system for Add in cards such as SCSI tha irst piseran to Tun drive controller cards can have a BIOS on the card that POST Power On Self Test loads at this time These checks the system board BIOS normally detect memory RAM keyboard devices and load floppy disk hard disk etc information into the BIOS for presence and reliability data area in RAM BIOS FROM ADD IN CARDS A special RAM BIOS data area of 256 bytes contains LOAD RAM WITH the results of the system BIOS DATA check identifying the Boot Sequence location of attached devices Guidance oe TWARE Computer Boot Sequence Boot Sequence Master Boot Record Go to Boot Partition Boot Record Guidance oe TWARE
20. corrupted on FAT and NTFS volumes Hash analysis Generate MD5 and or SHA 1 hash values for files and compare against your case Hash Library Expand compound files Expand compound and compressed files such as ZIP RAR and GZ Find email Extract individual messages from e mail archive files such as PST Microsoft Outlook NSF Lotus Notes DBX Microsoft Outlook Express EDB Microsoft Exchange AOL and MBOX Find internet artifacts Collect Internet related artifacts such as browser histories and cached web pages n You also have the option to search unallocated space for the Internet artifacts Guidance Evidence Processor Search for keywords Search raw not transcript text for specific keywords Index text Create an index for when you need to search for keywords in compound files Microsoft Office 2007 and 2010 and across large amounts of data You can adjust the parameters for index creation such as the minimum word length to index and whether to use a noise file File signature analysis Determine if the extension of a file has been altered and whether or not the extension matches the file type as specified by the file s header Protected file analysis Identify encrypted and password protected files Creating thumbnails from images Creates image thumbnails for faster display in the EnCase GUI Guidance Eu TWARE Copyright O 2015 Guidance Software Inc May not be copied
21. currences of that character including zero For example john smith would match john smith john smith and johnsmith A plus sign after a character matches any number of occurrences of that character except zero For example john smith would match ohn smith or john smith but would NOT match johnsmith A pound hash sign matches any numeric character 0 9 For example matches any phone number in the form 327 4323 The parentheses allows the examiner to group individual characters together as an AND statement The curly braces state number of times to repeat i e m to n times The pipe is an OR statement and can be used with the parentheses i e com net org for the end of an email address Characters in brackets match any one character that appears in the brackets For example smit hy would match smith and smity A circumflex at the start of the string in brackets means NOT Hence hy matches any characters except h and y A dash within the brackets signifies a range of characters For example a e matches any character from a through e inclusive A backslash before a character indicates that the character is to be treated literally and not as a GREP character File Signature and Hash Analysis File Signatures o Stored in the EnCase configuration file FileTypes ini o New file signatures can be added manually o The terms fil
22. duplicated or repeated Commercially available software has a greater opportunity for peer review testing and validation idance c8uidance Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 52 SOFTWARE Guidance 1055 East Colorado Boulevard Suite 400 Pasadena CA 91106 2375 Phone 626 229 9191 ext 9468 certification guidancesoftware com www guidancesoftware com
23. e signature and file header mean the same thing the standard hex characters at the beginning of a certain file type Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 12 EnCE Study Guide e File Types Viewers o EnCase uses the FileTypes ini file to store external viewer information and associate file extensions with external viewers o When the examiner double clicks on a file EnCase will copy the file to the Temp folder and launch the Windows associated viewer or user defined external viewer to read the file Hash Sets and Hash Library e Hash sets can be built with one file or any number of selected files o The sets contain the hash values of the file s in the set and selected metadata e The hash value of a file is computed only from the logical file independent of the file name time date stamps and the slack space of the physical file e The Hash Library is built from selected hash sets o The examiner can exclude specific hash sets to remain within the scope of the examination o Youcan have two Hash Libraries for each case Signature and Hash Analysis e File extensions are compared to the file signature header according to the File Types Table e The hash value of each logical file is computed and compared with the Hash Library composed of the selected hash sets e Both analyses can be used to help identify suspect files and o
24. ed bad Directory records u File name Date time stamps Created Accessed Written u Starting cluster u File logical size e A directory or folder is a file with a unique header and a logical size of zero Guidance File Systems FAT Cluster Length Accessed Wrritten Created MwyNote TXT 1000 952 Picture 1 GIF 1002 890 Picture 2 JPG 1004 5000 Job Search DOC 24888 11000 Report DOC 79415 34212 Personal Letter DOC 88212 10212 Directory Clusters 8 25 00 8 25 00 8 25 00 8 25 00 8 25 00 8 25 00 Allocation Units Guidance cr TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 8 22 00 6 15 98 7 12 99 8 25 00 7 31 00 8 25 00 8 22 00 6 15 98 7 12 99 8 1 00 6 20 00 8 25 00 File Allocation 40 EnCE Study Guide File Systems FAT Directory Entry Cluster Length Guidance Qui so TWARE File Systems FAT File Allocation Table Guidance Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 41 EnCE Study Guide When a file is deleted from a FAT system e 1st character of directory entry changed to E5h FAT entry values change from allocated to unallocated 0 No effect on the data within the clusters When EnCase virtually undeletes a file e Directory entry read u Obtains starting e
25. exFAT functions as FAT does e If the file is not fragmented the FAT is not updated Guid Guidance File Systems exFAT E Within the directory entries of the exFAT file system there are multiple 32 byte records at least three for each directory entry Each record has an identifier byte Directory Entry Record Record ID 85 hex Contains Attributes Created Accessed and Last Written dates times Stream Extension Record Record ID cO hex Contains logical size starting extent size of filename CRC of filename and whether the FAT is being used to track the clusters allocated to the file File Name Extension Record Record ID C1 hex Contains the filename in Unicode n Additional records may be needed for longer file names ET Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 43 EnCE Study Guide File Systems exFAT When a file is deleted the first bit of the identifier of the record is changed from 1 to 0 changing the identifier to reflect a record not in use It is also possible for the Directory Entry Record to be changed in this manner if the file is renamed This means that if the file was fragmented and there was a cluster chain the chain is not destroyed on deletion In exFAT since allocation status is in the bitmap there is no need to zero out the cluster run As long as the cl
26. fied Examiners are required to achieve one of the following items prior to their expiration date in order to renew e Attend a minimum of thirty two 32 credit hours of documented continuing education in computer forensics or incident response to maintain the certification o The training should either be from Guidance Software your agency or an accredited source Training should be either in a classroom lab setting or online Proof of attendance should be provided via a certificate transcript or official letter o Earn one 1 credit hour for each classroom hour of training and 1 2 credit hour for each one hour of instruction as a computer forensics or incident response curriculum instructor e Achieve a computer forensics or incident response related certification within the renewal period A certificate of completion must be submitted as documentation e Attend one CEIC conference within the renewal period Your certification must be current at the time of the conference and you must attend at least 10 sessions to fulfill the requirement to renew your EnCE Register online at http www ceicconference com Renewal forms will be available at the registration desk during the conference Please check the box on the renewal form and registration will be on file with Guidance Software Training and teaching hours may be combined to reach the total 32 hours required Documentation may be a certificate of completion official lette
27. h as video cards Network Interface Cards NIC Small Computer System Interface SCSI cards Integrated Drive Electronics IDE and Serial Advanced Technology Attachment SATA disk drives can be attached directly to the motherboard with a ribbon cable Legacy SCSI hard disk drives require a controller card on the motherboard Guidance ce T WAR E Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Computer Hardware Concepts Geometry of hard drives Cylinder Heads Sectors older drives C x H x S x 512 bytes per sector total bytes e Logical Block Addressing Total number of sectors available x 512 bytes total bytes Master Partition Table Volume Boot Record Partition Tables Partition Recovery Guidance Good Forensic Practice First response Acquisition of digital evidence Operating system artifacts Guidance SE DFTWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 46 EnCE Study Guide First Response At the Scene Photograph take notes sketch Image RAM u EnCase Portable or WinEn Take down the system whether pull plug or shut down depends on circumstances u Shut Down if UNIX Linux or server u Pull Plug it depends on circumstances Suldance First Response
28. idance EnCase Concepts The case file case Compound file containing n Pointers to locations of evidence files on forensic workstation n Results of file signature and hash analysis n Bookmarks a Investigator s notes e A case file can contain any number of hard drives or removable media The case file should be archived with the evidence cache and evidence files as it contains all of the investigator s notes a Use the Create Package feature Guidance or T WAR E Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 26 EnCE Study Guide EnCase Concepts The configuration ini files e Contain Global Options used for all cases Some configuration ini files a FileTypes ini E Organizes files into groups by extension gt Determines which viewer to use File Signature Table a Local ini Global configuration settings n Viewers ini Installed external viewers associated to EnCase Guidance The EnCase Environment The EnCase methodology Case management n Use large capacity high RPM revolutions per minute hard drives with single partition for evidence files Wipe the drive to eliminate any claims or arguments of cross contamination Give the hard drive a unique label prior to acquisitions to differentiate your drives from the that of the suspect Separate folders for each c
29. iques prior to using them on original evidence Acquisition of Digital Evidence e File Systems Supported by EnCase O O O FAT 12 16 32 exFAT NTFS EXT2 3 4 Linux Reiser Linux UFS Solaris CDFS Joliet 1509660 UDF DVD Macintosh HFS HFS Mac OS X BSD HP UX E lC Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 20 EnCE Study Guide e Smartphones and tablets e If the file system is not supported by EnCase the examiner can still conduct a physical text search run EnScript programs for file headers and footers etc e The examiner can also restore the physical drive to a drive of equal or larger size o The restored drive is verified by the MD5 and or SHA1 hash value e A volume may also be restored to a partition containing the same file system o The restored partition is verified by the MD5 and or SHA1 hash value Laboratory Procedures e Cross contamination o Wipe lab examination drives o Use EnCase case management methodology e Chain of custody o Controlled access to lab area o Evidence locker or depository e Storage o Clean temperature controlled environment o Legacy portable electronic devices may lose battery power potentially erasing all data Operating System Artifacts e Recycler e NTFS directory entries and structure e Windows artifacts o Recent o Link files o Desktop o Send To
30. ived and accepted payment instructions will be provided to you Once payment is received you will be provided with login credentials to enroll in Phase I of the testing process The test is available in English and Spanish Phase Testing Options e ExamBuilder o ExamBuilder provides online testing services available at all times o Once you receive email instructions from the certification coordinator visit the ExamBuilder website at https testing exambuilder com to enroll in the Phase I testing process Follow the instructions for log in and complete the enrollment form o If you have questions about the enrollment process contact the Guidance Software certification coordinator at 626 229 9191 ext 9468 or certification guidancesoftware com Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide e EnCE Prep Course o This course is designed for EnCase users preparing for certification The certification is based upon the skills and knowledge presented in the Guidance Software EnCase Computer Forensics I and EnCase Computer Forensics II courses The EnCE Prep course is not intended to be a replacement for these two classes instead it is a thorough but accelerated review of the covered subjects Student s cannot waive or substitute the prerequisite attendance of the Guidance Software EnCase Computer Forensics II course
31. licks on a file EnCase will copy the file to the Temp folder and launch the Windows associated viewer or user defined external viewer to read the file Guidance File Signature and Hash Analysis File signature analysis Signature Table Analysis Explained File Types Signature Analysis Signature Header Comparison Signature Colum Colum LISTED LISTED CORRECT Name of the Signature Match JPEG Image Standard NOT LISTED LISTED INCORRECT blank Bad Signature LISTED LISTED INCORRECT Name of the Signature Alias JPEG Image Standard Guidance oe TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide File Signature and Hash Analysis Hash sets and Hash Library Hash sets can be built with one file or any number of selected files n The sets contain the hash values of the file s in the set and selected metadata The hash value of a file is computed only from the logical file independent of the file name time date stamps and the slack space of the physical file The Hash Library is built from selected hash sets n The examiner can exclude specific hash sets to remain within the scope of the examination n You can have two Hash Libraries for each case Guidance File Signature and Hash Analysis Signature and hash analysis File extensions are compared to the file signature header according to
32. nd To Temp Internet Explorer history cache favorites cookies Enhanced MetaFiles Print Spooler Windows 7 C Users Guidance ce TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 50 EnCE Study Guide Operating System Artifacts Windows artifacts continued Registry files global and user account specific Swap file pagefile sys Hibernation Standby file hiberfil sys Guidance s9r T W AR Legal Issues Best evidence rule Aprintout of data stored in a computer can be considered as an original under the Federal Rules of Evidence if it is readable by sight and accurately reflects the stored data Compression of acquired data does not affect admissibility under the Best Evidence Rule If original evidence must be returned to the owner the forensic image could be considered the Best Evidence Guidance oe TWARE Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 51 EnCE Study Guide Legal Issues Daubert Frye Legal test to determine if a scientific or technical process for obtaining enhancing or analyzing evidence is acceptable Elements of Daubert Has the process been tested and subject to peer review e Does the process enjoy general acceptance in the related community Can the findings be
33. o need to zero out the cluster run o As long as the clusters themselves have not been reused for newer files it is possible to accurately recover even heavily fragmented files that were deleted because the cluster run would still be intact File Systems NTFS e Master File Table MFT administratively documents all files folders on NTFS volume e MFT comprised of records 1024 bytes each e MET grows but doesn t shrink e Atleast one MFT record is allocated to each file and folder on volume e Bitmap file documents if clusters are allocated or unallocated e Two types of files Resident and Nonresident e File Systems NTFS e Resident files o Data resides within MFT record for file o Data does not begin at the beginning of a sector cluster o Logical size physical size Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 17 EnCE Study Guide e Nonresident files o Data not within MFT Record o MFT record houses pointers to clusters storing file o Pointers in the form of a data run e Both types of files may be hashed as long as logical size is greater than 0 Computer Hardware Concepts e The computer chassis or case is often incorrectly referred to as the CPU e The CPU is the Central Processing Unit installed on the motherboard e Also installed on the motherboard are the Random Access Memory the Read Only Memory and add in cards s
34. oss contamination o Give the hard drive a unique label prior to acquisitions to differentiate your drives from that of the suspect Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc O EnCE Study Guide Separate folders for each case are recommended Use unique directory names Each case requires an Export Temp and EvidenceCache folder EvidenceCache Storing cache files and containers for processed evidence Export Default folder for exporting evidence Temp Default temporary folder for file viewing Evidence Processor After adding evidence to a case and confirming that the data is valid and browsable the first task you undertake is to run the EnCase Evidence Processor The Evidence Processor lets you run in a single automated session a collection of powerful analytic tools against your case data Since you can run the Evidence Processor unattended you can work on other aspects of the case while this tool is processing data After completion the case data will be processed and ready for you to begin the important analytic and reporting phases of your investigation The following evidence processing functions are available O Recover folders Recover files that have been deleted or corrupted on FAT and NTFS volumes Hash analysis Generate MD5 and or SHA 1 hash values for files and compare against your
35. ou in an email message from myaccount guidancesoftware com This message will be sent to the address you provided on your application If you fail the Phase I test you will be required to wait two 2 months from the date the test was taken before being allowed to re take the test Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Your Phase II email message will include directions for accessing a certification version of EnCase Forensic evidence files and objectives or issues you must address You must work the case compile your report and then send the report to Guidance Software for review and grading within 60 days If you do not finish the Phase Il in the time allotted you will be required to wait two 2 months from the date that the test was due and restart from the beginning Those who fail the EnCE Phase II exam must wait two 2 months prior to retesting If after resubmitting Phase II you fail again you must begin the retesting process from Phase I Beginning the Certification Process The first step toward certification is to review the qualifications and complete the application available at http www guidancesoftware com computer forensics training ence certification htm Submit the completed application to the EnCE certification coordinator at the address provided Once your application has been rece
36. r exclude known or benign files o The results of both analyses are viewed in the Table view of the Evidence Entry tab Computer Knowledge e Understanding data and binary e The BIOS e Computer boot sequence e File systems e Computer hardware concepts Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 13 EnCE Study Guide Understanding Data and Binary e Bits and Bytes Bit Name Binary Bit 1 4 Nibble 0000 bByte 0000 0000 16 Word 0000 0000 0000 0000 32 Dword 0000 0000 0000 0000 0000 0000 0000 0000 64 Qword You get the idea e ASCII and Unicode o The ASCII table American Standard Code for Information Interchange is based on an 7 bit system The first 128 characters make up the ASCII table and represent alpha numeric values common punctuation and other values The remaining 128 characters are called high bit characters Together 256 characters can be addressed o Selecting Unicode will cause EnCase to search for the keyword in both ASCII and Unicode Unicode uses two bytes for each character allowing the representation of 65 536 characters e Basic Input Output System o The BIOS checks and configures the computer system after power is turned on o The BIOS chip is usually found on the motherboard o The BIOS should be checked during each examination of a computer to check the boot sequence and settings of the
37. r from the provider or transcript Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide e Guidelines for submitting renewal credit for attendance at any other computer forensic conference other than CEIC are o Only labs count seminars or product demos are not considered o Calculate one 1 CPE for every hour in a lab o To submit credits please send a copy of the conference agenda and indicate the labs attended and how many CPE each one is worth e Please do not submit your renewal documents separately Keep all certificates together and only send them when you have the requirement fulfilled When you are ready send the renewal form and any certificates letters documents via fax email or regular mail e The requirements must be met within the renewal period i e if the renewal date is June 1 2012 the requirements must have been achieved between June 1 2009 and June 1 2012 Should your certification expire you will be required to restart the EnCE process from Phase I Extensions will not be granted If you are unsure of your expiration date please email certification guidancesoftware com Complete renewal details are available at http Awww guidancesoftware com EnCE Renewal htm Other Study Material This Study Guide highlights the topics contained in the EnCE test including good forensic practices legal issues compute
38. r knowledge knowledge of EnCase evidence discovery techniques and understanding file system artifacts If you need reference materials to prepare for a specific topic or portion of the exam some recommended study materials are listed below EnCase Computer Forensics I manual by Guidance Software EnCase Computer Forensics II manual by Guidance Software EnCase Legal Journal by Guidance Software EnCase User s Manual by Guidance Software Handbook of Computer Crime by Eoghan Casey How Computers Work by Ron White Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide EnCE Preparation Training e Examining computer based evidence with EnCase software EnCase e Computer knowledge e Good forensic practices e Legal Examining Computer based Evidence e The EnCase evidence file e EnCase concepts e The EnCase environment e EnCase Evidence Processor e Index queries and raw keyword searching e File signature and hash analysis The EnCase Evidence File e Bit stream image of evidence written to a file The EnCase Evidence File Contains Case Data e Cannot be changed after evidence file is created e Contains o Case number o Examiner name o Evidence number o Unique description o Date time of computer system clock o Acquisition notes o Serial number of physical hard drive Copyright 2015 Guidance Software In
39. s change from allocated to unallocated 0 o No effect on the data within the clusters Copyright O 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 15 EnCE Study Guide e When EnCase virtually undeletes a file o Directory entry read Obtains starting extent logical size Obtains number of clusters by dividing logical size by bytes per cluster o FAT examined to determine if starting cluster extent is in use o If starting extent is in use EnCase deems this file to be Deleted Overwritten e File Allocation Table versions o FAT 16 2 16 65 536 total allocation units available clusters o FAT 32 228 268 435 456 total allocation units 4 bits are reserved by Microsoft o Two copies of the FAT are stored for backup purposes o A cluster is composed of multiple sectors A sector contains 512 user addressable data bytes File Systems exFAT e exFAT was originally created for USB flash drives and SD cards but can be used to format volumes under Windows 7 o ExFAT is recognized by Windows operating systems XP and after e The exFAT file system uses 32 bits within the table and has a limit of 4 294 967 285 232 11 cluster addresses e The exFAT file system uses free space bitmaps to reduce fragmentation and free space allocation detection issues o Each cluster is tracked in the bitmap o A single bit is used for each clus
40. t you have typed and will dynamically update the list as you type additional letters At any time you can double click on a query term and it will show the show the information about that term o Click on the Play button to run the query Raw Keyword Searching e EnCase for Windows o Logical raw keyword searching is conducted on allocated files o Physical searching is conducted upon the unallocated areas of the physical disk o Logical search will find a word fragmented between two noncontiguous clusters whereas a physical search will miss the fragmented word e Case Sensitive o Not set by default Selecting will limit hits to exact case of words entered Can be used with GREP and Unicode e GREP o Box must be selected for EnCase to use GREP expression otherwise EnCase will search for the literal entered characters Can be used with Case Sensitive and Unicode options e Unicode o Selecting this box will enable EnCase to search for keywords in both ANSI and Unicode Recommended to be selected for most searches Can be used with GREP and Case Sensitive options Unicode uses two bytes for each character allowing the representation of 65 536 characters Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 11 EnCE Study Guide Global Regular Expression and Print GREP ab m n An asterisk after a character matches any number of oc
41. ter on the volume e When a file is created within exFAT a different sequence of events may occur than in FAT o It the file is fragmented then exFAT functions as FAT does o If the file is not fragmented the FAT is not updated Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 16 EnCE Study Guide e Within the directory entries of the exFAT file system there are multiple 32 byte records at least three for each directory entry Each record has an identifier byte o Directory Entry Record Record ID 85 hex Contains Attributes Created Accessed and Last Written dates times o Stream Extension Record Record ID c0 hex Contains logical size starting extent size of filename CRC of filename and whether the FAT is being used to track the clusters allocated to the file o File Name Extension Record Record ID C1 hex Contains the filename in Unicode additional records may be needed for longer file names e When a file is deleted the first bit of the identifier of the record is changed from 1 to 0 changing the identifier to reflect a record not in use o Itis also possible for the Directory Entry Record to be changed in this manner if the file is renamed e This means that if the file was fragmented and there was a cluster chain the chain is not destroyed on deletion e InexFAT since allocation status is in the bitmap there is n
42. uch as video cards Network Interface Cards NIC Small Computer System Interface SCSI cards e Integrated Drive Electronics IDE and Serial Advanced Technology Attachment SATA disk drives can be attached directly to the motherboard with a ribbon cable e Legacy SCSI hard disk drives require a controller card on the motherboard e Geometry of hard drives o Cylinder Heads Sectors older drives Cx Hx Sx 512 bytes per sector total bytes o Logical Block Addressing Total number of sectors available x 512 bytes total bytes e Master Partition Table e Volume Boot Record e Partition tables e Partition recovery Good Forensic Practice e First response e Acquisition of digital evidence e Operating system artifacts Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 18 EnCE Study Guide First Response e At the scene o Photograph take notes sketch o Image RAM EnCase Portable or WinEn o Take down the system whether pull plug or shut down depends on circumstances Shut down if UNIX Linux or server Pull plug it depends on circumstances o Disconnect computers hard drive s o Access BIOS Obtain system date and time Obtain boot sequence e Booting turned off machines o LinEn Linux EnCase CD Disk to disk imaging with Tableau hardware write blocker Network cross over cable o EnCase Portable e Inspection
43. usters themselves have not been reused for newer files it is possible to accurately recover even heavily fragmented files that were deleted because the cluster run would still be intact Guidance File Systems NTFS Master File Table MFT Administratively documents all files folders on NTFS volume e MFT Comprised of records 1024 bytes each e MFT grows but doesn t shrink At least one MFT record is allocated to each file and folder on volume Bitmap file documents if clusters are allocated or unallocated Two types of files Resident and Nonresident Guidance oe T WAR E Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc 44 EnCE Study Guide File Systems NTFS Resident files e Data resides within MFT record for file Data does not begin at the beginning of a sector cluster Logical size physical size Nonresident files Data not within MFT Record e MFT record houses pointers to clusters storing file Pointers in the form of a data run Both types of files may be hashed as long as logical size is greater than 0 Guidance Computer Hardware Concepts The computer chassis or case is often incorrectly referred to as the CPU The CPU is the Central Processing Unit installed on the motherboard Also installed on the motherboard are the Random Access Memory the Read Only Memory and add in cards suc
44. value of the original evidence e Data in each data block is verified by a CRC when no compression is used e Both the MD5 and or SHA 1 hash and CRCs must match for the evidence file to be verified o If any compression is used the compression algorithm is used to verify data blocks Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide EnCase Concepts e The case file case o Compound file containing Pointers to the locations of evidence files on forensic workstation Results of file signature and hash analysis Bookmarks Investigator s notes e A case file can contain any number of hard drives or removable media e The case file should be archived with the evidence cache and evidence files as it contains all of the investigator s notes o Use the Create Package feature The Configuration ini Files e Contain global options used for all cases e Some configuration ini files o FileTypes ini Organizes files into groups by extension determines which viewer to use File Signature Table o Local ini Global configuration settings o Viewers ini Installed viewers associated to EnCase The EnCase Methodology e Case management o Use large capacity high RPM revolutions per minute hard drives with single partition for evidence files o Wipe the drive to eliminate any claims or arguments of cr
45. x that start with the term that you have typed and will dynamically update the list as you type additional letters 2 can double click on a query term at any time and it will show the show the information about that erm Click on the Play button to run the query Su Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide Raw Keyword Searching EnCase for Windows Logical raw keyword searching is conducted on allocated files Physical searching is conducted upon the unallocated areas of the physical disk e Logical search will find a word fragmented between two noncontiguous clusters whereas a physical search will miss the fragmented word Guidance Raw Keyword Searching Adding Keywords Case Sensitive a Not set by default selecting will limit hits to exact case of words entered can be used with GREP and Unicode GREP Box must be selected for EnCase to use GREP expression otherwise EnCase will search for the literal entered characters can be used with Case Sensitive and Unicode Unicode Selecting this box will enable EnCase to search for keywords in both ANSI and Unicode recommended to be selected for most searches can be used with GREP and Case Sensitive Unicode uses two bytes for each character allowing the representation of 65 536 characters Guidance ct TWARE Copyright O 2015 Guid
46. xtent logical size u Obtains number of clusters by dividing logical size by bytes per cluster FAT examined to determine if starting cluster extent is in use e If starting extent is in use EnCase deems this file to be Deleted Overwritten Guidance File Systems File Allocation Table e FAT 16 u 2 16 65 536 total allocation units available clusters e FAT 32 u 2 28 268 485 456 total allocation units u 4 bits are reserved by Microsoft Two copies of the FAT are stored for backup purposes Acluster is composed of multiple sectors A sector contains 512 user addressable data bytes Guidance E ortware Copyright 2015 Guidance Software Inc May not be copied or reproduced without the written permission of Guidance Software Inc EnCE Study Guide File Systems exFAT exFAT was originally created for USB flash drives and SD cards but can be used to format volumes under Windows 7 e ExFAT is recognized by Windows operating systems XP and after The exFAT file system uses 32 bits within the table and has a limit of 4 294 967 285 232 11 cluster addresses The exFAT file system uses free space bitmaps to reduce fragmentation and free space allocation detection issues Each cluster is tracked in the bitmap Asingle bit is used for each cluster on the volume When a file is created within exFAT a different sequence of events may occur than in FAT e If the file is fragmented then
Download Pdf Manuals
Related Search