IY467 Lab 3 - Intro To EnCase

This document provides instructions for a lab session introducing students to EnCase digital forensics software. The objectives are to understand the EnCase interface, know how to create a case and add forensic images, and become familiar with basic EnCase functionality. The steps outlined include starting the EnCase VM, copying over a provided image file, creating a new case and specifying details, adding the image file to the case which launches EnCase's verification process, and beginning to browse through and document evidence. Potential issues with unlicensed versions are also addressed.

UWEBIC IY467 Digital Evidence

Lab 3 Introduction to EnCase


Adapted from Week 14 Practical Session 2022 - 2023
Computer Crime and Digital Evidence
EnCase/Autopsy: An Introduction
Issued: 18th October 2022 by Jay Murphy

Contents
1 Aim and Objectives.....................................................................3

2 Introduction...............................................................................3

3 Task 1: Introduction to EnCase 7...............................................4


3.1 The EnCase Home Screen..............................................................................4
3.2 Create a New Case.........................................................................................5
3.3 Add a forensic image to the case....................................................................8
3.4 Browse the evidence......................................................................................10
3.5 Gallery View.................................................................................................13
3.6 Bookmarking notable items...........................................................................14

4 Conclusions..............................................................................16

5 Appendix...................................................................................16

1 Aim and Objectives
The aim of today’s lab session is to familiarise yourself with EnCase, a
proprietary digital forensics application.

Objectives

By the end of this session, you should:

- Be able to understand the structure of the EnCase 7 user interface.

- Know how to create a new case in EnCase, using a forensic image.

- Be familiar with the basic functionality of EnCase.

- Have started identifying useful evidence for your investigation.

- Have started documenting your work in your Contemporaneous Notes.

2 Introduction
For this lab, you will need the image from a case, in the form of an E01 case file
to be used with EnCase.

Please note that the E01 file is the one you will use to complete your
coursework this term. The goal is to create a new case on EnCase using the
E01 image file and initiate your investigation on the Hunter Case.

Because you are working on the case, you need to document any relevant actions in
your Contemporaneous Notes, so before you begin, download a copy of the template
from your Assessment folder on the VLE.

You will need VMWare installed and running in order to run EnCase. Either
VMWare Workstation or the free VMWare Player is fine. You also need the
Windows 10 Encase 7 VM image.
Instructions for where to find everything you need are in the Installing your
software for IY467 document.

There are some hard drives in college which you may be able to use in class. For
maximum flexibility in completing your coursework however, having your own hard
drive or saving the images on your own device will mean you can work anywhere.

3 Task 1: Introduction to EnCase 7
Step 1: Getting Started

Start VMWare.

Step 2: Copy the Hunter XP forensic image file into the VM.

Copy the Hunter EnCase image into the VM from the Student’s Folder
(accessed via https://xa.uwe.ac.uk unless you are on a UWE machine): “S:\fet\
CSCT\ComputerCrimeAndDigitalEvidence- UFCFP4-30-1\ Hunter Image for
Dongled v6” into a folder named HunterCase under your Documents in your
Virtual Machine (or in the shared folder on your host machine if you have
one set up).

If you have trouble downloading it, you can ask for the source hard drive from your
tutor.

Step 3: Run EnCase 7 from the Desktop.

Check that Ivanti UWE VPN (formerly Pulse VPN) is connected, and launch
EnCase from your VM Desktop. If you are prompted to allow changes to your
device from EnCase, click Yes (Figure 1).

Figure 1: Allow changes from EnCase.

3.1 The EnCase Home Screen
The EnCase Home Screen provides a variety of options (see Figure 2): you can
Create a new case or Open an existing one, view Options, File Types, or Encryption
Keys, run Processor Manager, and access Help functions.

Figure 2: EnCase Home Screen.

Please note that if you have not installed the up-to-date licence keys, or if you are
trying to work with EnCase on your own machine without enabling the VPN
connection, you will probably see the Home screen depicted in Figure 3 (EnCase
Acquisition). This is a lightweight EnCase version and will not allow you to do
everything you need to do for your coursework or lab tasks.

Figure 3: EnCase Home Screen (unlicensed version).

If this is the interface that you see, you will need to resolve this before doing anything
else. If you have not installed the licence keys go back to the software installation
instructions and do that. If you have, check that the VPN is connected and close and
reopen EnCase. If that doesn’t fix it, go to Tools > Settings > NAS tab and browse to
the keys again to make sure they are in a location you can still see.

Next, you are going to create a new case using EnCase and an image.

3.2 Create a New Case
Under Case File on the home screen (Figure 2), select New Case. Give a name to the case;
e.g. Hunter. Then, double click on the Value field for Case Number and give it a value. (It
doesn’t matter what value – obviously if you were working in forensics and had dozens of
cases to manage it would be more important!) Complete the Examiner Name and
Description fields (see Figure 4).

Figure 4: Provide details for your case.

Note the facility to back up your case every 30 minutes. You can change this
timing and specify the backup location. Please note that if you specify a backup
location in your VM, then you might (over time) run out of space on your hard
disk. It makes sense to back up your work to a convenient location in case your
VM gets corrupted. You might want to use a “shared folder”.

Note 1: When you create a new case, EnCase automatically creates the various
case folders, either in the default location, or in a user specified location (as seen
in Figure 5).

Figure 5: Folder structure.

Use File Explorer to find the case folder that was created when you created the
new case.

The Temp folder is used by EnCase when viewing files inside EnCase; the
Export folder is generally used to export evidence (Figure 6).

Figure 6: Folder structure for the current case.

Figure 7: Dialogue message from Encase regarding the Backup location.

Note 2: When you created the case and clicked OK, you might have seen a message
from EnCase if your Backup folder is located on the same disk as your Base case
folder (Figure 7).

Why might it be a bad idea to have the case file and the backup file on the same drive?

3.3 Add a forensic image to the case
The case has been created (you should see a similar output to Figure 8). However,
no evidence files are linked to the case. To link the Hunter image with the Hunter
case, follow the next steps.

Figure 8: The Case Window.

Add the forensic image to the case, by clicking on the Add Evidence link
(Figure 9) in the Case Window.

Figure 9: Add evidence to the case.

Choose Add Evidence File (Figure 10) and browse to where you saved your image
file. Find the evidence file (i.e. the E01 file) and hit Open. EnCase will immediately
load the new file and launch the case.

Note that EnCase verifies the evidence file as soon as you load it (Figure 11),
recomputing its hash and comparing it with the hash recorded at acquisition. Also
note that the Hunter XP image file is an EnCase image file (.E01), not a raw image
such as the one you acquired in Lab 2 using FTK Imager. The icon before the
Hunter XP entry, indicated in Figure 11, shows that this image comes from a hard
disk.

Figure 10: Add the evidence file.

Figure 11: EnCase initiates and verifies the case.

3.4 Browse the evidence
While browsing the evidence, note that the verification and acquisition hashes
(look at the Fields tab) can be viewed in the bottom pane of the window (Figure
12).

Figure 12: Acquisition and verification MD5 hashes for the Hunter case.

Double click on the Hunter XP link (Evidence tab). You will see a new view of the
evidence, as seen in Figure 13.

Figure 13: The Tree-Table View.

The Tree-Table view consists of three areas: the Tree pane, the Table pane, and
the View pane (see Figure 14). The Tree pane shows a generic view of the evidence.
Once you double click an entry in the Tree pane, the Table pane will provide
information about that entry. When you click an entry in the Table pane, the View
pane will parse this item and present detailed information about it. Think of it
as going from a broader scope to a more specific view of the evidence. The layout
of the Tree-Table view can be changed with the Split Mode button.

Figure 14: The Tree, Table and View panes.

Figure 15: Expand or collapse the tree structure using the arrows on the left.

You can expand/collapse the tree structure using the small arrow boxes on the
left of the folders in the Tree pane (in red in Figure 15). The structure of the
Hunter case (Tree pane) should look familiar as it is the structure of a Windows
machine.

If you click on the area to the right of the expand/collapse arrow (those arrow-like
signs), its child folders (or files) turn green. This is called ‘green plating’. This
action shifts the focus in the Table pane to this particular area. For example, in
Figure 16, the Table pane shows the files contained within the folder called
‘Hunter Pics’ and its subfolders.

Figure 16: Green plating an area of interest.

Browse through the file structure and see if you can find a folder called Hunter
Pics, filled with images that might be of use to your investigation.

Did you find an empty folder? What do you think the suspect has done?

Green-plating gives us a quick and easy way to search for images, wherever they
are stored on the disk.

Use the Tree pane to green-plate the whole of C: Then click on the Gallery tab above
the Table pane. The Gallery tab shows you all the images in the green-plated area of
the disk. Some of the images are not very interesting, they are stock images saved by
websites, such as buttons and borders. Scroll down through the images until you find
some that look more suspicious. Clicking on one of these images will take you to its
location.

Where are the images? How do you explain this?

In Figure 17 a jpg file has been chosen (101-0188 IMG.JPG in the Christina
Detsiwt folder). A photo or an image file will usually be shown by default in the
Picture tab of the View pane.

Browse to this file yourself in the evidence.

Green plate the Hunter Pics folder and you will be able to see all the images
(including in subfolders) under it. Select 101-0188 IMG.JPG in the table pane and
use the tabs in the View pane to explore it.

The Picture tab shows the image chosen.

The Hex tab (as shown in Fig. 17) allows you to view the raw file data. You can select
specific areas in the Hex view. In the example shown, I have underlined the first
four bytes of the file, FF D8 FF E1.

What are these numbers and why did I underline them?

(Look at: https://www.garykessler.net/library/file_sigs.html)

You can also see the Exif data for this file (Figure 17).

Figure 17: Examination of a particular object. The Hex tab in the View pane
shows raw data.

What camera was used to take the photograph?

At what date/time?

Can you see any problems in relying upon this timestamp?

Take a look at the Last Accessed, File Created and Last Written attributes of the
file you examine (in the Table view). Do the Exif data timestamps match any of
these 3 timestamps?

3.5 Gallery View
Return to viewing the picture files on the suspect’s computer in Gallery view by
green plating the whole disk and selecting ‘Gallery’ at the Table pane (see Figure
18). You can move around the gallery by using the arrows or page up/down
buttons on the keyboard, mouse scroll, or the side scroll bar. If you come across a
picture that is potentially relevant, blue tick it by clicking in the small box in its
top left corner. You can see a report on the picture (Report tab) in the bottom
View pane.


Figure 18: The Gallery view on the Table pane.

3.6 Bookmarking notable items

You might want to bookmark your potentially relevant items so that you can
come back to them at a later date and use them in your forensic report.
Bookmarking is a very powerful technique which can save you a lot of time
when building your report.

Figure 19: Bookmarking a notable item.

To bookmark an item that you previously blue-ticked: using the mouse, right
click and select Bookmark-Selected items (see Figure 19). Start Bookmarking
and placing comments on them!

Note: The highlighted area in the Table pane (Figure 19) is called the Dixon box and it
will show you how many files you have selected. You can use it to instantly unselect a
large number of files. This is in general a very useful facility and you should get into
the habit of always checking the Dixon box.

It is important to maintain a clear structure for your bookmarks as it will save
you a lot of time when you build a report upon the case (more on this later during
the semester). EnCase provides a clear bookmarking structure, but you can also
add your own items, using the New Folder field (as seen in Figure 20).

Figure 20: Bookmark folder structure.

Examine all the picture files in the Hunter case, bookmarking potentially relevant files. This
work will contribute to your coursework for this semester for this module.
However, please note that the timezone for the system is not yet configured. Thus,
timestamps cannot yet be trusted. You can browse the evidence and identify notable
items, but do not draw any final conclusions until you have specified the timezone.
This will be done at the next lab session.


4 Conclusions
In this lab session you created a case in EnCase. You also browsed the
evidence from the Hunter case. Hence, you might have an understanding by
now (looking at the pictures) about the case. However, you should not draw
any conclusions before you examine all evidence items and run the
Evidence processor on EnCase. Remember, it is important that you look at
the evidence impartially!

5 Appendix
Many file types start with a specific sequence of bytes, which acts as a signature.
This is why we call them file signatures (or magic numbers). Notice that the signature
analysis column in EnCase next to the file in question is empty. When we
perform signature analysis (later during this semester), EnCase will let us
know whether the file extension matches the file’s signature. EnCase
compares the magic number of the file with its extension and identifies whether
they are consistent. This is one way to find out whether the file extension of a
given file has been changed.
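The following is an added example (not from the lab handout and not EnCase’s own code) of the signature analysis described in this Appendix and of the FF D8 FF E1 bytes underlined in the Hex tab in section 3.4: each constructed sample file’s leading bytes are compared with what its extension claims, and for JPEGs the segment after the SOI marker is checked for an Exif APP1 header. The signature table and the sample files are constructed for the example.

```python
# Added example (not from the lab handout or EnCase): signature analysis as the
# Appendix describes it. Each file's leading bytes (magic number) are compared
# with what its extension claims; for JPEGs the marker after SOI is checked to
# explain the FF D8 FF E1 bytes underlined in the Hex tab. Samples are constructed.
from typing import Dict, List, Optional, Tuple

# Magic numbers for a few common types (as in the file_sigs reference the lab
# links to). Extensions that share a list are treated as the same type.
SIGNATURES: Dict[str, List[bytes]] = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}

def identify(data: bytes) -> Optional[str]:
    """Return an extension whose magic number matches the leading bytes."""
    for ext, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ext
    return None

def analyse(name: str, data: bytes) -> str:
    """'match', 'mismatch' or 'unknown', like EnCase's signature column."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = identify(data)
    if actual is None:
        return "unknown"      # no signature in the table for these bytes
    if SIGNATURES.get(ext) == SIGNATURES[actual]:
        return "match"
    return "mismatch"         # e.g. a JPEG renamed to .txt to hide it

def has_exif_app1(data: bytes) -> bool:
    """True if the JPEG's first segment after SOI (FF D8) is an Exif APP1 (FF E1):
    after the 2-byte segment length the payload begins 'Exif' plus two NUL bytes.
    FF E0 would instead be a plain JFIF APP0 segment without camera metadata."""
    return data[:4] == b"\xff\xd8\xff\xe1" and data[6:12] == b"Exif\x00\x00"

# Constructed samples: camera JPEG with Exif, website GIF, renamed JPEG, real text.
SAMPLES: Dict[str, bytes] = {
    "101-0188 IMG.JPG": b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00" + b"\x00" * 10,
    "button.gif": b"GIF89a" + b"\x00" * 8,
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8,
    "readme.txt": b"Just some text, no magic number.",
}

def run(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[str, bool]]:
    """Per file: (signature verdict, Exif APP1 present)."""
    return {n: (analyse(n, d), has_exif_app1(d)) for n, d in samples.items()}
```

Calling run() classifies notes.txt as a mismatch, which is the case a signature analysis is meant to surface; the Exif flag is why the handout draws attention to FF E1 rather than FF E0.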
