This lab is based on a sample from digitaldetec�ve.net.

The scenario is as follows:

On 19th October 2011, Victor BUSHELL, a resident of the United Kingdom, was arrested by HM Revenue
and Customs at the Port of Dover in Kent whilst atemp�ng to leave the country, bound for France. He
had in his possession a forged passport, a laptop computer and €20,000. It is believed BUSHELL is
involved in the importa�on of illegal weapons into the United Kingdom.

His laptop has been imaged and is currently being examined. You have been tasked with reviewing his
Internet browsing data. Everything you need for this case is available in the sample image that has been
uploaded to your MARS Windows Desktop. It has been established that the laptop computer was
running Microso� Windows 7 (64 bit). The suspect was using Microso� Internet Explorer as a web
browser.

EnCase is an industry standard forensic tool used by law enforcement and others around the world.
EnCase is feature rich yet and user friendly.

Using EnCase or a third-party EnCase plug-in tool, you can analyze a file system from a PC, MAC, Linux,
iPhone, or Android phone. This includes crea�ng cryptographic hashes of all evidence, viewing hex
dumps of files and the raw file system, searching for deleted or hidden files, searching keywords, and
other func�onality. Use the instruc�ons provided in this lab as a guide, realizing that they are not a
complete solu�on for crea�ng a report on the incident. You will need to explore addi�onal capabili�es in
EnCase on your own.

You will be working with forensic images created by someone else, ostensibly an evidence technician.
The tool used to create the image was FTK Imager. FTK Imager creates E01 format evidence container
files.

Professionals in the field use EnCase Forensic to

• acquire data;
• inves�gate and analyze data from mul�ple pla�orms;
• find informa�on, even when atempts have been made to hide or delete it;
• manage computer evidence including deleted files, file slack, and unallocated space;
• create exact duplicates of data;
• transfer evidence to police and atorneys;
• allow non-inves�gators to review evidence; and
• quickly prepare reports. (Guidance So�ware, Inc., 2018)
Make sure you have the EnCase Forensic User Guide handy (Guidance So�ware, Inc., 2018). You can scan
it to get an idea of the so�ware capabili�es. You will not be using all of the features in this course.
Suzanne Widup’s Computer Forensics and Digital Investigation with EnCase Forensic (2014) may also be
helpful.

EnCase was chosen for this class because it is widely used in law enforcement and other professions.
There is no free version of the so�ware, however, so if you would like to prac�ce with a similar open
source tool a�er comple�ng this course, Autopsy provides much of the same func�onality.
Consider some reasons why a simple "file copy" or "folder copy" opera�on from a suspect's system is not
enough:

First, copies made using file system u�li�es may contain informa�on that is not in the original file.
Second, copies made using file system u�li�es may omit informa�on that was present in file slack space
or unused por�ons of a directory or directory entry (beyond the recorded ending byte of the file). Both
situa�ons are unacceptable for forensic analysis since the contents of the copies cannot be proven to be
iden�cal to the original. This is why it is important to have a forensically sound image and to use a tool
that has a proven acceptance by NIST standards as well as has a history of being accepted in court.

Lab Deliverables
Your deliverables for this lab will be answering the ques�ons to several specific ques�ons regarding
evidence you found during the analysis. The results will be input into the Project Repor�ng Template.
Process Evidence
With evidence provided by local police, you are ready to begin work using EnCase. The following steps
will enable you to create a case, add the evidence, and process it.

Here a couple of �ps to make your lab experience more efficient:

• This lab takes two to five hours to complete. It is best to complete it all at once because of how
data processes in the forensics tool.
• Take your �me with each step. Read the direc�ons and view the image more than once before
comple�ng the step to ensure you understand what you need to do.
• Document what you do with screen captures and notes. It will be easier to organize your results
and complete your report if you document your path.

Let’s get started. Launch EnCase by connec�ng to your MARS Windows Desktop, click the Windows
Programs Icon in botom le� corner click the EnCase icon.
The ini�al steps of this lab are to Create Case, Add Evidence, and Process Evidence. There are many ways
to select these op�ons.

From the EnCase Forensic home page, click New Case.

Enter the following informa�on in the New Case Op�ons pop-up (see image):

Le� Side of Screen

Templates: Select "Basic"

Case Informa�on: Enter as shown (double-click each data field to edit).
Case Number: Your choice
Examiner Name: Your name
Descrip�on: Bushell Passport

Right Side of Screen

Name: Passport-Bushell
Leave Secondary Evidence Cache blank.
Uncheck Backup every op�on (Note: This is to improve performance. In the real world it would be
checked.)

Select OK and agree to further prompts. The screen below will display.
Naviga�ng EnCase gets easier with prac�ce. It uses a tab interface similar to a web browser. In the image,
note the Home icon to return to the main case page. There you will find op�ons including Search,
Browse, Evidence, Reports, and Case.

Add Evidence
Next, add evidence—the files captured with the forensic imaging tool.

Select Add Evidence (top menu bar) and select Add Evidence File.
Navigate to the loca�on of the Sample1.E01 file and click Open. This should be in your classroom share
folder on the MARS Windows Desktop.

In general, if the acquisi�on opera�on created more than one file for the output (i.e., a "file set"), the
first file in the compressed file set will be designated as 01. Specify this file when adding the evidence
file. The file with extension .txt is a summary of the acquisi�on opera�on (dates, media, drives, results,
output files.)

Click Open to access the Evidence tab and view each added image file. EnCase will ingest the evidence
files and create a verifica�on hash to ensure it matches the original acquisi�on hash of each image file.
(The inges�on occurs in the background. You don't need to wait for it to complete before moving to the
next steps.)
If the two hashes do not match, the examiner will be alerted. This informa�on can be found in the View
pane using the Report view.

Ingest Evidence Process

In the Evidence window, select Process Evidence -> Process:

The EnCase Processor Op�ons window appears. Maximize the window for beter viewing by selec�ng the
rectangle image in the upper right corner of the window.

Note: Review Chapter 6 of the EnCase Forensic User Guide. It details each op�on in the Process window.
Leave What to Process unchanged (all three evidence files in this case).

Leave Immediately queue the evidence selected.

Make sure Priori�za�on is selected.

Since the image is large, priori�ze Documents and Pictures (see image). You will be able to move forward
more quickly.
Select everything except the Unix, Linux, and OSX se�ngs. Note some items, based on the image might
not be clickable.

Select Recover Folders (click to expand and select op�on for NTFS 3.0)

Select File signature analysis (selected by default as are some other op�ons)

Select Protected file analysis

Select Thumbnail crea�on

Select Hash analysis

Select Expand compound files

Select Find email

Select Find Internet ar�facts

Select Index test and metadata

Select Windows Ar�fact Parser and configure as shown below. Note, we will not search unallocated
space in this instance, however, this is something that you may want to do to be complete.
In the interest of �me, leave File Carver unselected for this image. The scenario states that the user was
not hiding files using these methods; however, as a general prac�ce, this would be a good prac�ce.

Since you are looking for gun-related evidence, you could also add Search for keywords. Type them in
the Add Keywords List (see image). You can add your own search terms. Note: You can create patern
matches using grep style syntax. Checking the Whole Word op�on may help eliminate hits in text
transla�ons of system or other files irrelevant to your search.

Click OK to begin processing. Click Yes for any warnings that may follow. Note, if you don't see the OK
buton at the botom, maximize the window. Be warned, EnCase is system hog, so prepare for some slow
responses while the image is processed.
Track Progress
EnCase will now process the evidence files, which can take up to 30 minutes. You can track the progress
with the progress bar at the botom right of the window. Double-click the Processing Bushell (priori�zed
items) at the botom right side to reveal the process manager (see image).

You can see when it is completed, by scrolling to the right and observing the status and start and stop
�mes.
You can see more details on the processing status by clicking the task name under the Processor
Manager tab. The image below shows that the priori�zed task finished and the associated Performance.
Take Action
Once processing is complete, save the case. Be sure to save o�en to avoid losing any work! The Status
will update to complete when the evidence is processed

Using the top menu bar, click Case (Case Name), then Save. Case Name will probably be Lone Wolf.

Opening Evidence and Checking Time Zone

Once EnCase finishes processing the priori�zed items, you can move on with the inves�ga�on.
Meanwhile, you can also explore the evidence file by clicking the Evidence name under the Evidence tab.
This will display the drive and directory structure of the captured evidence as shown below.

In addi�on, by clicking the File Extents tab on the menu for the evidence file, you can see informa�on
about the file extents which is useful for your report. Be sure your window is maximized to reveal the
tabs on the far right of the submenu. Take note of the op�ons on this pane such as the permissions, Hex
and Transcript op�ons.

For your lab report, answer the following ques�ons:

1. Using the Hex tab in the evidence window, what are the first four hex values displayed?
2. Using the Permissions tab in the evidence window, what are the unique Names listed? (e.g
Administrators…)
3. Using the Atributes tab in the evidence window, what is the Full Serial Number?

To reveal the System control details, you need to Expand Recovered Folders, then Windows, followed by
System32 and then config. On the right-hand pane, click Table view to display the files in the directory.
Find the file SYSTEM. Highlight the system file, right-click it, and choose Entries | View File Structure.

A dialog box will pop up asking you to confirm whether you wish to con�nue parsing. Leave both op�ons
unchecked. Select OK.
Once EnCase completes parsing the file structure, the file name becomes a hyperlink and the icon next to
it gains a green arrow. Click the arrow to see what's inside. This may take a few minutes if the system is
s�ll busy processing the evidence file.

Next, expand the \ControlSet001\Control\TimeZoneInforma�on

In looking at the values in this key in the evidence file, you can determine its TimeZone se�ng. In the
following image, the �me zone is displayed using the Text tab of the TimeZoneKeyName registry entry.

For your report, answer this ques�on:

What is the �me zone listed for the image?
Browsing the System
Part of what EnCase does is maintain the integrity of your evidence by crea�ng hashes of all files so that
it can be proven that files were not manipulated a�er the fact. However, you s�ll need to do inves�ga�ve
work to find informa�on of interest. EnCase provides several ways to find items of interest.

A�er crea�ng a case and adding evidence, you can browse and manipulate your views of the evidence in
many ways:

• Quickly search the processed evidence a�er it is indexed.

• View thumbnails of images in the Gallery.
• See data culled into a manageable subset.
• Use filters that enable elimina�on of data based on a wide variety of atributes.
• Browse through evidence directly from evidence files or devices.
Chapter 7 of the EnCase Forensic User Guide covers the interface in detail.

Click the Home icon in the upper-le� corner of the menu, then Evidence under the Browse heading.
Note, you may need to hit the le� arrow buton to return to the Home page of EnCase. You will know
you are there when you the Search, Browse, Evidence and Report op�ons.

A page with the evidence files you added will display. To explore one (in this case the single disk file),
click the link for the evidence in the Name column to display the explorer style view of the evidence.
Start by examining the file Recovered Folders directory. The first directory provides some interes�ng
results. Be sure you have selected the Gallery view to see the actual images. You can also see the
directory contents in a thumbnail gallery by clicking the gallery tab. This is useful when there are a
number of pictures to view. You can navigate through each thumbnail image by clicking on it
You can also use the tabs at the botom of the screen to switch between Doc, Picture, Text and other
views.

For your report answer the following ques�ons:

• What type (e.g. Guns, Knifes, Rocket Launchers…) of weapons do you immediately see when you
browse the 9RD3Y03V folder.
• Which folder contains a Mastercard image?
• Which folder contains a Login with Facebook image?
• Which folder contains at least two images of people?
Hints:

• When browsing the folders, just click the le� side of the folder so it turns green.
• You don’t need to go beyond what is available on the ini�al gallery display to answer the
ques�ons. In others, no reason to search through mul�ple images on each folder. Just look at
what is available on the first page without scrolling.
• The EnCase tool can be a litle slow displaying the images, so wait for the items to become
visible.
Viewing Keyword Results
To view the results of the keyword search ini�ated during the evidence processing, return to the home
page (using the home icon) and select Keyword Hits. Alterna�vely, you can select View from the menu
and then Keyword Hits.

Looking at the keyword results, you can see the number of items and hits found throughout the image.
You can see the results returned by clicking on the items and then naviga�ng the tabs for more details.
For example, if the Weapons items is selected, it returns 17 items that can be reviewed further.

If you click on the Weapons items and looks for the “can dogs smell your gun gauge” web page. Then,
click on the transcript tab to see the associated content of this site.
For your lab report answer the following ques�ons:

• Go to the first hit of the Guns-> Items. This is most likely named search[1].htm.

Review the transcript. What does the central theme of this search seem to be? Provide some specific text
examples of the transcript that align with this central theme.
 • Go to Password-> Items and find search[2].htm file. Look at the transcript of this resource.

Review the transcript. What does the central theme of this search seem to be? Provide some specific text
examples of the transcript that align with this central theme.

Use the Project Report Template to submit your lab results for review by your instructor.

Reference
Prac�ce Files - NetAnalysis - Digital Detec�ve Knowledge Base (digital-detec�ve.net)