EnCase Forensic v20.2 User Guide
Version 20.2
User Guide
One or more patents may cover this product. For more information, please visit, https://www.opentext.com/patents
Disclaimer
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However, Open Text Corporation and its affiliates accept no responsibility and offer no warranty, whether expressed or implied, for the accuracy of this publication.
CONTENTS
Color Options 49
Font Options 50
Data Paths Options 51
Help Service Options 51
Debug Options 53
Configuring Time Zone Settings 54
EnCase Folder Locations 55
Application Folder 55
User Data 56
User Application Data 58
Global Application Data 59
Install and Configure Evidence Processor Nodes 60
Checking the Windows Application Log 64
Case Selections 93
Changing the Evidence Path if the Evidence File is Moved 94
Case Portability 95
Case Page Logo 96
Acquiring from Microsoft Exchange 116
Acquiring Email from Exchange 2013 or Later 116
Acquiring Email from Exchange Servers on Office 365 123
Acquiring from Microsoft SharePoint 128
Acquiring Evidence from SharePoint 2013 Or Later 128
Acquiring from SharePoint Office 365 OneDrive 132
Acquiring from SharePoint Office 365 134
Connecting to SharePoint Office 365 and OneDrive 136
Acquiring From Cloud-based File Services 137
Acquiring Evidence from Dropbox 137
Connecting to Dropbox repositories 140
Acquiring Evidence from Google Drive 141
Connecting to Google Drive repositories 143
Audit Drive Space 145
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) 145
Using a Write Blocker 146
Windows-based Acquisitions with Tableau and FastBloc Write Blockers 146
Acquiring in Windows using FastBloc SE 147
Acquiring in Windows without a Tableau or FastBloc Write Blocker 147
Acquiring a Disk Running in Direct ATA Mode 147
Acquiring Disk Configurations 148
Software RAID 148
RAID-10 149
Hardware Disk Configuration 149
Windows NT Software Disk Configurations 149
Support for EXT4 Linux Software RAID Arrays 150
Dynamic Disk 151
Disk Configuration Set Acquired as One Drive 151
Disk Configurations Acquired as Separate Drives 152
Acquiring Other Types of Supported Evidence Files 153
CD-DVD Inspector File Support 153
Acquiring a DriveSpace Volume 154
Reacquiring Evidence 154
Reacquiring Evidence Files 155
Retaining the GUID During Evidence Reacquisition 155
Adding Raw Image Files 155
Restoring a Drive 156
Wiping a Drive 157
Searching With Keywords 187
Adding a New Keyword 189
Creating a New Keyword List 191
Searching for Keywords in Process Memory 192
Creating an Index 192
Indexing Text in Slack and Unallocated Space 193
Setting Word Delimiters for Indexing 194
Add Word Delimiters to Search Index 194
Selecting a Language Index 195
Creating Thumbnails 197
Running EnScript Modules 197
System Info Parser 198
File Carver 199
Windows Event Log Parser 201
Windows Artifact Parser 201
Unix Login 202
Linux Syslog Parser 202
Macintosh OS X Artifacts Parser 202
Result Set Processing 206
Processing a Result Set 206
Launching Processor Options from the Results Tab 207
Creating Result Sets in Entries and Artifacts Views 207
Overwriting the Evidence Cache 208
EnScript Application UI 209
Home Page 209
Case Page 210
Processor Manager 210
Processor Node Installation 211
Opening the Processor Manager 211
Adding Processor Nodes to the Processor Manager 211
Configuring Processor Nodes 212
Process Evidence Menu 214
Queuing Evidence for Processing 215
Processor Manager Tab 217
Processor Manager Toolbar 222
Running Multiple Instances of EnCase from the Same Machine 225
Processor Manager Error and Information Messages 225
Show Logging 234
Acquiring and Processing Live Previews 236
Live Previews of Local Devices 236
Direct Network Previews 237
Crossover Previews 237
Sharing Conditions 268
Printing a Condition 268
Browsing Through Evidence 269
Check for Evidence when Loading a Case 269
Finding the Location of an Evidence Item 269
Determining the Time Zone of Your Evidence 270
Viewing Related Items 272
Browsing Images 272
Viewing Evidence 273
Creating Custom File Types 273
Viewing Multiple Evidence Files Simultaneously 275
Viewing Multiple Artifacts Simultaneously 275
Viewing Contents of 7-Zip Files 275
Macintosh Artifacts 276
Displaying HFS+ File System Compressed Files 276
HFS+ Extended Attributes 276
HFS+ Directories Hard Links 277
Finder Data and .DS_Store 278
Displaying Permissions for HFS+ Files and Directories 279
Macintosh OS X Media Containers 280
Viewing Processed Evidence 282
Viewing Media Analysis Data 282
Viewing Compound Files 285
Repairing and Recovering Inconsistent EDB Database Files 286
Viewing Email 287
Viewing Attachments 288
Showing Conversations 288
Displaying Related Messages 289
Showing Duplicate Email Messages in a Conversation 290
Exporting to *.msg 290
CHAPTER 8 Searching Through Evidence 291
Overview 293
Index Searches 293
Tag Searches 293
Keyword Searches through Raw Data 294
Viewing and Saving Search Results 294
Searching Indexed Data 294
Search Operators and Term Modifiers 297
Search Fields 303
Reserved Characters 304
Finding Tagged Items 305
Keyword Searching Through Raw Data 305
Refreshing Search Results during a Keyword Search 308
Retrieving Keyword Search Results 309
Bookmarking Keyword Search Results 310
Analyzing Individual Search Results 310
Viewing Saved Search Results 310
Creating a LEF from Search Results 312
Finding Data Using Signature Analysis 312
Adding and Modifying File Signature Associations 313
Running File Signature Analysis against Selected Files 315
Exporting Data for Additional Analysis 316
Copying Files 317
Copying Folders 319
Exporting Search Results for Review 320
Creating a Review Package 321
Analyzing and Tagging a Review Package 322
Exporting a Review Package 324
Importing a Review Package 324
Hashing Features 329
Working with Hash Libraries 330
Creating a Hash Library 330
Creating a Hash Set 331
Adding Hash Values to a Hash Set 332
Adding Results to a Hash Library 334
Querying a Hash Library 335
Adding Hash Libraries to a Case 336
Viewing Hash Sets Associated with an Entry 336
Managing Hash Sets and Hash Libraries Associated with a Case 338
Viewing and Deleting Individual Hash Items 338
Changing Categories and Tags for Multiple Hash Sets 338
Importing Hash Sets 339
NSRL Hash Sets 339
Integration with Project VIC 340
Editing Bookmark Content 357
Editing Bookmarks 357
Renaming Bookmarks 358
Decoding Data 358
Quickly Viewing Decoded Data 359
Viewing Decoded Data by Type 359
Creating a Report 414
Exporting a Report 421
Maintenance 422
Preparing Portable Devices 422
Modifying the EnCase Portable Device Configuration 423
Preparing Additional USB Storage Devices 425
Configuring EnCase Portable for NAS Licensing 426
Troubleshooting 427
FAQs 429
Viewing a Report 477
Data Acquisition - BlackBerry 544
Acquired Data - BlackBerry 544
Supported Models - BlackBerry 546
RIM BlackBerry FAQ 546
Acquiring Data from Symbian OS Smartphones 546
About Data Acquisition from Symbian OS Smartphones 547
Data Acquisition - Nokia Symbian 564
Acquired Data - Nokia Symbian 564
Supported Models - Nokia Symbian 564
Nokia Symbian OS Physical Acquisition FAQ 564
Acquiring Data from a WebOS Based Device 565
Preparing Device for Acquisition - WebOS 565
Data Acquisition - WebOS 566
Acquired Data - WebOS 567
Supported Models - WebOS 567
WebOS Devices FAQ 567
Acquiring Data from PDAs 567
About Data Acquisition from PDA 568
Psion 16/32-bit Devices FAQ 571
Palm OS Devices FAQ 575
Acquiring Data from GPS Devices 589
Acquiring Data from Feature Phones 601
About Feature Phone Plug-ins 602
Acquiring Data from SIM Cards 639
Data Acquisition - SIM Cards 639
Acquired Data - SIM Cards 639
Supported Models (Card Readers) - SIM Cards 641
SIM Card Reader FAQ 643
Acquiring Data from Memory Cards/Mass Storages/e-Readers/Portable Devices 644
Importing Data 647
Importing Data from Cellebrite UFED Cases 647
Importing Data from iOS Backup Files 648
Importing Data from RIM BlackBerry 1.x - 7.x Backup Files 650
Importing Data from RIM BlackBerry 10.x Encrypted Backup Files 651
Importing GPS and KML Files 652
Importing GrayKey Data 653
Importing GSM Tower Information 653
Importing Cloud Data 655
Extracting Authentication Data File 655
Importing Cloud Data 656
Imported Cloud Data 657
Cloud Data Importing FAQ 659
General Acquisition FAQ 659
Setup for a Drive-to-Drive Acquisition 680
Drive-to-Drive Acquisition 681
LinEn Evidence Verification 688
Window Menu 692
Console Window 692
Thread Monitor Window 693
Edit Menu 694
LinEn Command Line 696
Crossover Cable Preview or Acquisition 701
LinEn Manual Page 702
WinMagic SecureDoc Encryption Support 732
WinMagic SecureDoc Self Encrypting Drive (SED) Support 733
GuardianEdge Encryption Support 734
Supported GuardianEdge Encryption Algorithms 735
GuardianEdge Hard Disk and Symantec Endpoint Encryption Support 735
Symantec Endpoint Encryption Support 737
Symantec Endpoint Encryption 11 support 737
Sophos SafeGuard Support 738
Decrypting a Disk 738
Decrypting Sophos SGN-Encrypted Evidence Using a Challenge/Response Session in EnCase 739
Obtaining Response Codes from the Sophos SGN Website 740
Completing the Challenge/Response Session 741
Utimaco SafeGuard Easy Encryption Support 741
Supported Utimaco SafeGuard Easy Encryption Algorithms 741
Utimaco Challenge/Response Support 742
Utimaco SafeGuard Easy Encryption Known Limitation 744
Dell Data Protection Enterprise (formerly Credant Mobile Guardian) Encryption Support 745
Enabling an Examiner Machine to Identify and Decrypt Credant Files 745
Decrypting Credant Files Accessible on the Network 746
Decrypting Offline Dell Data Protection Enterprise/Credant Mobile Guardian Files 746
Decrypting Dell Full Disk Encryption 748
Decrypting Credant Files on Microsoft EFS 749
McAfee Endpoint Encryption Support 749
Vera Encryption Support 750
Setting up the Vera Decryption Module 751
Decrypting Vera Files in Online Mode 751
Decrypting Vera Files in Offline Mode 751
APFS Encryption Support 753
Previewing APFS Encrypted Drives 754
S/MIME Encryption Support 759
Troubleshooting a Failed S/MIME Decryption 759
PGP Whole Disk Encryption (WDE) Support 760
Obtaining Whole Disk Recovery Token Information 760
Obtaining Additional Decryption Key (ADK) Information 761
PGP Decryption using the Passphrase 761
NSF Encryption Support 762
Recovering NSF Passwords 762
Lotus Notes Local Encryption Support 762
Determining Local Mailbox Encryption 763
Parsing a Locally Encrypted Mailbox 763
Encrypted Block 763
Decrypted Block 764
Locally Encrypted NSF Parsing Results 765
Windows Rights Management Services (RMS) Support 766
RMS Decryption at the Volume Level 766
RMS Decryption at the File Level 767
RMS Protected Email in PST 767
Windows Key Architecture 767
Dictionary Attacks 768
Built-In Attacks 769
RAM and Disk Slack 780
Other File Systems 781
ext2, ext3, UFS, and Other File Systems 782
Dismounting the Network Share 783
Changing the Mount Point 783
Accessing the Share 783
Using the EnCase VFS Name Column 783
Using Windows Explorer with VFS 784
Third Party Tools 784
Malware Scanning with VFS 784
Other Tools and Viewers 785
Temporary Files Reminder 786
VFS Server 786
Configuring the VFS Server 787
Restrict Access by IP Address 788
Connecting the Clients 789
Closing the Connection 789
Troubleshooting the Virtual File System 790
Mounting Non-Windows Devices 799
Accessing the Local Disk in Windows Explorer 799
Saving and Dismounting the Emulated Disk 799
Closing and Changing the Emulated Disk 801
Temporary Files Redirection 801
Third Party Tools 801
Using Third Party Tools 802
Boot Evidence Files and Live Systems with VMware 802
Initial Preparation 802
New Virtual Machine Wizard 803
Booting the Virtual Machine 804
VMware/EnCase PDE FAQs 805
PDE Troubleshooting 806
Support 823
Index 825
INTRODUCTION TO ENCASE FORENSIC
EnCase Forensic enables you to collect forensically sound data and conduct complex large scale investigations from beginning to end.
- Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide
- Investigate and analyze data from multiple platforms—Windows, Linux, AIX, OS X, Solaris, and more—using a single tool
- Find information despite efforts to hide, cloak, or delete
- Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack, and unallocated space
- Create exact duplicates of original data, verified by hash and Cyclic Redundancy Check (CRC) values
- Transfer evidence files directly to law enforcement or legal representatives
- Review options that allow non-investigators, such as attorneys, to review evidence with ease
- Use reporting options for quick report preparation
CHAPTER 1
INSTALLING AND CONFIGURING ENCASE
Overview 29
System Requirements 29
License Manager 34
Installation Overview 35
Uninstalling EnCase 43
Reinstalling EnCase 43
Configuration Options 44
Overview
This chapter describes the process of installing EnCase Forensic and related components. It also lists the default locations of installation directories and files and provides information about configuring EnCase settings.
System Requirements
Before you begin, make sure you have one of the following supported operating systems:
- Microsoft Windows 7, Windows 8.1, Windows 10 versions 1607, 1703, 1709, 1803, 1809, 1903, and 1909
- Microsoft Windows Server 2008 R2 SP1, Windows Server 2012 and 2012 R2, Windows Server 2016, Windows Server versions 1803 and 1809
* 32GB RAM or more is recommended when running the Media Analyzer evidence processor module.
OpenText recommends installing the Microsoft Visual C++ 2015 Redistributable Update 3 RC on examination machines. Download the Microsoft Visual C++ 2015 Redistributable Update 3 RC at https://www.microsoft.com/en-us/download/details.aspx?id=52685.
30 EnCase Forensic User Guide Version 20.2
Minimum hardware requirements:
- 2 core processor
- 4 GB RAM
- 40 GB Spindle or SSD
For best performance based on specific workloads, examination computers should meet or exceed the following hardware and software requirements:
[Recommended-configuration table: only the cell values survived extraction. CPU: Core i5, Core i7, Core i5 M. Memory: 8 GB, 32 GB.]
License Manager
The License Manager acts as a software license repository and server. The License Manager
(previously referred to as "NAS") provides license management services. In addition to being
delivered by License Manager, licenses can also be delivered by physical security key (dongle)
or as a software license tied directly to the workstation. The License Manager is a standalone
application that can be installed at the same time as the SAFE or independently depending on
your preference.
When you run EnCase on a computer, it first searches for a physical security key or local software license for licensing information unless network-based licensing is enabled. To enable an Examiner computer to use software licensing through License Manager, you must first install License Manager and configure Examiner machines. Once configured, individual workstation access to License Manager can easily be enabled or disabled within the EnCase application. See the SAFE User Guide for installation and configuration instructions. If no valid security key or software license is found, EnCase opens in Acquisition mode.
For more information about implementing or managing the License Manager and the SAFE, see the SAFE User Guide.
Installation Overview
The EnCase Forensic Examiner is the primary application used to conduct investigations. Other
components provide additional functionality.
Select the installation option that matches how you intend to use EnCase Forensic:
- If you plan on deploying EnCase Forensic on one or more examiner machines and intend to manually install and manage physical security keys (dongles) or software licenses for each machine, use the standalone installer for EnCase Forensic for individual examiner machines. See Installing EnCase Forensic Examiner below.
- If you plan on using EnCase Forensic on multiple machines and want to centralize EnCase licensing, you must install License Manager on a machine on your network to hold and serve your software licenses. You can install License Manager on a dedicated machine, or on an examiner machine. Physical security keys and machine-specific electronic licenses can be used in conjunction with software licenses served by License Manager.
  - To install EnCase Forensic Examiner on individual machines, see Installing EnCase Forensic Examiner below.
  - To install License Manager on a machine on your network, see Installing the SAFE and License Manager in the SAFE User Guide.
1. Open the EnCase Examiner installation file. If you have a security key, do not insert it until after installation is complete.
2. Accept the default installation path (C:\Program Files\EnCase20), or enter your own installation path and click Next.
   - Accepting the default installation path overwrites any existing program files, logs, and drivers.
   - Entering your own installation path creates new files and artifacts.
3. The EnCase License Agreement is displayed. Read it and click the I Agree and accept checkbox. Click Next.
4. The installation path is displayed. Depending on your installation history, the following checkbox options display:
   - Install HASP Drivers installs the latest version of the HASP security key (dongle) drivers. We recommend selecting this checkbox if you are upgrading from a previous version of EnCase, or if you are working in an environment using a mix of both Sentinel/Aladdin HASP drivers and Codemeter security keys. This checkbox is displayed and is checked by default if you do not have HASP drivers installed. If you are reinstalling and have already installed the HASP drivers and the checkbox is present, leave the box unchecked.
   - The Install CodeMeter Drivers checkbox is displayed and is checked if you do not have a previous version of EnCase installed. We recommend installing CodeMeter drivers.
   - Reinstall CodeMeter Drivers and Reinstall HASP Drivers may display if the installer detects you have previous versions of the drivers installed. CodeMeter drivers are always reinstalled. HASP drivers can be reinstalled if desired.
8. Now that your license is activated, download and install the latest certificate files. See
Downloading and Installing Certificate Files.
All EnCase users must have administrator permissions to view local devices on Windows
computers running Vista operating systems and above.
1. From within EnCase Forensic, click the help icon in the upper right corner, then click Activate Electronic License in the dropdown menu. The Activate Electronic License dialog is displayed.
   Note: If you already have an active electronic license installed, a message is displayed. Click OK to remove the active current license, or Cancel to retain it.
2. In the License Key field, enter your EnCase Forensic product serial number. Your serial number is located on the OpenText My Support Product Activation Page under the Guidance product section.
3. Click Next. The second Activate Electronic License dialog is displayed.
4. Click Next. The *.WibuCmRaC license activation file is generated. The third Activate Electronic License dialog is displayed.
   Note: Do not click Finish until you have completed the steps below.
5. On a machine with access to the Internet, navigate to the OpenText My Support Product Activation Page and log in to your OpenText My Support account. The Product Activation page is displayed.
6. Under the Guidance product section, filter the list of available serial numbers using the search button. The product licenses linked to your product serial number display.
   - If the Guidance product section does not appear, you may need to link the purchasing account to your personal account under My Accounts > View Accounts from the OpenText My Support home page. For additional assistance, contact OpenText Support.
7. Click the Produce License Key icon in the CertGenElectronic row under your product serial number. The Produce License Key dialog is displayed.
8. Click Add files and locate the .WibuCmRaC license request file that you created.
9. Click Submit. A dialog is displayed, indicating that the license has been successfully created.
10. Click Download File to download the corresponding .WibuCmRaU license file.
    - If the above process was performed on a separate machine from the one designated to run EnCase Forensic, copy your .WibuCmRaU license file to the machine running the license activation process.
11. Return to the desktop application running the license activation process.
    Note: The *.WibuCmRaU license update file path is automatically generated and may not accurately reflect the location of the license update file.
12. Use the browse button to locate the *.WibuCmRaU license update file that was downloaded. The *.WibuCmRaU license update file path is updated.
13. Click Finish to complete the activation process.
14. Now that your license is activated, download and install the latest certificate files. See
Downloading and Installing Certificate Files.
Certificate files are delivered in the compressed file archive CertGenCertificate.zip. This
archive includes two files:
1. On a machine with access to the Internet, navigate to the OpenText My Support Product Activation Page and log in to your OpenText My Support account. The Product Activation page is displayed.
2. Under the Guidance product section, filter the list of available serial numbers using the search button. The product licenses linked to your product serial number display.
   - If the Guidance product section does not appear, you may need to link the purchasing account to your personal account under My Accounts > View Accounts from the OpenText My Support home page. For additional assistance, contact OpenText Support.
3. Click the Download File icon in the CertGenCertificate row under your product serial number. CertGenCertificate.zip is saved to your machine.
   - If the above process was performed on a separate machine from the one designated to run EnCase Forensic, copy CertGenCertificate.zip to the machine running EnCase Forensic.
4. Extract the contents of CertGenCertificate.zip to the ...\Certs folder under the EnCase Forensic installation folder.
   - The default certificate path is C:\ProgramFiles\EnCase8\Certs\.
1. On the EnCase Home page, click the question mark in the upper right corner, then click Activate Electronic License. The Activate Electronic License dialog is displayed.
2. Click Back. In the dialog that is displayed, make the corrections to the license key number
Click OK to remove the active license or Cancel to retain the current active license.
Uninstalling EnCase
The EnCase uninstaller removes the corresponding version of EnCase from your computer.
To uninstall EnCase:
1. Make backups of evidence and case files prior to making modifications to any software
on an examination machine.
2. Close any open versions of EnCase.
3. Open the Windows Control Panel and click Uninstall a Program under Programs.
4. Select the EnCase version to remove and click Uninstall/Change.
5. The EnCase uninstall wizard runs and the first screen is displayed.
6. Enter or navigate to the installation location in the Install Path field. The default for the
current version is C:\Program Files\Encase8.
7. Click Next.
8. Select Uninstall and click Next. A progress bar is displayed during the uninstall process.
9. The last page of the uninstall wizard is displayed. Select Reboot Later or Reboot Now and
click Finish. A reboot completes the uninstallation process.
Reinstalling EnCase
Use the EnCase Installation Wizard to reinstall EnCase. Reinstallation creates a new log file and
reinstalls the following items:
- Application files
- Registry keys
- Needed user files
- Default configuration files
  Note: Any modified EnScript files are overwritten during reinstallation. If you want to keep modified EnScript files, move them to another folder prior to reinstallation.
- Licenses
- Certificates
- User settings
When reinstalling EnCase, make sure that your security key is inserted. If support on the
security key has expired, a warning message is displayed.
Configuration Options
You can configure options for EnCase according to your needs or preferences, using the
Configuration Options tabbed dialog. Each tab allows you to select a panel that controls a
group of options, described in the following sections. To access the Configuration Options,
select Options from the Home tab.
Global Options
The Global tab contains settings that apply to all cases.
In the Picture Options box, Enable Picture Viewer allows graphics to be displayed in various
views.
Enable ART Image Display determines whether to display legacy ART image files. When
EnCase Forensic encounters corrupt ART image files, application problems can occur. Enabling
this setting minimizes the impact of corrupted ART files.
Note: Rendering of ART files depends on the version of Internet Explorer installed.
Current versions of Internet Explorer do not support ART files. If your version of
Internet Explorer does not support ART files, EnCase Forensic cannot render them.
Invalid Picture Timeout (seconds) indicates the amount of time EnCase Forensic attempts to
read a corrupt image file before timing out. After a timeout occurs, the corrupt file is sent to
the cache and no attempt is made to re-read it.
Force ordered rendering in Gallery forces images to display in order, from left to right, sequentially by row. If you leave this box unchecked, images display in the gallery view as they become available. Forced ordered rendering takes longer to complete; unforced rendering displays images more rapidly, but not in order.
In the Code Page box, Change Code Page lets you change the default value of the code page
from Western European (Windows) to another available code page. Set the global code page
to display foreign language characters correctly.
Show True indicates a value of true in table columns displayed in the Table tab of the Table
pane. The default indicator is a bullet, which you can change to a different character.
Show False indicates a value of false in table columns displayed in the Table tab of the Table
pane. The default indicator is a blank space, which you can change to a different character.
Default Char specifies the character that EnCase Forensic uses to indicate that a box or cell is
checked.
Flag Lost Files specifies whether the disk map shows lost clusters. Lost clusters are clusters that the file system marks as in use but that EnCase Forensic cannot associate with any file.
Detect FastBloc Hardware determines whether to search for legacy FastBloc hardware write
blockers.
Detect Tableau Hardware determines whether to search for Tableau write blockers.
Do not verify evidence when opened suppresses verification when opening an evidence file.
Run Shell Extensions for LNK Files enables EnCase to extract more data from .lnk files, which
is displayed as IDList Data in the Report tab. Be aware that this option extracts LNK data locally,
not from the acquired evidence. If you want to use this option on evidence data, you must run
EnCase on the machine that contains the LNK files of interest.
Require Case Information ensures that you can only log into the SAFE if all open and active
cases contain a case number. If you have unsaved cases, SAFE login fails and an error message
is displayed until all cases are saved.
Save Blue Checks causes blue checks to persist after closing a case or exiting EnCase Forensic.
Selecting this option may affect performance depending on how many blue checks are active
when you close the case.
Allow Live APFS Snapshot enables EnCase Forensic to accurately parse APFS data by creating
a snapshot. The snapshot takes up very little space and remains on the device until the parsing
of the data is complete, at which point the snapshot is removed. Clearing this option may
result in inconsistent and potentially unusable results.
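To show what the verification suppressed by Do not verify evidence when opened actually checks, here is an added example that is not EnCase code and does not implement the EWF/E01 container: it records a CRC32 per fixed-size chunk plus MD5 and SHA1 over a constructed image, then re-verifies a copy with one flipped bit and reports which chunk is damaged. The 32 KiB chunk size and the manifest layout are assumptions chosen for the example.

```python
"""Added example: chunk CRCs plus a whole-image hash, as a verification model.

Simplified illustration only: not EnCase's EWF/E01 format. Chunk size and
record layout are assumptions made for this example.
"""
import hashlib
import zlib
from dataclasses import dataclass, field

CHUNK_SIZE = 32 * 1024  # assumption: 64 sectors of 512 bytes per CRC block


@dataclass
class ImageManifest:
    """Integrity record produced at acquisition time."""
    size: int
    chunk_size: int
    chunk_crcs: list = field(default_factory=list)  # one CRC32 per chunk
    md5: str = ""
    sha1: str = ""


def acquire_manifest(image: bytes, chunk_size: int = CHUNK_SIZE) -> ImageManifest:
    """Compute per-chunk CRC32 values plus MD5/SHA1 over the whole image."""
    m = ImageManifest(size=len(image), chunk_size=chunk_size)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for off in range(0, len(image), chunk_size):
        chunk = image[off:off + chunk_size]
        m.chunk_crcs.append(zlib.crc32(chunk) & 0xFFFFFFFF)
        md5.update(chunk)
        sha1.update(chunk)
    m.md5, m.sha1 = md5.hexdigest(), sha1.hexdigest()
    return m


def verify_image(image: bytes, manifest: ImageManifest) -> dict:
    """Re-check an image against its manifest.

    Besides the overall hash match, the per-chunk CRCs let the examiner
    localise damage to a chunk index instead of only learning that the
    hash differs.
    """
    result = {"size_ok": len(image) == manifest.size,
              "bad_chunks": [], "md5_ok": False, "sha1_ok": False}
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    cs = manifest.chunk_size
    for idx, off in enumerate(range(0, len(image), cs)):
        chunk = image[off:off + cs]
        md5.update(chunk)
        sha1.update(chunk)
        expected = manifest.chunk_crcs[idx] if idx < len(manifest.chunk_crcs) else None
        if expected is None or (zlib.crc32(chunk) & 0xFFFFFFFF) != expected:
            result["bad_chunks"].append(idx)
    result["md5_ok"] = md5.hexdigest() == manifest.md5
    result["sha1_ok"] = sha1.hexdigest() == manifest.sha1
    result["verified"] = (result["size_ok"] and result["md5_ok"]
                          and result["sha1_ok"] and not result["bad_chunks"])
    return result


def demo() -> tuple:
    """Constructed sample: a pseudo-random image, then one bit flipped in chunk 2."""
    import random
    rng = random.Random(20200)  # fixed seed keeps the constructed sample reproducible
    image = bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE * 3 + 100))
    manifest = acquire_manifest(image)
    clean = verify_image(image, manifest)
    damaged = bytearray(image)
    damaged[CHUNK_SIZE * 2 + 7] ^= 0x01  # silent single-bit corruption in chunk index 2
    tampered = verify_image(bytes(damaged), manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean image verified:", clean["verified"])
    print("damaged image verified:", tampered["verified"],
          "bad chunks:", tampered["bad_chunks"])
```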
Date Options
Customize date/time information associated with a case using the Date tab in Options.
Display time zone on dates includes the time zone in date/time columns.
- MM/DD/YY (07/25/18)
- DD/MM/YY (25/07/18)
- Other lets you specify your own date format.
- Current Day displays the current date in the specified date format.
Use License Manager for licensing: Check this box to indicate use of License Manager to run
the copy of EnCase on your computer.
License Manager Key Path: Specifies the full path of the user's licensing file. The license file for
general licensing of EnCase is default.nas.
License Manager .SAFE Key Path: Enter the full path of the location of the EnCase SAFE public
key file. This SAFE token file has a file signature of .SAFE and is found on the License Manager.
License Manager Address: Enter the IP address or machine name of the computer running the License Manager. If you are using a port other than the default 4446, append the port number to the address, separated by a colon (for example, 192.168.1.34:4446).
Status: Displays the name or IP address of the computer on which the EnCase licensing files
currently reside.
Create User Key...: Opens the Create User Key dialog. Do not use this button unless you are
creating separate licenses for each computer belonging to your License Manager setup. For
more information about using individual licenses, see the SAFE User Guide.
Color Options
Use the Colors tab to change the default colors associated with various case elements. This
dialog shows the current foreground and background colors for the case element.
Font Options
Use the Fonts tab to customize the fonts used for EnCase user interface items, and in data
panels and reports.
- Shared scripts
- Filters
- Searches
- Conditions
- Keywords
There are three ways Help can be delivered, as shown on the Help Service tab in the Options
dialog:
1. Online - This is the default option for users with an Internet connection. The Help page URLs are dynamically generated and expire after 24-36 hours. If a user shares a link to a Help topic, it will only work temporarily.
2. Private Help Server (PHS) URL - This is for those companies whose users are not connected to the Internet. You will need to specify the path to the PHS in the Options dialog:
   http://<servername>:<port>/OTHelp/mapper
   The Private Help Server Administration Guide has step-by-step instructions on how to set up a PHS, and consists of the following sets of tasks:
   1. Prepare a Microsoft Windows server.
   2. Download and install a PHS.
   3. Add Help files to the PHS.
   4. Configure the application to point to the PHS (in the Options dialog).
3. PDF User Guide Path - Users who are not connected to the Internet and do not have a Private Help Server configured can open a PDF version of a User Guide that has been downloaded from My Support. Specify the path to this document in the Options dialog.
Debug Options
Use the Debug tab to specify debugging information and options.
The Startup panel displays operating system, application, and session information about your
computer and about EnCase.
If the pane is empty, click Show Startup Log to display the information. The information is
useful for troubleshooting purposes.
Click Show Logging to view trace log messages for various operations.
System Cache specifies the amount of physical memory used for caching reads and writes of
files on disk. The default value is 20 percent of the computer's physical memory (RAM).
- Minimum (MB): The minimum size of the system cache in megabytes; the default value is 1.
- Maximum (MB): The maximum size of the system cache in megabytes. The default value
depends on the amount of physical memory available on the computer. You can manually set
this value up to the maximum amount of physical memory available (although this is not
recommended).
- Controlled by EnCase: Selecting this checkbox lets EnCase control the size of the system
cache (recommended).
- Do not warn at startup: If you select this checkbox, EnCase does not display warning
messages when possible system memory issues occur.
- Set Defaults: Click this button to reset the system cache values to their defaults.
Debug Logging allows you to select which logging action to take in the event of a crash:
Configuring Time Zone Settings
1. In a case, click the Evidence tab to view a list of your devices in the Table tab.
2. Click the name of the device you want to modify.
3. From the Device menu, select Modify time zone settings. The Time Properties dialog is
displayed.
Application Folder
The application folder contains files used by EnCase. User data and user configuration settings
are not saved in this location. The default path for Windows 7, Windows 8, and Windows Vista
is \Program Files\EnCase8.
User Data
User-created files and backup user data are stored by Windows 7, Windows 8, and Windows
Vista in the following default folder: \Users\<Username>\Documents\EnCase. The current
path used to store user data is displayed under Paths on the EnCase home page.
Case Backup
Backup case data are saved in the following location for Windows 7, Windows 8, and Windows
Vista operating systems: \Users\<Username>\Documents\EnCase\Cases\Backup.
Case Folder
Case files are stored in the following default location for Windows 7, Windows 8, and Windows
Vista operating systems: \Users\<Username>\Documents\EnCase\Cases\<Case
Name>.
<Case Name>.Case: EnCase case file
Evidence Cache
The evidence cache folder contains the cache, index, and Evidence Processor results for a
device. The default location for Windows 7, Windows 8, and Windows Vista operating systems
is: \Users\<Username>\Documents\EnCase\Evidence Cache\<Hash>.
The current path used to store user application data is displayed under Paths on the EnCase
home page.
EnCase requires that these data locations have both read and write access. If Windows is set
up so that either of these locations is on a read-only network share, or on a hard drive which is
read-only and at a separate location, EnCase cannot store its settings correctly and cannot
function properly.
To accommodate situations where you cannot change these locations, and the Windows store
locations are read-only, EnCase allows you to change these locations for the EnCase
application. You can change these locations by selecting Tools > Options > Data Paths tab. The
Options dialog is displayed as shown here:
The User Data Folder is the default location for data such as cases, conditions, filters, logs and
templates. The User Application Data Folder stores program settings and other configuration
files.
- \Users\All Users\AppData\Roaming\EnCase
- \Users\All Users\AppData\Roaming\EnCase\EnCase8-<#>
The current path used to store global application data is displayed under Paths on the EnCase
home page.
Logos: Default report logo
Config: License Manager and other global configuration files
The processor manager module in EnCase Examiner enables you to manage, distribute, and
monitor evidence processing jobs across your network. For information on using the
processor manager, see Processor Manager on page 210. The processor manager and each
processor node must have access to the shared drive where the evidence file and the cache are
stored.
You can process evidence on any machine on your network, including other examiner
machines. To enable a machine as an evidence processor, open the EnCase Processor Node
executable file. This file installs the following two components:
- EnCase Processor Node: Enables a machine to act as an evidence processor and accept
work sent from the machine you use for processor management and examining evidence.
- EnCase Processor Server (EnServer): A service that runs on a machine and enables
communication between the node and the Processor Manager.
Once installed and configured, the machine will appear as an available node in your EnCase
Examiner processor manager.
Note: Installing the evidence processor node on your local machine enables it to be
used as a node by another examiner machine on your network.
1. Download the EnCase Processor Node zip file and extract its contents.
2. Open the Evidence Processor Node executable file. The self-extractor dialog is displayed.
3. Click Setup. The Setup dialog is displayed.
4. Click Next. The Destination Folder dialog is displayed.
5. Accept the default path or click Change to enter another path, then click Next. The
Configuration dialog is displayed.
  - Give the node a meaningful name. This name is displayed in the Processor Node
column of the Processor Manager tab.
  - Enter the number of the port you want to use. The default is 443.
  - Specify the drives for the Evidence File Destination, the Evidence File Cache, and the
Case File Destination.
  - All paths must be specified in UNC format.
  - For the Evidence File Cache, use the fastest I/O available.
  - For detailed information about system requirements, see System Requirements on
page 29.
Note: You can change these configuration settings after installation using the
processor node Edit dialog. See Configuring Processor Nodes on page 212.
1. The EnCase Server Edition dialog is displayed after the processor node is installed.
Note: The EnCase Server Edition dialog may display behind another open dialog. If
the process seems to be stuck after installing the processor node, look for the EnCase
Server Edition dialog.
2. Accept the default install path or browse to another path, then click Next. The End User
License dialog is displayed.
3. Select I agree and accept, then click Next. The Options dialog is displayed.
  - Select Run service as user if you do not want to run the service as the Local System
account. Enter a username and password. The user specified needs read permission to the
evidence and read/write permission to the evidence caches that this Evidence Processor Node
will process. A dedicated account limited to those permissions is preferable to running the
service as Local System.
You may also see an error stating "...restarting script...EnServer." This is displayed when you
manually start the EnCase Processor Server service.
All of the logs listed above should be present; if not, EnCase Processor Server started, then
stopped, and is offline.
CHAPTER 2
USING PATHWAYS TO STREAMLINE
WORKFLOWS
Pathways Overview 67
Custom Pathways 74
Pathways Overview
Pathways provide step by step guidelines to walk you through specific workflow scenarios.
Each Pathway contains links that take you to individual steps in the workflow process.
Pathways are based on the curriculum taught by our award-winning training department, and
are designed to help examiners of any level efficiently navigate an investigation. Pathways are
not mandatory. You can exit a Pathway at any stage of your investigation.
Pathways are available from two access points:
- Home page
- Toolbar menu
If you exit the Pathway, or your workflow navigates you away from it, you can always return
to the Pathway from either of these two access points.
GETTING STARTED
To get started with a full investigation case, the pathway suggests five steps:
  - Create a case
  - Add evidence
  - Audit your drive space
  - Determine the time zone of your evidence
  - Apply a hash library to your case
3. You can follow the steps for the case you have open, or you can start a new case by
clicking Create a New Case. See Using a Case Template to Create a Case on page 87.
4. Once you create a case, the next step is to add evidence to it. Back on the Full
Investigation page, click Add Evidence to Your Case. The Add Evidence dialog is displayed.
5. Click the appropriate link and follow the instructions to perform any of the available add
evidence actions. This must be done before any processing is done on the evidence. See
Adding Evidence to a Case on page 90.
6. After evidence is added, the next step is to audit the space of all devices in the case. This
must be done before any processing is performed on the evidence. This process builds a
summary table in the Bookmarks tab showing the usage of all devices in the case. Additional
tables are built in the Bookmarks tab for each device to account for all space on each drive.
See Audit Drive Space on page 145.
7. Now that your drive space is audited, the Pathway leads you towards setting a time zone
for your evidence. This step parses the SYSTEM registry hive to determine the current
control set, then reads the time zone information from that control set for each of the
selected evidence files. To preserve the forensic accuracy of the data, this must be done
before any processing is done on the evidence. In the Full Investigation dialog, click
Determine the Time Zone of the Evidence. See Determining the Time Zone of Your Evidence
on page 270.
8. On the Full Investigation page, click Apply Hash Library to Your Case. See Adding Hash
Libraries to a Case on page 336.
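The time zone step above first reads Select\Current to find the active control set, because the CurrentControlSet link exists only on a live system. The following Python script, an added example that is not EnCase code, performs the same walk over an offline SYSTEM hive modelled as nested dicts (constructed sample data; the value names under Control\TimeZoneInformation are the real ones, and a registry parser would supply the real values). It also shows why the Bias DWORD must be decoded as a signed value and how to convert a local timestamp taken from the evidence to UTC.

```python
"""Resolve the current control set of an offline SYSTEM hive and read its
time zone. Added example; the hive below is a constructed stand-in for
what a registry parser returns (REG_DWORDs kept as raw little-endian bytes)."""
import struct
from datetime import datetime, timedelta

SAMPLE_SYSTEM_HIVE = {
    "Select": {"Current": 2, "Default": 2, "LastKnownGood": 1, "Failed": 0},
    "ControlSet001": {  # stale control set; using it would give the wrong zone
        "Control": {"TimeZoneInformation": {
            "Bias": b"\xc4\xff\xff\xff",            # -60 minutes (UTC+1)
            "ActiveTimeBias": b"\xc4\xff\xff\xff",  # -60 minutes
            "StandardName": "W. Europe Standard Time",
            "TimeZoneKeyName": "W. Europe Standard Time",
        }},
    },
    "ControlSet002": {  # the set Select\Current points at
        "Control": {"TimeZoneInformation": {
            "Bias": b"\x2c\x01\x00\x00",            # 300 minutes (UTC-5)
            "ActiveTimeBias": b"\xf0\x00\x00\x00",  # 240 minutes (UTC-4, DST active)
            "StandardName": "Eastern Standard Time",
            "DaylightName": "Eastern Daylight Time",
            "TimeZoneKeyName": "Eastern Standard Time",
        }},
    },
}

# Constructed local timestamp from the evidence, used by the demo and test.
SAMPLE_LOCAL_TIME = datetime(2020, 6, 1, 9, 30)


def reg_dword(raw: bytes) -> int:
    """Decode a REG_DWORD as a signed 32-bit value; Bias is negative east of UTC."""
    return struct.unpack("<i", raw)[0]


def current_control_set(hive: dict) -> str:
    """Offline hives have no CurrentControlSet link: resolve Select\\Current."""
    number = hive["Select"]["Current"]
    name = f"ControlSet{number:03d}"
    if name not in hive:
        raise KeyError(f"Select\\Current refers to {name}, which the hive does not contain")
    return name


def timezone_info(hive: dict) -> dict:
    """Return the effective time zone recorded in the hive."""
    control_set = current_control_set(hive)
    tzi = hive[control_set]["Control"]["TimeZoneInformation"]
    bias = reg_dword(tzi["Bias"])
    active = reg_dword(tzi["ActiveTimeBias"])
    return {
        "control_set": control_set,
        "name": tzi.get("TimeZoneKeyName") or tzi["StandardName"],
        "bias_minutes": bias,
        "active_bias_minutes": active,
        "utc_offset_hours": -active / 60,  # Windows defines UTC = local + Bias
        "dst_in_effect": active != bias,
    }


def local_to_utc(local_time: datetime, active_bias_minutes: int) -> datetime:
    """Convert a naive local timestamp from the evidence to UTC."""
    return local_time + timedelta(minutes=active_bias_minutes)


if __name__ == "__main__":
    info = timezone_info(SAMPLE_SYSTEM_HIVE)
    print(info)
    print(local_to_utc(SAMPLE_LOCAL_TIME, info["active_bias_minutes"]).isoformat())
```

ActiveTimeBias is the offset that was in force when the hive was last written, so it is the value to apply to timestamps recorded around that time; Bias is the zone's standard offset. A live-system parser that follows CurrentControlSet instead of Select\Current would silently read ControlSet001 here and misplace every timestamp by five hours.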
PROCESSING EVIDENCE
Once you have set up your case and added evidence, you can process it in a variety of ways.
Once you have processed your evidence with one of the processing profiles listed below, you
will be unable to reprocess it with another Pathway Profile. Any further processing should be
done using the Custom profile option.
Once a processing profile is selected, you can view its progress by double clicking the progress
bar on the bottom right of the screen.
- Process email
  - File signature analysis
  - Hash analysis (MD5 and SHA-1)
  - Expand compound files
  - Find email (except lost or deleted items)
  - Index allocated text and metadata
  - Skipping files in hash library and skipping slack
  - System Information Parser without live registry
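As an added example (not EnCase code), the following Python script implements the hash analysis and hash-library skipping options listed above: it computes MD5 and SHA-1 for every file under a directory, looks both digests up in a hash library of known and notable sets, skips known files from further processing, and flags an entry whose recorded digests agree on one algorithm but not the other. The hash library, file names and file contents are constructed; the digests hard-coded for them are the standard test-vector values of those contents.

```python
"""Hash analysis against a hash library. Added example, not EnCase code."""
import hashlib
import os
import shutil
import tempfile


class HashLibrary:
    """Entries of (category, md5, sha1); either digest may be absent."""

    def __init__(self):
        self.entries = []
        self.by_md5 = {}
        self.by_sha1 = {}

    def add(self, category, md5=None, sha1=None):
        index = len(self.entries)
        md5 = md5.lower() if md5 else None
        sha1 = sha1.lower() if sha1 else None
        self.entries.append((category, md5, sha1))
        if md5:
            self.by_md5[md5] = index
        if sha1:
            self.by_sha1[sha1] = index

    def match(self, md5, sha1):
        """Return (category, consistent). consistent is False when a hit entry
        records both digests but only one of them matches the file."""
        hit_ids = {i for i in (self.by_md5.get(md5), self.by_sha1.get(sha1)) if i is not None}
        if not hit_ids:
            return None, True
        categories = {self.entries[i][0] for i in hit_ids}
        consistent = all(
            e_md5 in (None, md5) and e_sha1 in (None, sha1)
            for _, e_md5, e_sha1 in (self.entries[i] for i in hit_ids)
        )
        category = "notable" if "notable" in categories else sorted(categories)[0]
        return category, consistent


def hash_file(path, block_size=1 << 20):
    """MD5 and SHA-1 of a file, streamed so large evidence items fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def classify(md5, sha1, library):
    category, consistent = library.match(md5, sha1)
    if category is None:
        return "unknown"
    if not consistent:
        return "review"   # bad library import or a collision: never auto-skip
    return category


def analyze_tree(root, library, skip_known=True):
    """Hash every file under root; known files are marked skipped (not indexed)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            md5, sha1 = hash_file(path)
            category = classify(md5, sha1, library)
            results.append({"path": path, "md5": md5, "sha1": sha1,
                            "category": category,
                            "skipped": skip_known and category == "known"})
    return results


# Constructed sample: file contents and the library built for them.
SAMPLE_FILES = {
    "readme.txt": b"hello world",          # known, both digests recorded
    "empty.dat": b"",                      # known, MD5-only entry
    "dropper.bin": b"abc",                 # notable
    "stub.bin": b"a",                      # known entry with a wrong SHA-1 -> review
    "notes.txt": b"not in any hash set",   # unknown
}


def sample_library():
    lib = HashLibrary()
    lib.add("known", md5="5eb63bbbe01eeed093cb22bb8f5acdc3",
            sha1="2aae6c35c94fcfb415dbe95f408b9ce91ee846ed")       # "hello world"
    lib.add("known", md5="d41d8cd98f00b204e9800998ecf8427e")     # empty file
    lib.add("notable", md5="900150983cd24fb0d6963f7d28e17f72",
            sha1="a9993e364706816aba3e25717850c26c9cd0d89d")       # "abc"
    lib.add("known", md5="0cc175b9c0f1b6a831c399e269772661", sha1="0" * 40)  # "a", bad SHA-1
    return lib


def demo():
    """Write the sample files to a temp directory, analyze, return {name: (category, skipped)}."""
    root = tempfile.mkdtemp()
    try:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return {os.path.basename(r["path"]): (r["category"], r["skipped"])
                for r in analyze_tree(root, sample_library())}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The "review" outcome is the caveat behind skipping: a file is only excluded from indexing and search when every digest the library holds for it matches, so a corrupted hash set or a deliberate MD5 collision cannot push an item out of the examination.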
- Select the view options to see different aspects of your evidence. These options only
work if email messages and/or internet artifacts were selected during processing. Selecting
either one of these options takes you to the Artifacts tab.
  - View email messages
  - View Internet artifacts
  - Keyword searches (Selecting this option opens the Search view; select the Keywords
option.)
GENERATING REPORTS
After you have found the information you need, you can generate reports in a variety of ways.
GETTING STARTED
To get started with a triage case, the pathway suggests three steps:
  - Create a case
  - Add evidence
  - Apply a hash library to your case
3. You can follow the steps for the case you have open, or you can start a new case by
clicking Create a New Case. See Using a Case Template to Create a Case on page 87.
4. Once you create a case, the next step is to add evidence to it. Back on the Preview/Triage
page, click Add Evidence to Your Case. The Add Evidence dialog displays.
5. Click the appropriate link and follow the instructions to perform any of the available add
evidence actions. See Adding Evidence to a Case on page 90.
6. On the Preview/Triage page, click Apply Hash Library to Your Case. See Adding Hash
Libraries to a Case on page 336.
7. The Apply Hash Library to Case dialog displays.
QUICK ANALYSIS
Once you have set up your case and added evidence, you can process it in a variety of ways:
GENERATING REPORTS
After you have found the information you need, you can:
- Generate a Triage report to easily share your findings in HTML format. See Triage Report
on page 438.
Custom Pathways
Custom pathways are sequences of options that can be configured to match your specific
workflow. Options in a pathway can consist of EnScript instructions, filters, and conditions.
Headers can be added to provide help information.
1. In EnCase Forensic, navigate to the Pathways dropdown menu and select Create New.
The Custom Pathway dialog displays.
  - The left pane displays all available options (alphabetically) that can be added to a
custom pathway.
By default, this list is populated with the options found in the standard Full
Investigation and Preview/Triage pathways.
Options can be created by calling EnScript files, pre-configured filters,
EnPacks, conditions, and header help files.
  - The right pane displays the options currently included in your new custom pathway.
  - To add options to your custom pathway, select an item from the left pane and click
Add.
  - To remove options from your custom pathway, select an item from the right pane
and click Remove.
  - Use the Up and Down buttons to rearrange options in the custom pathway you are
building. You can arrange options in a pathway in any order.
2. To add a new option to the Options list, click Add Option. The Add Pathway Option
dialog displays.
The new option displays in the left pane of the Custom Pathways dialog.
To delete a custom option, right-click on the option and select Delete.
3. When you finish building your custom pathway, click Save As. The Save Custom Pathway
dialog displays.
Once saved, the pathway displays in both the Pathways dropdown menu and on the home
page.
1. Click Pathways, then click the name of the custom pathway you created.
2. The pathways you created display as links. Action links require a case to be open for them
to be active; if no case is open, the links are not clickable. Action link types are:
  - EnScripts (*.EnScript)
  - EnPacks (*.EnPack)
  - Conditions (*.EnCondition)
  - Filters (*.EnFilter)
Note that:
1. In EnCase Forensic, navigate to the Pathways drop down menu and select Edit/Delete
Pathway > Edit Pathway.
  - If only one pathway exists, the pathway displays in the edit dialog.
  - If multiple pathways exist, the Select Custom Pathway dialog displays.
2. When done, click OK. The Custom Pathway dialog displays the custom pathway you have
selected.
3. Modify your custom pathway as desired.
4. When done, click Save As to create a new pathway with your updated changes, or click
Save to save the changes to your original pathway.
Your new custom pathway now displays in the Pathways dropdown menu and in the
Pathways area of the home page.
1. In EnCase Forensic, navigate to the Pathways drop down menu and select Edit/Delete
Pathway > Delete Pathway. The Select Custom Pathway dialog displays.
2. Select the pathway you want to delete and click Delete.
  - A dialog displays confirming you want to delete this pathway. Click Yes.
  - After you confirm, the Delete Pathway dialog remains open so you can delete
additional pathways if desired. When you finish deleting pathways, click Close.
Deleted pathways no longer display on the home page or the Pathways menu.
The header name is displayed in the workflow. When you click the ? icon next to the name, the
associated help file displays in a popup dialog.
Pathway headers are .txt files which can be added in the same way as other options.
1. From the Pathway Options list, click Add Option. The Add Pathway Option displays.
The header name displays within the structure of the pathway. When you click the ? icon next
to the name, the associated help file displays in a popup dialog.
Header files are .txt files that can contain some basic formatting.
The formatting of this template creates a help dialog that looks like this:
CHAPTER 3
WORKING WITH CASES
Overview 85
Launching EnCase 85
Case Operations 93
Case Portability 95
Overview
This chapter describes how to use EnCase to create and start work on a case. It explains the
major components of the user interface, and how to use them to take full advantage of
EnCase features.
The chapter's purpose is to get you started with EnCase case creation. This chapter:
l Explains how to use the main features of this digital forensic tool.
l Describes the structure used to gather and process case evidence.
l Guides you through the initial stages of case creation.
l Introduces you to the basics of using case templates.
l Describes the process of adding evidence to a case and setting case options.
l Shows how to work with cases.
l Describes the case portability feature.
In EnCase, a case is stored in a folder, with subfolders for case-specific information such as tags
and search results. The case folder and the components contained within that folder directly
associate the investigative work you perform with the evidence. As a result, the case folder
should not be directly opened or modified.
Launching EnCase
When you launch EnCase, the Home page is displayed.
The Home page, like all EnCase pages, consists of several sections, each with a specific set of
functions. In descending order, they are:
Using a Case Template to Create a Case
1. Click New Case beneath the CASE FILE category on the Home tab.
2. The Case Options dialog is displayed. Use this dialog to select a case template and name
the case.
3. In the figure below, the #1 Basic template is selected.
4. Enter a case Name, then click OK.
files were not created for a device, they are stored in this folder when the Evidence
Processor is run.
- Secondary evidence cache: EnCase allows you to specify a secondary location for a
previously created evidence cache. This allows you to specify a folder on a network share or
other location to store cache files. Unlike the primary evidence cache folder, EnCase reads
previously created files from this location only. Evidence caches which do not exist in the
Secondary folder are stored in the Primary folder. Previously existing evidence caches in
the Secondary folder continue to be stored in the Secondary folder.
- Backup every 30 minutes: Select the checkbox to set up backups at 30 minute intervals.
Click the up/down arrows on the Maximum case backup size (GB) field to set the
maximum case backup size.
- Backup location: The folder where case backup data is stored.
- Case information: Case information items are user configurable name-value pairs that
document information about the current case. Primarily, you use this user definable
information to insert into a Report. To create case information items, click the New
button on the toolbar. To edit case information items, select an item and click the Edit
button on the toolbar.
Click OK to apply the case options. The Home tab then displays a page for this particular case
with the case name at the top. This case page lists hyperlinks to many common EnCase
features and you can use it as the control center for this case. You are now ready to begin
building your case.
Case Templates
When you create a new case, EnCase displays a list of available templates. These are
.CaseTemplate files. EnCase supplies several predefined templates, using the pound sign
(#) as a prefix. Their names display in this box along with any saved templates.
Although you can configure a new case using the blank template (None), we recommend using
a template, as it simplifies the case creation process. Each case template contains a uniquely
configured set of the following elements:
You can also create your own templates by saving any case as a template. Afterwards, the new
template is displayed in the Templates list and is available for future use. If you intend to
create a number of cases with a similar structure, save one of them as a template and use it to
generate the other cases. You can share case templates with other users by sending them the
case template file.
Adding Evidence to a Case
If you click the Add Evidence link on the Case page, the page changes to one like that shown
below. At any time, you can use the back or forward buttons to help navigate through the
different Home tab pages.
The Add Evidence menu contains these selections and a selection to open the Evidence
Processor. For more information, see the Evidence Processor Overview.
- Add Local Device: Initiates the process of adding a local device attached directly to your
local computer. This can be the main system drive, a device attached through a Tableau
write blocker, any other device connected to an internal bus connection, floppy drives,
optical media, card readers, or any device connected to a USB port.
- Add Network Preview: Select one of two acquisition options: Add SAFE Network
Preview or Add Direct Network Preview.
- Add Evidence File: Specifies an evidence file to add to the active case. This can be an
EnCase Evidence file (E01 or Ex01), Logical Evidence file (L01 or Lx01), VMware (vmdk),
Virtual PC file (vhd), or SafeBack (*.001) file.
- Add Raw Image: Adds a raw or dd image file of a physical device to the active case.
- Add Crossover Preview: Crossover cable acquisitions require both a subject and an
examiner machine. This type of acquisition also removes the need for a hardware write
blocker. It may be desirable in situations where physical access to the subject machine's
internal media is difficult or impractical. This selection is the recommended method for
acquiring laptops and exotic RAID arrays.
- Process Evidence: Allows automated processing of case evidence across a wide selection
of parameters. This option is available only when one or more evidence items are added
to the case.
The Evidence Processor includes features such as:
There are additional options for acquiring mobile devices under Acquire Smartphone:
- Acquire from Device: Opens the Acquisition Wizard, which detects the mobile device you
have plugged in to your computer and walks you through the acquisition process.
- Acquire from File: Opens the Import Wizard, which allows you to import a backup file
from a mobile device.
- Acquire from Cloud: Opens the Cloud Data Import Wizard, which allows you to pull data
from Facebook, Google, or Twitter, provided you have authentication tokens or the
user's account credentials.
- Primary evidence cache: Use the browse button to change the Primary evidence cache
folder. This selection is disabled if you checked Use base case folder for primary
evidence cache when first creating the case.
- Secondary evidence cache: If your case requires a second cache, use the browse button
to change the Secondary evidence cache folder.
To add or edit case information items, click the appropriate button on the Case information
toolbar.
You cannot change the Name or the Full case path; these exist for informational purposes
only.
Case Operations
Use the Case menu and the Case selections on the Case Home page to work with the
parameters of and perform actions on your case.
The Case Selections table below shows a list of basic operations for working with a case. Use
the menu items on the Case menu and the links beneath the Case section on the Case panel
for these operations.
Case Selections
Save: Saves the current case file. The default file extension for a case file is .Case. The
default extension for a backup case file is .cbak.
Save As Template...: Saves the case as an EnCase template to use with new cases. The file
extension for a case template is .CaseTemplate.
Create Package: Packages a case to share with other users or environments.
Case Backup: Creates a backup of the current case. Alternately, it allows you to specify a
different case file or a case backup location.
Hash Libraries...: Displays the Hash Libraries dialog, which provides a list of hash libraries
and hash sets used in the current case. Allows you to change libraries or enable and disable
hash libraries and sets.
Open...: Opens an existing case file. Note that you can have more than one case file active
at a time.
New Case...: Opens the Case Options dialog so you can create a new case file.
Click OK. You can then reassociate the evidence to the new location when you drill into the
evidence or view the evidence for the first time. Saving the case after that commits the change.
1. On the Evidence tab, click the checkbox for the evidence file where you want to change
the path, then click Update Paths.
2. In the Update Paths dialog, choose an existing path from the dropdown menu.
3. In the New Path field, enter or browse to the new path.
4. Click OK.
Case Portability
The Case Package option offers a convenient way of sharing entire cases among users, or
porting a case to a different computer or environment.
An EnCase package can contain the entire contents of a case, including the evidence and cache
files, or a subset of case-related items. You decide which case items to include when saving a
case package.
1. On the Home page, click Case > Create Package. The Create Package dialog is displayed.
2. The Create Package dialog offers several options for including case-related material in an
EnCase case package:
  - The default Copy option (shown above) includes only the Required Items for the
case file and the Primary Evidence Cache.
  - If you click the Archive option, all Packaged Items are automatically checked.
Although you gain the advantage of packaging all evidence files and the secondary
evidence cache, the package size can be extremely large.
  - If you click the Customize option, in the list of Packaged Items you can manually
check any combination of packaged items you want to include in the case package.
3. Save the case package to a folder. Either use the default folder path or click the browse
button to navigate to a different folder.
CHAPTER 4
CASE BACKUP
Overview 99
Overview
This chapter describes how to back up your cases and their related items, and how to restore a
case from backup.
The dashboard displays the following columns for each backup:
- Name
- Created
- Size
- Custom Name (if available)
- Comment (if available)
The dashboard shows a list of all available case backups and sorts them by the following types:
- Custom: This is a user created backup where you can provide a custom name and
comments. Custom backups are retained until explicitly deleted.
- Scheduled: A scheduled backup is created when you open a new case or schedule a
backup manually using the Create Scheduled option.
- Daily: Every scheduled backup that is closest to that day's local midnight is copied
and stored as a daily backup.
- Weekly: Every daily backup that is closest to that week's Sunday local midnight is
copied and stored as a weekly backup.
- Monthly: The daily backup closest to local midnight on the first day of the following
month is copied and stored as a monthly backup.
The following numbers of backups are retained:
- 48 scheduled backups
- Seven daily backups
- Five weekly backups
Monthly backups are kept until the maximum size allowed is exceeded. The oldest monthly
backups are deleted to stay under the maximum size allowed.
You can access the dashboard in three ways from the Case Backup option in the Case
dropdown menu:
- Use Current Case: Uses the backup location from the currently open and active case.
- Specify Case File: Reads from and uses the backup location from an unopened case file
through an open file dialog.
- Specify Backup Location: Uses the backup location specified by the user through a folder
dialog.
The last backup folder location, maximum amount of disk space, and enable/disable backup
are saved in the global settings and automatically populated when you create a new case.
- If you create a case with backup disabled, a dialog asks if you are sure you want to disable
backup for this case.
- A warning is displayed if the backup location is not a valid path.
- Choosing a backup and case folder on the same drive letter displays a warning asking if
you are sure you want to back up the case on the same drive as the case.
- Choosing a backup and evidence cache folder on the same drive letter displays a warning
asking if you are sure you want to back up the case on the same drive as the evidence
cache.
Note: It is good practice to have your backup in a different location from your
current data.
Automatic Backup
Since backups can take a significant amount of time, they occur in a background thread,
allowing you to continue with your work.
  - Select or clear the Backup every 30 minutes checkbox. The box is selected by
default.
  - Enter a Maximum case backup size (GB). The default is 50.
  - Enter or browse to the Backup location.
4. Click OK.
To modify case backup options, click Case > Case Backup > Use Current Case. For more
information, see Changing Case Backup Settings on the facing page.
1. Click Case > Case Backup > Use Current Case. The dashboard is displayed.
2. Click Create Custom.
CHAPTER 4 Case Backup 103
Deleting a Backup
To delete a backup:
1. Go to the dashboard using any of the options in the Case > Case Backup dropdown
menu. In the Backups directory, open the folder containing the backup you want to
delete.
2. Blue check the backup or backups you want to delete, then click Delete.
3. A warning message is displayed.
4. To continue, click OK. The selected backups are deleted.
4. You can:
  - Enable or disable backup every 30 minutes.
  - Set the Maximum case backup size (GB). If you enter a size below the current case
backup size, monthly backups are deleted to get below the new value. If not enough
monthly backups can be deleted, scheduled backup no longer occurs.
  - Designate the backup location. Changing the backup location enables the Do not
import existing backups checkbox, giving you the option not to migrate existing
backups to the new location.
1. Click Case > Case Backup > Specify Case File. The Open File dialog is displayed.
2. Select the case file you want, then click Open. The dashboard is displayed for the case file
you selected.
1. Click Case > Case Backup > Specify Backup Location. The Browse for Folder: Case Backup
Location dialog is displayed.
2. Navigate to the location you want for the backup, then click OK.
• Case file
• Everything in the case folder, except:
o Export folder
o Temp folder
o Evidence files (.E01, .L01, .Ex01, and .Lx01)
• Primary evidence cache (only those evidence caches referenced in the case)
• Secondary evidence cache (only those evidence caches referenced in the case)
• Dates, times, and sizes for all files
1. Open EnCase.
2. At the top left of the screen, click Case > Case Backup > Specify Backup Location.
3. Browse to the folder containing the backups, then click OK.
4. Select the case name in the left pane and click OK.
5. In the dashboard, select the folder in the Backups directory containing the backup you
want to restore.
6. Blue check a single backup, then click Restore.
7. The Restore Backup dialog is displayed. Click either Restore to original case locations
(default) or Restore to new locations, then click Next.
o If you click Restore to original case locations, the Name, Location, and Full case
path fields populate automatically and you cannot edit them. All other options are
disabled.
o If you click Restore to new locations, the Name, Location, and Full case paths fields
populate and you cannot edit them. However, all other options are enabled, and
you can change any of them.
Overview
With EnCase, you can directly process and analyze storage device and evidence file previews
with some limitations; however, if you want to use all of EnCase's processing and analysis
features, you need to perform a storage device or evidence file acquisition and save the
evidence in a standard format.
With EnCase, you can reacquire and translate raw evidence files into EnCase evidence files that
include CRC block checks, hash values, compression, and encryption. You can also add EnCase
evidence files created in other cases. EnCase can read from and write to current or legacy
EnCase evidence files and EnCase logical evidence files.
With the LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn
with EnCase, you can perform network crossover acquisitions.
This chapter provides detailed information about all types of EnCase acquisitions.
Sources of Acquisitions
EnCase can acquire the following sources:
• Previewed memory or local devices such as hard drives, memory cards, or flash drives.
Note: It is not uncommon on live systems for the on-disk image of a file system to differ
from its current state. In this event, we recommend flushing the operating system disk
cache using the Sync command.
• Evidence files supported by EnCase, including current EnCase evidence files (.Ex01), current
logical evidence files (.Lx01), legacy EnCase evidence files (.E01), and legacy logical evidence
files (.L01).
• DD images, SafeBack images, VMware files (.vmdk), or Virtual PC files (.vhd). You can use
these to create legacy EnCase evidence files and legacy logical evidence files, or you can
reacquire them in EnCase .Ex01 or .Lx01 format, adding encryption, new hashing options,
and improved compression.
• Single files dragged and dropped onto the EnCase user interface. These include ISO files,
which create .L01 or .Lx01 logical evidence files.
• Mobile devices, using the Acquire from Device selection in the Acquire Mobile menu.
• Mobile backup files, using the Acquire from File selection in the Acquire Mobile menu.
• Network crossover using LinEn and EnCase to create .E01 files or .L01 files. This strategy is
useful when you want to preview a device without disassembling the host computer. This
is usually the case for a laptop, a machine running a RAID, or a machine running a device
with no available supporting controller.
• Online email and file storage repositories, such as Microsoft Exchange, Microsoft
SharePoint, Dropbox, and Google Drive.
• LinEn for disk-to-disk acquisitions that do not require a hardware write blocker.
• WinEn for acquiring physical memory from a live Windows computer.
• Tableau Forensic Duplicators (TD1, TD2, and TD3).
Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, you can restart the
acquisition.
1. At the bottom right corner of the main window, double click the Thread Status line. The
Thread Status dialog is displayed.
2. Click Yes. The acquisition is canceled. You can restart it at a later time.
You can also cancel remote acquisitions using the Remote Acquisition Monitor.
See Monitoring a Remote Acquisition on page 1.
Legacy EnCase evidence files (.E01) are a byte-for-byte representation of a physical device or
logical volume. You can create and save logical evidence files in the .L01 format in order to be
compatible with legacy versions of EnCase (versions prior to EnCase 7). The .E01 format can be
password protected.
EnCase evidence files provide forensic-level metadata, the device-level hash value, and the
content of an acquired device.
Drag and drop an .E01 or .Ex01 file anywhere in the EnCase interface to add it to the currently
opened case.
Legacy logical evidence files (.L01) are created from previews, existing evidence files, or mobile
device acquisitions. These are typically created after an analysis locates some files of interest.
For forensic reasons, they are kept in a forensic container. Encryption is not available for legacy
logical evidence files. You can create and save logical evidence files in the .L01 format in order
to be compatible with legacy versions of EnCase (versions prior to EnCase 7).
When an .L01 or .Lx01 file is verified, the stored hash value is compared to the entry's current
hash value.
• If the hash of the current content does not match the stored hash value, the hash is
followed by an asterisk (*).
• If no content for the entry was stored upon file creation, but a hash was stored, the hash
is not compared to the empty file hash.
• If no hash value was stored for the entry upon file creation, no comparison is done, and a
new hash value does not populate.
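The three verification rules above, as an added example in Python (not EnCase code). The entry model, the MD5 choice, and the sample entries are constructed for the demo and are not the real .L01/.Lx01 on-disk layout.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LogicalEntry:
    """One entry of a logical evidence file. Constructed model of what the verification
    rules need (name, stored hash, stored content); not the real .L01/.Lx01 layout."""
    name: str
    stored_hash: Optional[str]    # hash recorded when the file was created, or None
    content: Optional[bytes]      # content stored at creation, or None (hash-only entry)


def content_hash(data: bytes) -> str:
    """Hash used for comparison; MD5 is an assumption for the demo, not a claim about EnCase."""
    return hashlib.md5(data).hexdigest()


def verify_entry(entry: LogicalEntry) -> Optional[str]:
    """Apply the three verification rules. Returns the hash as it would be displayed:
    unchanged, suffixed with '*' on mismatch, or None when no hash is populated."""
    if entry.stored_hash is None:          # rule 3: nothing stored, so no comparison and no new hash
        return None
    if entry.content is None:              # rule 2: hash stored without content; do not compare
        return entry.stored_hash           #         it against the hash of an empty file
    if content_hash(entry.content) != entry.stored_hash:
        return entry.stored_hash + "*"     # rule 1: current content no longer matches
    return entry.stored_hash


def verify_all(entries: List[LogicalEntry]) -> Dict[str, Optional[str]]:
    """Displayed hash per entry name."""
    return {e.name: verify_entry(e) for e in entries}


def mismatched_entries(entries: List[LogicalEntry]) -> List[str]:
    """Names of entries whose displayed hash carries the asterisk."""
    return [name for name, h in verify_all(entries).items() if h and h.endswith("*")]


# Constructed sample entries covering all three rules plus the intact case.
CONTENT = b"constructed document body"
ENTRIES = [
    LogicalEntry("intact.docx", content_hash(CONTENT), CONTENT),
    LogicalEntry("tampered.docx", content_hash(CONTENT), CONTENT + b"!"),
    LogicalEntry("hash-only.docx", content_hash(CONTENT), None),
    LogicalEntry("unhashed.docx", None, CONTENT),
]

if __name__ == "__main__":
    for name, shown in verify_all(ENTRIES).items():
        print(f"{name:16s} {shown}")
```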
Before you can acquire raw image files, you must add them to a case. Raw image files are
converted to EnCase evidence files during the acquisition process, adding CRC checks and hash
values if selected.
Single Files
To add folders and single files to a case, either drag and drop them onto the EnCase interface
from Windows Explorer, or use the Edit Single Files dialog. Once you add a file or folder to a
case, the evidence page displays an item in the table for Single Files. Files and folders display in
a tree structure subordinate to Single Files when displayed in the Entries view.
Note: If you encounter difficulty adding single files from a mapped drive, try
dragging and dropping the file from the UNC path.
1. To protect the local machine from changing the contents of the drive while its content is
being acquired, use a write blocker. See Using a Write Blocker on page 146.
2. Verify that the device being acquired shows in the Tree pane or the Table pane as write
protected.
EnCase Forensic collects the emails from these services into a logical evidence file, which can be
imported directly into your case.
Configuration for your collection varies depending on version and whether the repository is
cloud-based or on-premises. Credentials used for authentication are for the service account,
not the user whose emails you are collecting.
For the latest versions of all supported software, refer to the most current EnCase Forensic
Release Notes.
Mail is collected from the top level folders and their subfolders, including user-defined folders.
The predefined folders include: Inbox, Outbox, Sent, Drafts, Deleted Items, Junk Email,
Quarantine, and Archive. In-Place Archives may also optionally be collected.
• Appointments and meetings (with the exception of meeting messages, meeting requests,
meeting cancellations, and meeting responses)
Access to a user's email requires a service account with membership in the appropriate role
group and with the correct permissions. This service account performs the acquisition of the
user's email. To configure a service account, see Configuring for collections from Exchange 2013
and later on page 119.
1. Create or open a case and click Add Evidence > Acquire > Email from the case home
page. The Acquire Email dialog is displayed.
2. Select Exchange Server 2013 or Later from the drop down box.
Note: To acquire data from a cloud repository you must click the checkbox to
acknowledge that additional authorization may be needed to acquire data from
cloud-based storage.
4. Double-click the name or value in each row of the table on the right to set or change a
value.
The box to the right of the table provides information about the highlighted name, its
description, whether or not a value is required or optional, and the name of the
connector used by the service.
o Service URL - The address of your Exchange server. Enter the address of your
Exchange server if your organization has Exchange server on premises. Use the
default value if your Exchange server is hosted by Microsoft in the cloud.
o Administrator Login - Enter the login of the service account.
o Administrator Password - Enter the password of the service account.
o Mailbox to investigate - Enter the user email address you are collecting email
from.
o Ignore Certificate Errors - Ignore certificate errors encountered when connecting
(Default: 5)
o Maximum Delay - The maximum delay in milliseconds for timeouts in exponential
7. Enter or browse to the path for the folder you want the output files to be saved
in. Clicking the browse button displays the Output Evidence File dialog.
Configuring the Service Account for Collection from Exchange 2013 and Later
You must use a user account that is email enabled because a collection job requires an account
with a mailbox.
A service account is required to access and acquire email from Microsoft Exchange 2013 or
Later or Microsoft Exchange Office 365.
1. Add the service account via the command line. The following command adds
serviceaccount1 to the Discovery Management role group:
When collecting from a Microsoft Exchange server (either on premises or in the cloud) it is
possible for the server to delay, or throttle, the data requests. Throttling is governed by set
policies and parameters on the server. These policies and parameters can be modified for the
on-premises servers. For cloud-based repositories, however, Microsoft alone decides what the
governing policies for throttling will be. To collect complete data sets from Exchange servers
without interruption, the throttling functionality waits for a set period of time before retrying a
given call if it encounters a throttling error. After the initial delay has expired, the connector
tries the throttled call again. If it is throttled again, the second wait period is twice the size of
the initial delay. Once the second wait period has expired, the connector tries the throttled call
yet again. This pattern continues until maximum delay is reached, which is the total amount of
wait time. If the call is still throttled once the maximum delay has been reached, an error
message is returned. Otherwise the entire throttling functionality works transparently.
The waiting period can be configured through the global settings of EnCase Forensic, through
case settings, or in the Email Properties dialog when setting up an acquisition from Microsoft
Exchange 2013 or Later. The initial and maximum throttling delays are set to default values of
5 and 315 seconds, respectively, and are the optimal values for most collections.
Data Types
Mail is collected from the top level folders and their subfolders, including user-defined folders.
The predefined folders include: Inbox, Outbox, Sent, Drafts, Deleted Items, Junk Email,
Quarantine, and Archive. The collector also retrieves Recoverable Items, including its
subfolders, excluding Audits. It may optionally collect In-Place Archives and their subfolders
(Top of Information Store and Recoverable Items, with their subfolders).
You can collect the following item types from Office 365 Exchange servers:
• Events on calendars
1. Create or open a case and click Add Evidence > Acquire > Email from the case home
page. The Acquire Email dialog is displayed.
2. Select Microsoft Office 365 from the drop down box.
Note: To acquire data from Microsoft Office 365 you must click the checkbox to
acknowledge that additional authorization may be needed to acquire data from
cloud-based storage.
4. Double-click the name or value in each row of the table on the right to set or change a
value.
The box to the right of the table provides information about the highlighted name, its
description, whether or not a value is required or optional, and the name of the
connector used by the service.
o Tenant - Enter your organization's tenant name. The format is
<tenantname>.onmicrosoft.com.
o Client ID - Enter the Client ID associated with the tenant account.
o Client Secret - Enter the Client Secret associated with the tenant account.
o Mailbox to investigate - Enter the user email address you are collecting email
from.
o Ignore Certificate Errors - Ignore certificate errors encountered when accessing
backoff.
5. When you have set all values, click Test Connection. A valid connection is required. When
a connection is confirmed, the Next button becomes active.
6. Click Next. The Output Options dialog is displayed.
7. Enter or browse to the path for the folder you want the output files to be saved
in. Clicking the browse button displays the Output Evidence File dialog.
Obtain the Client ID and Client Secret by registering a new application on the
portal.azure.com site. The Client ID is called Application (client) ID within Azure
and has the format, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
Add a permission to your application. Select the Microsoft Graph API, and the Application
permissions type. Add the following permissions: Mail.Read, Mail.ReadBasic,
Mail.ReadBasic.All, Calendars.Read, and User.Read.All. Once the permissions are
added, grant admin consent to the application.
Once the application is ready, use the Client ID, Client Secret, and Tenant value to collect from
email accounts and/or sites in this tenant.
When collecting from an Exchange Server it is possible for the server to delay, or throttle, the
data requests. Throttling is governed by set policies and parameters on the server. These
policies and parameters can be modified for the on-premises servers. For cloud-based
repositories, however, Microsoft alone decides what the governing policies for throttling will
be. To collect complete data sets from Exchange servers without interruption, the throttling
functionality waits for a set period of time before retrying a given call if it encounters a
throttling error. After the initial delay has expired, the connector tries the throttled call again. If
it is throttled again, the second wait period is twice the size of the initial delay. Once the
second wait period has expired, the connector tries the throttled call yet again. This pattern
continues until maximum delay is reached, which is the total amount of wait time. If the call is
still throttled once the maximum delay has been reached, an error message is returned.
Otherwise the entire throttling functionality works transparently.
The waiting period can be configured in the Email Properties dialog when setting up an
acquisition from Exchange Office 365. The initial and maximum throttling delays are set to
default values of 5 and 315 seconds, respectively, and are the optimal values for most
collections.
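The retry pattern described in the two throttling passages above (for Exchange 2013 or Later and for Exchange Office 365), as an added Python example that is not EnCase's connector code. It reads "maximum delay" as the total wait budget, which the defaults bear out: 5 + 10 + 20 + 40 + 80 + 160 = 315 seconds; the fake server and the exception names are constructed for the demo.

```python
import time
from typing import Callable, List, Tuple


class ThrottledError(Exception):
    """Raised by a connector call when the server answers with a throttling error (constructed)."""


class ThrottleBudgetExhausted(Exception):
    """Raised when the call is still throttled after the maximum delay has been spent."""
    def __init__(self, attempts: int, waited: float):
        super().__init__(f"still throttled after {attempts} attempts and {waited:g} s of waiting")
        self.attempts, self.waited = attempts, waited


def backoff_schedule(initial_delay: float, maximum_delay: float) -> List[float]:
    """Wait periods between retries: the initial delay, doubled each time, for as long as
    the cumulative wait stays within maximum_delay (read here as the total wait budget)."""
    waits, total, delay = [], 0.0, float(initial_delay)
    while total + delay <= maximum_delay:
        waits.append(delay)
        total += delay
        delay *= 2
    return waits


def call_with_throttle_backoff(call: Callable[[], object], initial_delay: float,
                               maximum_delay: float,
                               sleep: Callable[[float], None] = time.sleep) -> Tuple[object, int, float]:
    """Invoke call(); on ThrottledError wait per the schedule and retry. Returns
    (result, attempts, seconds_waited) or raises ThrottleBudgetExhausted."""
    schedule = backoff_schedule(initial_delay, maximum_delay)
    waited = 0.0
    for attempt in range(1, len(schedule) + 2):   # one initial try plus one retry per wait period
        try:
            return call(), attempt, waited
        except ThrottledError:
            if attempt > len(schedule):
                raise ThrottleBudgetExhausted(attempt, waited)
            sleep(schedule[attempt - 1])
            waited += schedule[attempt - 1]
    raise AssertionError("unreachable: loop always returns or raises")


class FakeExchangeServer:
    """Constructed stand-in for a throttling Exchange endpoint: rejects the first
    `throttle_count` requests for a folder, then returns its items."""
    def __init__(self, throttle_count: int):
        self.throttle_count = throttle_count
        self.calls = 0

    def fetch_folder(self) -> List[str]:
        self.calls += 1
        if self.calls <= self.throttle_count:
            raise ThrottledError("server busy")
        return ["message-1", "message-2"]


def simulate(throttle_count: int, initial_delay: float = 5,
             maximum_delay: float = 315) -> Tuple[str, int, float]:
    """Run one folder collection against the fake server with sleeping replaced by
    bookkeeping; returns (outcome, attempts, seconds that would have been waited)."""
    server = FakeExchangeServer(throttle_count)
    try:
        _, attempts, waited = call_with_throttle_backoff(
            server.fetch_folder, initial_delay, maximum_delay, sleep=lambda _s: None)
        return "ok", attempts, waited
    except ThrottleBudgetExhausted as exc:
        return "failed", exc.attempts, exc.waited


if __name__ == "__main__":
    print(backoff_schedule(5, 315))      # [5.0, 10.0, 20.0, 40.0, 80.0, 160.0], sums to 315
    for n in (0, 3, 6, 7):
        print(f"throttled {n} times ->", simulate(n))
```

With the defaults a collection survives up to six consecutive throttling responses; the seventh turns into the error message the guide describes.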
EnCase Forensic collects the files from these services into a logical evidence file, which can be
imported directly into your case.
Configuration for your collection varies depending on version and whether the repository is
cloud-based or on-premises. Credentials used for authentication are for the service account,
not the user whose documents you are collecting.
For the latest versions of all supported software, please refer to the most current EnCase
Forensic Release Notes.
You can collect document and picture libraries, and their subtypes, from SharePoint 2013 or
later. Both online and on-premises servers are supported.
If the user does not have Administrative privileges (Full Access), the SharePoint administrator
must give the user the following permissions (by adding a new Permission Policy Level):
List Permissions:
• Add Items
• Edit Items
• Delete Items
• View Items
• Open Items
• View Versions
• Delete Versions
Site Permissions:
• Browse Directories
• View Pages
• Use Remote Interfaces
• Open
When collecting from on-premises SharePoint 2013 and SharePoint 2016 servers, you can use
integrated Windows authentication for the current logged in user. Clicking the Default
Authorization check box means the security context of the current Windows logged in user is
used to authenticate access to the SharePoint server. These are the Windows credentials (user
name, password, and domain) of the user running the application.
1. Create or open a case and click Add Evidence > Acquire > Storage from the case home
page. The Acquire Storage dialog is displayed.
2. Select SharePoint 2013 or Later from the drop down box.
Note: To acquire data from a cloud repository you must click the checkbox to
acknowledge that additional authorization may be needed to acquire data from
cloud-based storage.
4. Double-click the name or value in each row of the table on the right to set or change a
value.
The box to the right of the table provides information about the highlighted name, its
description, whether or not a value is required or optional, and the name of the
connector used by the service.
o Service URL - The address of your SharePoint server. Enter the address of your
SharePoint server if your organization has SharePoint on premises. Use the
default value if your SharePoint server is hosted by Microsoft in the cloud.
o Login - Enter the login of the service account.
o Password - Enter the password of the service account.
o Collect Document Versions - Collect all versions of the document (Yes/No).
o Is Online Repository - Is the repository you are collecting online? (Yes/No).
o Is Default Authorization - Use the default authorization? (Yes/No).
o Use SSL - Use the Secure Sockets Layer protocol (Yes/No).
o Repository URL - The URL of the repository you are collecting. (for example,
/sites/teamsite1)
o Ignore Certificate Errors - Ignore certificate errors encountered when connecting
7. Enter or browse to the path for the folder you want the output files to be saved
in. Clicking the browse button displays the Output Evidence File dialog.
You can collect document and picture libraries, and their subtypes, from SharePoint Office 365
OneDrive.
1. Create or open a case and click Add Evidence > Acquire > Storage from the case home
page. The Acquire Storage dialog is displayed.
2. Select SharePoint Office 365 OneDrive from the drop down box.
Note: To acquire data from a cloud repository you must click the checkbox to
acknowledge that additional authorization may be needed to acquire data from
cloud-based storage.
4. Double-click the name or value in each row of the table on the right to set or change a
value.
The box to the right of the table provides information about the highlighted name, its
description, whether or not a value is required or optional, and the name of the
connector used by the service.
o Tenant - Enter your organization's tenant name. The format is
<tenantname>.onmicrosoft.com.
o Client ID - Enter the Client ID associated with the tenant account.
o Client Secret - Enter the Client Secret associated with the tenant account.
o Collect Document Versions - Collect all versions of the document (Yes/No).
o Drive to investigate - Enter the user email address of the user OneDrive you are
collecting from.
5. When you have set all values, click Test Connection. A valid connection is required. When
a connection is confirmed, the Next button becomes active.
6. Click Next. The Output Options dialog is displayed.
7. Enter or browse to the path for the folder you want the output files to be saved
in. Clicking the browse button displays the Output Evidence File dialog.
You can collect document and picture libraries, and their subtypes, from SharePoint Office 365.
1. Create or open a case and click Add Evidence > Acquire > Storage from the case home
page. The Acquire Storage dialog is displayed.
2. Select SharePoint Office 365 from the drop down box.
Note: To acquire data from a cloud repository you must click the checkbox to
acknowledge that additional authorization may be needed to acquire data from
cloud-based storage.
4. Double-click the name or value in each row of the table on the right to set or change a
value.
The box to the right of the table provides information about the highlighted name, its
description, whether or not a value is required or optional, and the name of the
connector used by the service.
companyname.sharepoint.com/sites/teamSite1.
5. When you have set all values, click Test Connection. A valid connection is required. When
a connection is confirmed, the Next button becomes active.
6. Click Next. The Output Options dialog is displayed.
7. Enter or browse to the path for the folder you want the output files to be saved
in. Clicking the browse button displays the Output Evidence File dialog.
To collect from SharePoint Office 365 and OneDrive, permissions are set in Microsoft Azure
using the Client Credentials (OAuth2 Client Credentials flow) security model. An Access Token is
created when you provide Tenant, Client ID, and Client Secret values. This token is included
with every SharePoint Office 365 API call for collection.
Obtain the Client ID and Client Secret by registering a new application on the
portal.azure.com site. The Client ID is called Application (client) ID within Azure
and has the format, xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
Add a permission to your application. Select the Microsoft Graph API, and the Application
permissions type. Add the following permissions: Files.Read.All, Sites.Read.All, and
User.Read.All. Once the permissions are added, grant admin consent to the application.
Once the application is ready, use the Client ID, Client Secret, and Tenant value to collect from
sites and/or user accounts.
• Dropbox
• Google Drive
EnCase Forensic collects the files from these services into a logical evidence file, which can be
imported directly into your case.
Files collected from Dropbox and Google Drive file storage services require specific permissions
and configuration.
For the latest versions of all supported software, please refer to the most current EnCase
Forensic Release Notes.
1. Create or open a case and click Add Evidence > Acquire > Storage from the case home
page. The Acquire Storage dialog is displayed.
2. Select Dropbox from the drop down box.
Note: To acquire data from a cloud repository you must click the checkbox to
acknowledge that additional authorization may be needed to acquire data from
cloud-based storage.
4. Double-click the name or value in each row of the table on the right to set or change a
value.
The box to the right of the table provides information about the highlighted name, its
description, whether or not a value is required or optional, and the name of the
connector used by the service.
o Access Token - The access token generated when you create an application in
Dropbox.
o Personal Account - Is the account to investigate a personal account? Enter Yes for
5. When you have set all values, click Test Connection. A valid connection is required. When
a connection is confirmed, the Next button becomes active.
6. Click Next. The Output Options dialog is displayed.
7. Enter or browse to the path for the folder you want the output files to be saved
in. Clicking the browse button displays the Output Evidence File dialog.
PERSONAL ACCOUNTS
The access token created by the Admin account can be used to collect from all the team
member accounts, including the Admin team account. However, this access token cannot be
used to collect from any member's personal account. To collect from a personal account, you
need to log in as the owner of the personal account and create a separate application.
1. Create or open a case and click Add Evidence > Acquire > Storage from the case home
page. The Acquire Storage dialog is displayed.
2. Select Google Drive from the drop down box.
Note: To acquire data from a cloud repository you must click the checkbox to
acknowledge that additional authorization may be needed to acquire data from
cloud-based storage.
4. Double-click the name or value in each row of the table on the right to set or change a
value.
The box to the right of the table provides information about the highlighted name, its
description, whether or not a value is required or optional, and the name of the
connector used by the service.
o Cloud Service Account - The service account created to access Google Drive. See
(Yes/No).
o Ignore Certificate Errors - Ignore certificate errors encountered when accessing
7. Enter or browse to the path for the folder you want the output files to be saved
in. Clicking the browse button displays the Output Evidence File dialog.
2. Create a project.
3. In the sidebar on the left, select APIs & auth.
4. Make sure the Drive API status is set to ON.
5. In the sidebar on the left, select Registered apps. This takes you to the application's
credentials page.
6. Expand the Certificate section and select Generate Certificate. In the Generate Certificate
dialog that is displayed, select Download private key.
o After the download is complete, save the private key file. You will need this file to
create a Google Drive Source.
o Note the Client ID. You will need it to grant permissions.
o Note the email address of the service account. You will need it to create a Google
Drive Source in the EnCase product.
The service account now grants domain-wide access to the Google Drive API for all users of the
domain.
3. Enter a bookmark folder name or accept the default, then click OK.
• Tableau
• LinEn when the Linux distribution used supports Direct ATA mode
The application shows if a DCO area exists in addition to the HPA area on a target drive.
HPA is a special area located at the end of a disk. It is usually configured so the casual observer
cannot see it, and so it can be accessed only by reconfiguring the disk. HPA and DCO are
extremely similar: the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a
removed HPA at reboot. When supported, EnCase applications see both areas if they coexist
on a hard drive.
Note: If you choose to remove a DCO, it will make a permanent change to the drive
controller of the device.
• Tableau T35es
• Tableau T35es-RW
• Tableau T4
• Tableau T6es
• Tableau T8-R2
• Tableau T9
• FastBloc FE
• FastBloc 2 FE v1
• FastBloc 2 FE v2
• FastBloc LE
• FastBloc 2 LE
• FastBloc 3 FE
Computer investigations require a fast, reliable means to acquire digital evidence. These are
hardware write blocking devices that enable the safe acquisition of subject media in Windows
to an EnCase evidence file. Before write blockers were developed, non-invasive acquisitions
were exclusively conducted in cumbersome command line environments.
The hardware versions of these write blockers are not standalone products. When attached to
a computer and a subject hard drive, a write blocker provides investigators with the ability to
quickly and safely preview or acquire data in a Windows environment. The units are
lightweight, self-contained, and portable for easy field acquisitions, with on-site verification
immediately following the acquisition.
Media that Windows cannot write to are safe to acquire from within Windows, such as CD-
ROMs, write protected floppy diskettes, and write protected USB thumb drives.
Drive Control Overlay (DCO). Only Direct ATA Mode can review and acquire these areas.
Ensure LinEn is configured as described in LinEn Setup Under SUSE on page 678, autofs is
disabled (cleared), and Linux is running in Direct ATA Mode.
• Spanned
• Mirrored
• Striped
• RAID-5
• RAID-10
• Basic
Software RAID
EnCase applications support these software RAIDs:
RAID-10
RAID-10 arrays require at least four drives, implemented as a striped array of RAID-1 arrays.
• As one drive.
• As separate drives.
• Spanned
• Mirrored
• Striped
• RAID 5
• Basic
The information detailing the types of partitions and the specific layout across multiple disks is
contained in the registry of the operating system. EnCase applications can read this registry
information and resolve the configuration based on the key. The application can then virtually
mount the software disk configuration in the EnCase case.
Acquire the drive containing the operating system. It is likely that this drive is part of the disk
configuration set, but in the event it is not—such as the disk configuration being used for
storage purposes only—acquire the OS drive and add it to the case along with the disk
configuration set drives.
To make a backup disk on the subject machine, use Windows Disk Manager and select Backup
from the Partition option.
This creates a backup disk of the disk configuration information, placing the backup on a CD or
DVD. You can then copy the file into EnCase using the Single Files option, or you can acquire
the CD or DVD and add it to the case. The case must have the disk configuration set drives
added to it as well. This process works only if you are working with a restored clone of a
subject computer. A registry backup disk may also already exist at that location.
1. Select the device containing the registry or the backup disk and all devices which are
members of the RAID.
2. Click the Open button to go to the Entry view of the Evidence tab.
3. Select the disk containing the registry, then click the dropdown menu on the upper right
menu of the Evidence tab.
4. Select Device, then select Scan Disk Configuration.
At this point, the application attempts to build the virtual devices using information from the
registry key.
• RAID 1 (mirror)
• RAID 10
Note: EnCase Forensic Imager does not support partial reconstruction of RAIDs.
After parsing, all RAID devices must have full descriptors or the process will fail.
Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003
Server, Windows Vista, Windows 2008 Server, Windows 7, Windows 8, and Windows 2008
Server R2. The information pertinent to building the configuration resides at the end of the
disk rather than in a registry key. Therefore, each physical disk in this configuration contains
the information necessary to reconstruct the original setup. EnCase applications read the
Dynamic Disk partition structure and resolve the configurations based on the information
extracted.
If the resulting disk configurations seem incorrect, you can manually edit them:
Note: The LinEn boot disk for the subject computer needs to have Linux drivers for
that particular RAID controller card.
4. Acquire the disk configuration as you normally acquire a single hard drive, depending on
the means of acquisition. Crossover network cable or drive-to-drive acquisition is
straightforward, as long as the set is acquired as one drive.
If the physical drives were acquired separately, or could not be acquired in the native
environment, EnCase applications can edit the hardware set manually.
- Stripe size
- Start sector
- Length per physical disk
- Whether the striping is right handed
You can collect this data from the BIOS of the controller card for a hardware set, or from the
registry for software sets.
When a RAID-5 consists of three or more disks and one disk is missing or bad, the application
can still rebuild the virtual disk using parity information from the other disks in the
configuration, which is detected automatically during the reconstruction of hardware disk
configurations using the Scan Disk Configuration command.
When rebuilding a RAID from the first two disks, results from validating parity are meaningless,
because you create the parity to build the missing disk.
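The four parameters listed above (stripe size, start sector, length per member, and handedness) are all that is needed to reassemble a RAID-5 set and to regenerate one missing member from parity. The following Python is an added example on constructed member images, not EnCase code; it assumes the asymmetric rotation layout (parity moves one member per stripe row, data chunks fill the remaining members in order) and 512-byte sectors.

```python
"""RAID-5 reassembly with one missing member, rebuilt from XOR parity.
Added example on constructed data; not code from EnCase Forensic."""
from functools import reduce
from typing import List, Optional

SECTOR = 512  # bytes per sector (assumption)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings: RAID-5 parity, and also the rebuild of one lost chunk."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def parity_member(row: int, n_members: int, right_handed: bool) -> int:
    """Which member holds parity for stripe row `row`.
    Right-handed: parity starts on member 0 and rotates toward higher members;
    left-handed: parity starts on the last member and rotates toward member 0."""
    return row % n_members if right_handed else (n_members - 1 - row) % n_members


def raid_region(member: bytes, start_sector: int, length_sectors: int) -> bytes:
    """Slice the part of a physical member that belongs to the set (start sector + length)."""
    return member[start_sector * SECTOR:(start_sector + length_sectors) * SECTOR]


def rebuild_missing_member(regions: List[Optional[bytes]]) -> List[bytes]:
    """Regenerate exactly one missing member (None) as the XOR of all the others.
    Stripe layout is irrelevant here because every row's chunks XOR to zero."""
    missing = [i for i, r in enumerate(regions) if r is None]
    if len(missing) != 1:
        raise ValueError("RAID-5 parity can regenerate exactly one missing member")
    present = [r for r in regions if r is not None]
    out = list(regions)
    out[missing[0]] = xor_blocks(present)
    return out


def assemble_virtual_disk(regions: List[bytes], stripe_size: int, right_handed: bool) -> bytes:
    """Concatenate the data chunks of every stripe row, skipping the rotating parity chunk."""
    n = len(regions)
    rows = len(regions[0]) // stripe_size
    out = bytearray()
    for row in range(rows):
        p = parity_member(row, n, right_handed)
        for m in range(n):
            if m != p:
                out += regions[m][row * stripe_size:(row + 1) * stripe_size]
    return bytes(out)


def parity_errors(regions: List[bytes], stripe_size: int) -> List[int]:
    """Rows whose chunks do not XOR to zero (layout-independent, so no handedness needed).
    After rebuild_missing_member() this is always empty, which is why validating parity on
    a set rebuilt from the surviving members proves nothing."""
    rows = len(regions[0]) // stripe_size
    bad = []
    for row in range(rows):
        chunks = [r[row * stripe_size:(row + 1) * stripe_size] for r in regions]
        if any(xor_blocks(chunks)):
            bad.append(row)
    return bad


def build_sample_set(virtual: bytes, stripe_size: int, n_members: int,
                     right_handed: bool, header: bytes) -> List[bytes]:
    """Constructed test data: stripe a virtual disk across n members with rotating parity,
    prefixing each member with a non-RAID header so the start sector is non-zero."""
    members = [bytearray(header) for _ in range(n_members)]
    rows = len(virtual) // (stripe_size * (n_members - 1))
    pos = 0
    for row in range(rows):
        p = parity_member(row, n_members, right_handed)
        chunks = {}
        for m in range(n_members):
            if m != p:
                chunks[m] = virtual[pos:pos + stripe_size]
                pos += stripe_size
        chunks[p] = xor_blocks([chunks[m] for m in range(n_members) if m != p])
        for m in range(n_members):
            members[m] += chunks[m]
    return [bytes(m) for m in members]


def demo(right_handed: bool = True) -> bool:
    """Build a 3-member set, drop member 1, rebuild it, and compare with the original."""
    stripe, start, length = 512, 1, 6          # 1-sector stripes, 1 header sector, 6 rows
    virtual = bytes((i * 7 + 3) & 0xFF for i in range(stripe * 2 * length))
    members = build_sample_set(virtual, stripe, 3, right_handed, b"\xEE" * SECTOR)
    regions = [raid_region(m, start, length) for m in members]
    degraded = [regions[0], None, regions[2]]   # member 1 is missing or bad
    rebuilt = rebuild_missing_member(degraded)
    return assemble_virtual_disk(rebuilt, stripe, right_handed) == virtual


if __name__ == "__main__":
    print("rebuild from two surviving members:", demo(True), demo(False))
```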
1. Select Add Evidence File from the Add Evidence view of the Home tab, or click the Add
Evidence dropdown menu while in the Evidence tab and select Add Evidence File.
2. The Add Evidence File dialog is displayed. Use the dropdown menu at the bottom right
corner of the dialog to change to the appropriate file extension for your evidence or
choose the All Evidence Files option.
3. Navigate to the location of your evidence and select the first file of the evidence set as
you would for EnCase evidence files, then click Open.
1. A FAT16 partition must exist on the examiner machine where you will Copy/Unerase the
DriveSpace volume. You can create a FAT16 partition only with a FAT16 operating system
(such as Windows 95).
2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using
format.exe.
3. Image the DriveSpace volume.
4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or
DRVSPACE.000.
5. Right-click the file and copy/unerase it to the FAT16 partition on the storage computer.
6. In Windows 98, click Start > All Programs > Accessories > System Tools > DriveSpace.
7. Launch DriveSpace.
8. Select the FAT16 partition containing the compressed “.000” file.
9. Select Advance Mount > DRVSPACE.000, then click OK, noting the drive letter assigned to
it. The Compressed Volume File (.000) from the previous drive is now seen as folders and
files in a new logical volume.
10. Acquire this new volume.
11. Create the evidence file and add to your case. You can now view the compressed drive.
Reacquiring Evidence
When you have a raw evidence file generated outside an EnCase application, reacquiring it
results in the creation of an EnCase evidence file containing the content of the raw evidence file
and providing the opportunity to hash the evidence, add case metadata, and CRC block
checks.
You can move EnCase evidence files into a case even if they were acquired elsewhere. Make
sure all segments of the evidence file set are in the same folder. Using Windows Explorer,
navigate to the location of the EnCase evidence files. Drag the first file of the set onto the open
instance of EnCase and the remaining files will automatically be added, reassembling the
evidence in your new case.
You may also want to reacquire an existing EnCase evidence file to change the compression
settings or the file segment size.
3. Drag and drop the raw images to be acquired. The raw images to be added are listed in
the Component Files list. For DD images or other raw images consisting of more than one
segment, the segments must all be added in their exact order from first to last.
4. Click the Generate true GUID checkbox for EnCase to generate a unique GUID if a match
is found.
5. Accept the defaults in the Add Raw Image dialog or change them as desired, then click
OK.
6. A Disk Image object is displayed in the Evidence tab.
7. You can reacquire this image as you would any other supported evidence or previewed
device.
Restoring a Drive
The following steps describe how to restore a drive.
Note: Before you begin, you first need to add evidence to the case.
1. From the EnCase top toolbar, select the Evidence option from the View dropdown.
2. In the Table view, click the evidence file with the device you want to restore.
3. From the Device dropdown on the Evidence tab menu, select Restore. The Restore dialog
is displayed.
4. Click Next to collect local hard drives.
5. In the Local Devices list, click the drive you want to restore.
6. Click Next. The Drives dialog is displayed.
7. Select options for wiping and verification.
8. Click Finish.
9. A dialog is displayed asking you to verify the local drive selection. To verify you are
restoring to the correct drive enter Yes, then click OK.
The bar in the lower right corner of the screen tracks the progress of the restore.
Wiping a Drive
You can use the Wipe Drive utility in EnCase Forensic to completely overwrite a drive with a
wipe character you choose.
To wipe a drive:
1. From the EnCase top toolbar, select the Wipe Drive option from the Tools dropdown.
The Wipe Drive dialog is displayed.
2. Select Next to list local drives. A list of drives is displayed.
3. Click the checkbox of the devices to wipe and click Next. The Drives dialog is displayed.
4. Select the Verify wiped sectors checkbox to verify wiped sectors (checked by default).
5. Enter a wipe character hex value or use the 00 default value.
6. Click Finish to initiate the wipe process.
7. A dialog displays a warning that all information on the selected device(s) will be
destroyed. Enter Yes in the text box and click OK.
EnCase initiates the drive wipe process. The bar in the lower right corner of the application
tracks the progress of the wipe.
CHAPTER 6
PROCESSING EVIDENCE
Overview
The Evidence Processor is a component within EnCase that processes evidence files in a large
production environment. The Evidence Processor lets you run, in a single automated session,
a collection of powerful analytic tools against your case data. It can optimize the order and
combinations of processing operations while running this multi-threaded process.
The Evidence Processor runs unattended. As it works in the background, you can continue to
work with your case. The output of the Evidence Processor is stored on disk rather than
memory for each device, so you can process multiple devices across several computers
simultaneously. You can then bring all evidence back together into a case with no commingling
of evidence data. By storing cache files on disk, you can scale to much larger data sets. As you
reopen cases, you do not need to wait for data to resolve.
A standalone product, the EnCase Processor node, functions in the same way as the Evidence
Processor. Rather than installing separate instances of EnCase Investigator to perform
"processing only" on multiple machines, you can install separate EnCase Processor nodes
instead. For information on installing EnCase Processor, see Installing and Configuring EnCase
on page 27. All references to the Evidence Processor apply to EnCase Processor.
If you worked with a previous version of EnCase, you can continue to work cases using the
methodology you developed for that previous version.
- Folder recovery
- Hash analysis
- Compound file expansion
- Email search
- Internet artifact search
- Keyword search
- Index creation (not available for local previews)
- EnScript Module execution:
  - Parsing system information
  - Instant messaging
  - File carving
  - Other EnScript modules
- If you are previewing a local or network device, you can run most Evidence Processor
options before you acquire it. Text indexing is not available from a preview. To run all
Evidence Processor options, you must acquire the device.
- We recommend installing 64-bit EnCase whenever possible. Large files may cause the
32-bit version of EnCase Evidence Processor to run out of memory.
- Confirm that time zone settings are configured properly. Note that if no time zone is set
for the evidence, EnCase uses the time zone setting of the examiner workstation. For
more information, see Configuring Time Zone Settings on page 54.
After you add evidence to your case and configure the time zone settings:
1. Acquire the evidence. For more information, see Acquiring with the Evidence Processor
on page 1.
2. Select the evidence you want to run through the Evidence Processor.
The lower left pane of the Evidence Processor window contains a table with these elements:
Use this pane for choosing tasks and configuring settings. The Evidence Processor retains
previously run settings.
File and edit settings for the Evidence Processor selections pane are located in its toolbar.
Setting         Description
Split Mode      Change the display format of the options pane.
Save Settings   Save the current selection of settings as an Evidence Processor template.
Load Settings   Load a saved template to run against the current data.
Options menu    Perform actions such as printing the results and changing the layout of the
                Evidence Processor panes.
- Find email
- If a task name is listed in blue, click the name to begin configuring the task.
- If a task name is listed in black, no further configuration options are available for that
task.
When you select Process for an already processed item, the right pane of the EnCase
Processor Options dialog displays previous processing settings.
You can run modules over and over again with different settings each time. The results of each
run are added to the case.
Clicking an option displays information about that option in the right pane.
Clicking an option with a lock icon displays the settings for that option.
4. In the Agent List area, select the operating systems you want to create agents for.
5. Select drop installers, if desired.
6. Enter an output path or browse to the destination folder you want to use.
7. Click Finish. A status bar is displayed indicating the progress of the agent creation. When
agent creation is complete, the dialog closes.
1. Click Add Evidence > Add Network Preview > Add Direct Network Preview.
2. The Logon dialog is displayed.
3. Select the key you used to create the agents, enter the password, then click Next. The
Add Direct Network Preview dialog is displayed.
Note: If the desired public key does not display, right-click in the dialog and select
Change Root Path, then browse to the location containing the public key you
want to use.
  - Get all physical memory enables the acquisition of the target's RAM.
  - Get all process memory breaks up the memory usage by process. Process memory
  is what the process currently has stored in RAM.
4. Enter an IP address or machine name and select a port number, then click Next.
5. Select the device you want to add to the evidence image table, then click Finish.
5. When you are finished, click OK. The EnCase Processor Options dialog right pane reflects
the prioritization selections you made.
The Evidence Processor also gives you the following options to designate only that evidence
which you specifically want processed:
- During first time processing you can turn File Signature Analysis on or off. The default is
on.
Note: If you disable File Signature Analysis, after processing, images will not display
in Gallery view.
Recovering Folders
Running the Recover Folders task on FAT partitions searches through the unallocated clusters
of a specific FAT partition for the “dot, double-dot” signature of a deleted folder. When the
signature matches, EnCase can rebuild files and folders that were in the deleted folder.
This task can recover NTFS files and folders from Unallocated Clusters and continue to parse
through the current Master File Table (MFT) artifacts for files without parent folders. This
operation is particularly useful when a drive was reformatted or the MFT is corrupted.
Recovered files are placed in the gray Recovered Folders virtual folder in the root of the NTFS
partition.
Because this process requires significant processing resources, process time may be
unacceptably long. If this process is not critical for your analysis, you can disable it.
Note: New encryption products and uncommon encryption products may not be
detected.
Analyzing Hashes
A hash is a digital fingerprint of a file or collection of data, commonly represented as a string of
binary data written in hexadecimal notation. In EnCase, it is the result of a hash function run
against any mounted drive, partition, file, or chunk of data. The most common uses for hashes
are to:
- Identify when a chunk of data changes, which often indicates evidence tampering.
- Verify that data has not changed, in which case the hash should be the same both before
and after verification.
- Compare a hash value against a library of known good and bad hashes, seeking a match.
The Evidence Processor's hash analysis setting allows you to create MD5, SHA1, SHA256, and
SHA512 hash values for files, so you can use them later for the reasons described above. When
you click the Hash Analysis hyperlinked name, the Edit Settings dialog is displayed, allowing
you to select which of these hashing algorithms to run.
Analyzing Images
You can use EnCase Forensic to analyze images and tag them with categories to help with an
investigation.
You can use the optional Media analysis module to analyze images and place them into
categories for further analysis. To purchase a license to use the media analysis module, contact
OpenText customer service. Media analysis scans the images in your evidence and assigns a
confidence level score indicating how closely each image matches pre-defined categories. The
confidence level score falls on a scale from 0.00 to 100.00. The higher the number, the greater
the confidence that an image falls into a pre-defined category.
Processing your evidence with the Media analysis module assigns confidence level scores to all
supported images for the following categories:
Supported image formats include BMP, JPG/JPEG, TIF/TIFF, PNG, GIF, TGA, PCX.
1. From the Evidence tab in EnCase Forensic, select the evidence you want to process.
2. Click Process Evidence in the menu bar. The Evidence Processor Options dialog is displayed.
3. Under EnCase Processor Options, select the Media analysis Enabled checkbox.
4. Click OK.
When processing is complete you can analyze the images by category. To filter images by
confidence level or view images in table format, see Viewing Media Analysis Data on page 282.
You can also triage images quickly using the Media analysis module in the Evidence view.
1. From the Evidence view, select entries for media analysis from the Tree or Table pane.
2. Right-click on one of the selected images to display the context menu.
3. Select Entries > Media Analysis.
EnCase Forensic begins processing the selected images. When processing is complete, view the
media analysis attributes of selected images using the Media Analyzer Viewer EnScript, or
select an individual image and view the Media Analyzer attributes in the Attributes tab of the
View pane.
Entropy values range from 0 to 8. Values at the lower end of the range reflect less randomness;
values at the higher end reflect greater randomness. Entropy values generated by EnCase are
displayed in a column in Table view. Each entropy value consists of eight digits, for example
3.1577005.
Entropy analysis can be performed on an entire evidence set using Evidence Processor or on
selected files by running Hash\Sig Selected.
1. Check the folders containing the files for which you want to generate entropy values,
then right-click on a selected item to display the context menu. Select Entries > Hash\Sig
Selected.
2. The Hash\Sig Selected dialog is displayed.
File extensions are the characters following the dot in a file name (for example, signature.txt).
They indicate the file's data type. For example, a .txt extension indicates a text file, and a .bmp
extension indicates a bitmap image file. Standardized file types have unique signature-
extension associations. For example, BM is the file signature for all .bmp files.
The signature analysis process flags all files with signature-extension mismatches according to
its File Types tables. To view the Evidence Processor File Types table, click the View menu of
the Home page and select File Types. For more information, see Adding and Modifying File
Signature Associations on page 313. Signature analysis is always enabled so that it can support
other Evidence Processor operations.
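Hash analysis (Analyzing Hashes above), the entropy values described above, and the signature-extension check in the preceding paragraph are all per-file computations over a file's bytes. The following Python is an added example, not EnCase code, that runs all three over constructed sample files; the File Types table and the known-hash set are small constructed stand-ins, and the entropy is rounded to the eight-digit form shown above (for example 3.1577005).

```python
"""Per-file hashing, Shannon entropy and signature/extension checks on constructed samples.
Added example; not EnCase code. FILE_TYPES is a small constructed subset of a File Types table."""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Optional

# Extension -> accepted header signatures (constructed subset).
FILE_TYPES: Dict[str, List[bytes]] = {
    ".bmp": [b"BM"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256/SHA512 hex digests, the set offered by the Hash Analysis setting."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0 (constant data) to 8 (every byte value equally likely),
    rounded to seven decimals to match the displayed eight-digit form."""
    if not data:
        return 0.0
    total = len(data)
    ent = -sum((c / total) * math.log2(c / total) for c in Counter(data).values())
    return round(ent, 7)


def signature_type(data: bytes) -> Optional[str]:
    """Extension whose registered header matches the start of the data, or None."""
    for ext, headers in FILE_TYPES.items():
        if any(data.startswith(h) for h in headers):
            return ext
    return None


def signature_status(name: str, data: bytes) -> str:
    """Classify a file the way a signature analysis pass does:
    'match'     the header agrees with the extension
    'mismatch'  the extension is registered but the header does not agree
    'unknown'   the extension has no registered signature"""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in FILE_TYPES:
        return "unknown"
    sig_ext = signature_type(data)
    # .jpg and .jpeg share a signature, so compare header lists rather than extension names.
    return "match" if sig_ext and FILE_TYPES[sig_ext] == FILE_TYPES[ext] else "mismatch"


def analyze(name: str, data: bytes, known_bad_md5: set) -> Dict[str, object]:
    """One result row: hashes, entropy, signature status and known-hash library match."""
    hashes = file_hashes(data)
    return {
        "name": name,
        "md5": hashes["md5"],
        "sha256": hashes["sha256"],
        "entropy": shannon_entropy(data),
        "signature": signature_status(name, data),
        "known_bad": hashes["md5"] in known_bad_md5,
    }


# Constructed sample files (not real evidence).
SAMPLES = {
    "logo.bmp": b"BM" + bytes(range(256)) * 4,   # bitmap header, busy content
    "photo.jpg": b"BM" + b"\x00" * 1024,         # bitmap header under a .jpg name
    "notes.txt": b"abab" * 64,                   # no registered signature, entropy 1.0
    "blob.bin": bytes(range(256)),               # every byte value once: entropy 8.0
}


def run(known_bad_md5: Optional[set] = None) -> Dict[str, Dict[str, object]]:
    """Analyze every sample; by default the constructed 'library' flags photo.jpg as known bad."""
    if known_bad_md5 is None:
        known_bad_md5 = {file_hashes(SAMPLES["photo.jpg"])["md5"]}
    return {name: analyze(name, data, known_bad_md5) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for row in run().values():
        flag = "known-bad" if row["known_bad"] else ""
        print(f'{row["name"]:10s} {row["signature"]:9s} {row["entropy"]:>9} {flag}')
```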
recovery condition to select and recover specific modified or deleted files, or you can recover a
full volume. Volume shadow copies enable volume analysis over time. Volume shadow copy
functionality requires the file system to be NTFS.
1. Select Tools > Analyze Volume Shadow Copies. A dialog displays a table of shadow copy
volumes and file recovery options.
2. Select the checkboxes next to the volume or volumes you want to process from the
table.
3. Select Recover Modified / Deleted Files to recover a portion of a shadow copy volume
or Recover Full Volume to recover an entire volume.
4. Check Enable Recovery Condition and a condition button to apply a condition during file
recovery.
  - Load Condition - load a pre-existing condition from the default EnCase Conditions
  folder or browse to locate another condition.
  - Edit Condition - edit an existing condition using the Conditions editor.
  - New Condition - create a new condition in the default EnCase Conditions folder.
5. Select the maximum total size of the evidence file or use the default 0 value for no file size
limit.
6. Click the File Settings button to change output file settings. The Default Output Options
dialog displays.
EnCase Forensic recovers and adds the volume shadow copies to your case as evidence files.
1. Select a logical volume containing snapshots. The existence of a $Snapshots folder
indicates there are snapshots for that volume.
2. Right-click on the volume with the snapshots you want to view. Select Device > Analyze
APFS Snapshots.
3. A dialog displays the available snapshots. Select a snapshot and click Process to process
the volume.
4. The Recover Full Volume dialog is displayed and asks you to confirm restoration of the
volume. Click Yes. The processed volume in the $Snapshots folder becomes a link when
processing is complete.
5. Click the volume link to view its contents.
For archive files, EnCase extracts the compressed or archived files and processes them
according to the other Evidence Processor settings you chose. This includes nested archive
files or zip files within a zip file. Note that EnCase handles compound document types like
Microsoft Office Word separately.
- Apple Safari
- Google Chrome
- Microsoft Internet Explorer
- Microsoft Edge
- Mozilla Firefox
- Opera
- History
- Cache
- Cookies
- Bookmarks
- Bookmarks
- Cache
- Cookies
- Downloads
- History
- Page Settings
- Top Sites
- Web Notes
Firefox Artifacts
As an enhancement to the Search for Internet history function, EnCase parses Firefox artifacts
stored in a SQLite database and displays them in the Artifacts tab.
- Cookies
- Downloads
- History
- Bookmarks
- Form data
- Internet keyword search terms
- Login data
Note: The Artifacts tab of an Internet history search for Mozilla Firefox artifacts
displays Frecency and Rev Host Name columns.
"Frecency" is a valid word used by Mozilla. Do not mistake it for "frequency." For more
information, see the Mozilla developer center article at
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Places/Frecency_algorithm.
The value displayed in the Frecency column is the score Mozilla gives to each URL. It combines
how frequently a person visits the site and how recently the user last visited it. EnCase
displays this value as it is stored in the places.sqlite file.
Mozilla stores a URL's host name in reverse. EnCase displays it as such in the Rev Host Name
column.
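As an added example (not EnCase code), the following Python builds a tiny in-memory database holding a constructed subset of the moz_places table from places.sqlite and reads the rows the way the Artifacts tab presents them: frecency as stored, and the host both in its stored reversed form and un-reversed. Firefox stores rev_host as the host name reversed character by character with a trailing dot; the URLs, scores and timestamps below are constructed.

```python
"""Reading frecency and rev_host from a places.sqlite-style moz_places table.
Added example on a constructed in-memory database; not code from EnCase Forensic."""
import sqlite3
from typing import Dict, List


def to_rev_host(host: str) -> str:
    """Firefox's rev_host form: the host reversed character by character, plus a trailing dot."""
    return host[::-1] + "."


def from_rev_host(rev_host: str) -> str:
    """Undo rev_host for a report: drop the trailing dot and reverse back."""
    return rev_host[:-1][::-1] if rev_host.endswith(".") else rev_host[::-1]


def build_sample_places() -> sqlite3.Connection:
    """Constructed subset of moz_places (the real table carries more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "rev_host TEXT, visit_count INTEGER, frecency INTEGER, last_visit_date INTEGER)"
    )
    rows = [  # constructed values; last_visit_date is microseconds since the Unix epoch
        ("https://www.example.com/login", "Sign in", "www.example.com", 12, 2100, 1700000000000000),
        ("https://docs.example.org/guide", "Guide", "docs.example.org", 3, 300, 1690000000000000),
        ("https://mail.example.net/", "Mail", "mail.example.net", 40, 4200, 1710000000000000),
    ]
    conn.executemany(
        "INSERT INTO moz_places (url, title, rev_host, visit_count, frecency, last_visit_date) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [(u, t, to_rev_host(h), v, f, d) for u, t, h, v, f, d in rows],
    )
    conn.commit()
    return conn


def places_by_frecency(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Rows ordered by frecency (highest first), with the host un-reversed for the report."""
    cur = conn.execute(
        "SELECT url, title, rev_host, visit_count, frecency FROM moz_places ORDER BY frecency DESC"
    )
    return [
        {"url": u, "title": t, "rev_host": r, "host": from_rev_host(r),
         "visit_count": v, "frecency": f}
        for u, t, r, v, f in cur.fetchall()
    ]


if __name__ == "__main__":
    for row in places_by_frecency(build_sample_places()):
        print(f'{row["frecency"]:>6} {row["rev_host"]:20s} {row["host"]:18s} {row["url"]}')
```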
- Google
- Bing
- Yahoo
- DuckDuckGo
- Twitter
- Amazon
- eBay
- Walmart
Login Data
EnCase Forensic parses login artifacts generated by Firefox Password Manager, including Login
Data and Disabled Logins. Encrypted elements, such as usernames and passwords, are parsed
but not decrypted.
- Login Data lists artifacts that are created when the user or system administrator has
configured Firefox Password Manager to save authentication records for specific websites.
- Disabled Logins lists artifacts that are created when the user or system administrator has
configured Firefox Password Manager to never save authentication data for specific
websites.
- Bookmarks
- Cache
- Downloads
- History
- Keyword Search
- Login Data
- Top Sites
Note: EnCase does not provide the ability to recover Google Chrome Internet
artifacts from unallocated clusters.
Files in the Chrome browser cache that are compressed with the Brotli compression algorithm
are parsed by EnCase Forensic.
Safari Artifacts
OVERVIEW
Safari Versions 5 and 6 store Internet artifacts as:
This browser software identifies artifacts using the Find Internet Artifacts module.
- URL Name
- URL Host
- Expiration Date
- Resource Path
- Content Identifier
- Created Date
- Title/Name
- Version
- Safari Hash Value
- Storage Policy
- URL Name
- URL Host
- Request Object
- Last Modification Time
- Response Object
- Accept Ranges
- Cache Control
- Connection
- Creation Date
- Content Length
- Content Type
- Internet Artifact Type
- Expiration
- Server
- Vary
- Browser Type
- Message Size
- Via
- Requesting URL
- Referrer
- Origin
Opera Artifacts
The following Opera artifacts are parsed:
- History
- Cache
Finding Email
Select this setting to extract individual messages and attachments from email archives. Find
Email supports the following email types:
This setting prepares email archives for the use of email threading and related EnCase email
functionality during case analysis.
After processing completes, EnCase can analyze the messages and component files extracted
from the email archives, according to the other Evidence Processor settings you selected.
Note that if you are searching for a number and an application stores the number in a different
format, EnCase will not find it. For example, in Excel, if a Social Security number is entered
without dashes as 612029229, Excel stores it in double precision 64-bit format as
00008096693DC241.
Often, examiners have ready-made lists of keywords to use in their searches. You may also
want to add additional keywords to use in your searches.
- By clicking Raw Search All on the Evidence Tab when viewing evidence. This is the best
way to search through raw, non-indexed data.
- By clicking Raw Search when viewing entries.
  - The targeted search only acts on items selected in the current view.
  - To run a targeted search against two or more devices in your case, click Open in the
  Evidence tab and select additional devices.
Wherever you access it, the Keyword list displays a list of existing keywords in the case:
- Select Search entry slack to include file slack in the keyword search.
- Use initialized size enables you to search a file as the operating system displays it, rather
than searching its full logical size.
  - In NTFS file systems, applications are allowed to reserve disk space for future
  operations. The application sets the logical size of the file larger than currently necessary
  to allow for expected future expansion, while setting the Initialized Size smaller so
  that it only needs to parse a smaller amount of data. This enables the file to load
  faster.
  - If a file has an initialized size less than the logical size, the OS shows the data area
  between the initialized size and logical size as zeros. In actuality, this area of the file
  may contain remnants of previous files, similar to file slack. By default, EnCase
  displays, searches, and exports the area past the initialized size as it appears on the
  disk, not as the OS displays it. This enables you to find file remnants in this area.
  - Select Initialized Size to see a file as its application sees it and the OS displays it.
  - Note that when a file is hashed in EnCase, the initialized size is used. This means that
  the entire logical file is hashed, but the area past the initialized size is set to zeros.
  Since this is how a normal application sees the file, this enables users to verify file
  hashes with another utility that reads the file via the OS.
- Select Undelete entries before searching to undelete deleted files before they are
searched for keywords.
- Select Skip contents for known files to only search the slack areas of known files
identified by a hash library.
- Add Keyword List opens a dialog where you can enter a list of words and assign certain
properties to them as a group. See Creating a New Keyword List on page 191.
- Double-click a keyword, or click Edit, to open the keyword so you can modify its
properties.
- Highlight a keyword and click Delete to remove it from the list.
- If a path box is displayed at the top of the dialog, that path and name is where the search
is stored.
3. Enter the search expression and name, and select the desired options:
  - Search Expression is the actual text being searched. Use a character map to create a
  non-English search string if your keyboard is not mapped to the appropriate
  non-English key mapping.
  - Name is the search expression name listed in the folder.
  - ANSI Latin - 1 searches documents using the ANSI Latin - 1 code page.
  - UTF-8 meets the requirements of byte-oriented and ASCII-based systems. UTF-8 is
  defined by the Unicode Standard. Each character is represented in UTF-8 as a
  sequence of up to four bytes, where the first byte indicates the number of bytes to
  follow in a multi-byte sequence.
  Note: UTF-8 is commonly used in Internet and web transmission.
  - UTF-7 encodes the full BMP repertoire using only octets with the high-order bit clear
  (7 bit US-ASCII values, [US-ASCII]). It is deemed a mail-safe encoding.
  Note: UTF-7 is mostly obsolete, and is used when searching older Internet content.
  - Unicode: select if you are searching a Unicode encoded file. Unicode uses 16 bits to
  represent each character. Unicode on Intel-based PCs is referred to as Little Endian.
  The Unicode option searches the keywords that display in Unicode format only. For
4. Open the Code Page tab to change the code page to use a different character set.
5. To test a search string against a known file, click the Keyword Tester tab.
  - Locate a test file containing the search string, enter the address into the Test Data
  field, and click Load. The test file is searched and is displayed in the lower tab of the
  Keyword Tester form.
  - Hits are highlighted in both Text view and Hex view.
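The encoding options in step 3, and the earlier note that Excel stores 612029229 as the double-precision bytes 00008096693DC241, both reduce to one question: which byte pattern must a raw search look for? The following Python is an added example, not EnCase code, that produces the pattern for a keyword under each listed encoding (ANSI Latin-1, UTF-8, UTF-7 and 16-bit little-endian Unicode) and for a number stored as a 64-bit double, then raw-searches a constructed buffer; the mapping of option names to Python codecs is an assumption, and the buffer contents are constructed.

```python
"""Byte patterns for a keyword under each search encoding, plus raw search over a buffer.
Added example on constructed data; not code from EnCase Forensic."""
import struct
from typing import Dict, List

# Option name as in the New Keyword dialog -> Python codec (this mapping is an assumption).
ENCODINGS = {
    "ANSI Latin-1": "latin-1",
    "UTF-8": "utf-8",
    "UTF-7": "utf-7",
    "Unicode (little endian)": "utf-16-le",
}


def keyword_patterns(keyword: str) -> Dict[str, bytes]:
    """The raw byte sequence a search must match for `keyword` under each encoding.
    Characters an encoding cannot represent are dropped for that encoding."""
    return {label: keyword.encode(codec, errors="ignore") for label, codec in ENCODINGS.items()}


def number_as_double_le(value: float) -> bytes:
    """A plain number as a spreadsheet cell stores it: IEEE-754 binary64, little-endian.
    612029229 -> 00 00 80 96 69 3D C2 41, which an ASCII search for '612029229' never sees."""
    return struct.pack("<d", float(value))


def raw_search(buffer: bytes, pattern: bytes) -> List[int]:
    """Every (possibly overlapping) offset of `pattern` in `buffer`; [] if absent."""
    hits, start = [], 0
    while (pos := buffer.find(pattern, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def search_all_forms(buffer: bytes, keyword: str) -> Dict[str, List[int]]:
    """Run the same keyword in every encoding and, if it is numeric, as a double as well
    (dashes are stripped so an SSN typed with dashes still yields the stored number)."""
    results = {label: raw_search(buffer, pat) for label, pat in keyword_patterns(keyword).items()}
    digits = keyword.replace("-", "")
    if digits.isdigit():
        results["IEEE-754 double"] = raw_search(buffer, number_as_double_le(int(digits)))
    return results


# Constructed buffer: a UTF-16LE string, a Latin-1 string, and a number stored as a double.
SAMPLE_BUFFER = (
    b"\x00" * 16
    + "Employee: Renée".encode("utf-16-le")   # 30 bytes at offset 16; "Renée" starts at 36
    + b"\x00" * 8
    + "Renée".encode("latin-1")               # 5 bytes at offset 54
    + b"\x00" * 8
    + number_as_double_le(612029229)          # 8 bytes at offset 67
    + b"\x00" * 16
)


if __name__ == "__main__":
    for kw in ("612029229", "Renée"):
        for label, hits in search_all_forms(SAMPLE_BUFFER, kw).items():
            print(f"{kw:12s} {label:24s} {hits}")
```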
1. From either location, from the New Keyword dialog click Add Keyword List. The Add
Keyword List dialog is displayed.
4. Drill down in the process and select the Memory entry in the Table pane, then use Raw
Search Selected to search for keywords.
Note: Because of the time it takes to search for 64-bit processes, we recommend
not searching through Unused Disk Area.
Creating an Index
Using the Evidence Processor to index your data enables you to search across all types of
information and view results in email, files, mobile devices, and any other processed data in
one search results view. All files, emails, and module output can be indexed, including EnScript
Generating an index can take time. Once generated, however, searching content becomes
nearly instantaneous. We recommend always indexing your case data.
- File slack: the area between the end of a file and the end of the last cluster used by that
file.
- Unallocated space: the sectors not associated with an allocated file: the free space of a
disk or volume.
  - Unallocated space consists of either unwritten-to sectors or previously written-to
  sectors that no longer have historical attribution data associated with them. All
  these sectors are aggregated into Unallocated Clusters.
  - Unallocated Clusters are then divided into multiple sections, and these sections are
  indexed with shared metadata. If a word at the end of one section of text spans to
  another section of text, that word is skipped and not included in the indexed
  sections of text.
  - Sectors not assigned to any partition fall under Unused Disk Area. The Evidence
  Processor handles these sectors and Unallocated Clusters similarly.
1. From the Evidence tab, select the evidence you want to process and select Process
Evidence > Process from the menu bar. The EnCase Processor Options dialog is displayed.
2. Select the Index text and metadata checkbox to enable indexing, then click the Index text
and metadata link. The Edit dialog is displayed.
The indexing engine in EnCase Forensic uses the following delimiters for all analyzers by
default. There is no need to add a delimiter if it is in this list.
!#$%&()*+,-\/;<=>?@[]^`{|}~
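Two behaviours described above, the default delimiter set and the skipping of a word that straddles two indexed sections of unallocated space, decide which terms end up in the index. The following Python is an added example, not EnCase code: it tokenizes with that delimiter set (treating whitespace and control bytes as delimiters as well, which is an assumption), indexes constructed unallocated data in fixed-size sections, and shows a straddling word that a raw search finds but the index does not contain.

```python
"""Section-wise indexing of unallocated data with the default delimiter set.
Added example on constructed data; not code from EnCase Forensic."""
from typing import Dict, List, Set, Tuple

DEFAULT_DELIMITERS = "!#$%&()*+,-\\/;<=>?@[]^`{|}~"   # the default list given above


def is_delimiter(ch: str, extra: str = "") -> bool:
    """Default delimiters, any extra ones added during processing, and (an assumption)
    whitespace and control characters."""
    return ch in DEFAULT_DELIMITERS or ch in extra or ch.isspace() or ord(ch) < 32


def tokenize(text: str, extra: str = "") -> List[Tuple[int, int, str]]:
    """Split text into (start, end, term) triples; end is exclusive, terms are lower-cased."""
    tokens: List[Tuple[int, int, str]] = []
    start = None
    for i, ch in enumerate(text):
        if is_delimiter(ch, extra):
            if start is not None:
                tokens.append((start, i, text[start:i].lower()))
                start = None
        elif start is None:
            start = i
    if start is not None:
        tokens.append((start, len(text), text[start:].lower()))
    return tokens


def index_sections(data: bytes, section_size: int, extra: str = "") -> Dict[str, Set[int]]:
    """Index unallocated data section by section (term -> set of section numbers).
    A term that touches a section boundary whose neighbouring byte on the far side is not a
    delimiter is part of a straddling word and is skipped, as described for Unallocated
    Clusters above."""
    text = data.decode("latin-1")            # one byte per character keeps offsets exact
    index: Dict[str, Set[int]] = {}
    for sec, base in enumerate(range(0, len(text), section_size)):
        chunk = text[base:base + section_size]
        for start, end, term in tokenize(chunk, extra):
            continues_left = start == 0 and base > 0 and not is_delimiter(text[base - 1], extra)
            continues_right = (end == len(chunk) and base + end < len(text)
                               and not is_delimiter(text[base + end], extra))
            if continues_left or continues_right:
                continue                     # straddles a section boundary: not indexed
            index.setdefault(term, set()).add(sec)
    return index


def index_hit(index: Dict[str, Set[int]], term: str) -> Set[int]:
    """Sections in which the index recorded `term` (empty set if it was never indexed)."""
    return index.get(term.lower(), set())


def raw_hit(data: bytes, term: str) -> bool:
    """A raw (non-indexed) search sees the bytes as one stream, so section boundaries
    do not matter; this is why Raw Search can find what the index lacks."""
    return term.encode("latin-1").lower() in data.lower()


SAMPLE_UNALLOCATED = b"alpha,beta gamma delta"   # constructed; 'gamma' spans byte 13


if __name__ == "__main__":
    idx = index_sections(SAMPLE_UNALLOCATED, 13)
    print("indexed terms:", sorted(idx))
    print("index finds gamma:", bool(index_hit(idx, "gamma")),
          "| raw search finds gamma:", raw_hit(SAMPLE_UNALLOCATED, "gamma"))
```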
1. From the Evidence tab, select the evidence you want to process, then select Process
Evidence > Process from the menu bar of the Evidence tab. The EnCase Processor Options
dialog displays.
2. Click the Index text and metadata link to display the Edit Index text and metadata dialog.
3. Enter one or more word delimiters without spaces in the text box.
4. Click OK.
Once your evidence is processed, all data will be indexed with the default word delimiters for
the language analyzer as well as any additional delimiters added during processing. Any
additional word delimiters entered during processing can be viewed by right-clicking on Index
text and metadata link in the EnCase Processor Options dialog. The table that displays lists all
current processing options.
The English language analyzer is selected by default. It is optimized for the English language
but indexes other Western languages as well.
Select other language analyzers to create an index for that language or language group. If you
need to index and search evidence in a specific language, select the corresponding language
analyzer to create a unique index for that language.
EnCase Forensic creates an index for each language you select. Indexing additional languages
increases the time it takes to process your evidence. We recommend selecting only the
languages needed for your investigation.
- English
- Arabic
- Brazilian Portuguese
- Bulgarian
- Chinese (Simplified)
- Chinese, Japanese, and Korean
- Danish
- Dutch
- Finnish
- French
- German
- Greek
- Hindi
- Italian
- Norwegian
- Romanian
- Russian
- Spanish
- Swedish
- Turkish
To create indexes for more than one language, or to change the default language index:
1. From the Evidence tab, select the evidence you want to process, then select Process
Evidence > Process from the menu bar of the Evidence tab. The EnCase Processor Options
dialog is displayed.
2. Select the Index text and metadata checkbox, then click the Index text and metadata
link. The Edit dialog is displayed.
Creating Thumbnails
When you select the Thumbnail creation option, the Evidence Processor creates thumbnail
artifacts for all image files in the selected evidence. This facilitates image browsing.
Note: To make a copy of your custom code and modify it while still preserving the
original, use the Save As option in the dropdown menu.
Use the Standard options tab for both Windows and Linux evidence, with exceptions noted in
the user interface. They contain basic information categories for use in reports.
The Advanced tab scans for registry information on Windows devices only.
When evidence processing is complete, you can also search NetShare and USB registry
information in the Artifacts tab. You can see the UNC path visit history, the history of
connected devices, and you can correlate USB devices to their drive letters.
When selected, this option performs a quick sweep against registry entries only resident in
memory (versus disk), reducing time taken to analyze live machines.
Note: In the Evidence Processor System Info Parser dialog, the Live Registry
Only checkbox is cleared by default.
File Carver
The File Carver module allows you to search evidence for file fragments based on a specific set
of parameters, such as known file size and file signature. It can also examine unallocated space.
It searches for file fragments anywhere on the disk. By default, the File Carver automatically
checks file headers for file length information and uses the actual number of bytes carved. You
can set specific parameters for carving a file (file size and destination) with the File Carver
Export Settings dialog. To add an additional file type to carve for, you must add an entry with
header information and, optionally, footer information, to the File Types table.
The File Carver is not designed to handle multiple headers and footers. Any file containing
more than one header and footer may produce inconsistent results.
Running the File Carver in Evidence Processor gives you three options: you can select from
either the full File Types table, from the optimized File Types table, or from both. You can blue
check entries and choose to search selected files. The HTML files that the module carves are
adjudicated to be HTML, based on certain keywords appearing in the files.
You can export carved files to disk so they can be loaded with native applications.
Note: When there is no file length information in the header, the footer or the
default length is used. The value of 4096 bytes is the default carve size when no
footer is provided and no default length is provided in the File Types table.
• .jpeg
• .ico
• .gif
• .png
File Carver does not separately carve thumbnails embedded within JPEG images. To carve out
the thumbnails embedded in JPEG images, you must add a file type to the File Types table that
contains the same information in the JPEG Image Standard fields, with two exceptions:
The File Carver changes the output name of files carved from E01/Ex01 files so that physical
sector and physical offset values are included in the name, in addition to the file offset values
already present. This requires no configuration.
1. Select the Evidence tab and click the checkbox next to the evidence you want to process.
From the Process Evidence dropdown menu, click Process.
2. The Evidence Processor Current processing options screen is displayed. Select Modules >
File Carver. The File Carver window is displayed with your selected options.
3. Click OK.
A dialog is briefly displayed indicating the evidence processing has begun. The lower right
corner of the window displays a flashing green Processing indicator until evidence processing
completes.
• Entry condition filters which files EnCase processes, based on their entry properties.
• EVT condition restricts individual events on properties parsed from an EVT file (Event ID, Event Type, Source, etc.).
• EVTX condition restricts individual events on properties parsed from an EVTX file (Event ID, Process ID, Thread ID, etc.).
To enable a condition, select its checkbox. Click Edit next to the condition type to modify the
condition.
• Link files
• Recycle Bin artifacts
• MFT transaction logs
With these artifacts, you can search unallocated, all files, or selected files. Once the artifacts are
parsed, you can browse through the results in the Artifacts tab. You can also index the
artifacts so they are searchable. In addition, you can bookmark the artifacts.
Unix Login
This module parses files with the names "wtmp" and "utmp", but also allows for processing by condition.
You can process files by signature and use EnScript code to specify either entry or log event
conditions.
Running the Macintosh OS X parser in EnCase Evidence Processor creates a Logical Evidence
File (LEF).
  ◦ This parses the log file, creating artifacts for easy access and review.
• Software updates
  ◦ Last successful software update date
  ◦ Last attempt date
  ◦ Last result code
• Network connections
  ◦ MAC address of wireless network
• Folders visited
• Favorite servers
• Startup applications
• Saved searches
• Printing activity
Artifacts parsed are inserted into a SQLite database. Case Analyzer reports contain data for the
artifacts generated by the Macintosh OS X Artifact Parser module.
The following reports are created, based on the information collected by the Macintosh OS X
Artifacts Parser:
• Multimedia
  ◦ OS X Recent Files Report
  ◦ OS X Saved Searches Report
• Network
  ◦ OS X Network Interfaces Report
• Operating System
  ◦ OS X Install Log Report
  ◦ OS X System Overview Report
Double Files
Double files are artifacts created by OS X.
The HFS+ file system supports extended attributes, such as Finder attributes and the location
of a file within the Finder coordinates X and Y. They are in the Attributes tab in EnCase.
When OS X writes to a file system that does not support extended attributes (for example, FAT or exFAT), a double file is created in the same location as the actual file to store the extended attributes that HFS+ needs. So if the file is ever copied back to an HFS+ formatted drive, the attributes are included along with the file itself.
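The double files described above are written in Apple's AppleDouble container format (the "._name" sidecar files seen on FAT and exFAT volumes written by OS X). The following Python, added here as an example and not part of EnCase, parses that container and decodes the classic Finder info entry, including the Finder window X and Y coordinates the guide mentions; the sample sidecar is constructed for the example.

```python
"""Parse an OS X double file (AppleDouble sidecar) and decode its Finder info."""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
HEADER_LEN = 26                 # magic(4) + version(4) + filler(16) + entry count(2)
ENTRY_LEN = 12                  # entry id(4) + offset(4) + length(4)
ENTRY_RESOURCE_FORK = 2
ENTRY_FINDER_INFO = 9
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name", 4: "comment",
               8: "file dates", 9: "Finder info", 10: "Macintosh file info"}
FINDER_INFO_LEN = 32            # FInfo (16 bytes) + FXInfo (16 bytes)
FLAG_IS_INVISIBLE = 0x4000      # kIsInvisible bit of fdFlags
FLAG_IS_ALIAS = 0x8000          # kIsAlias bit of fdFlags


def parse_appledouble(blob: bytes) -> dict:
    """Return {entry_id: payload bytes}; reject anything that is not a well-formed v2 AppleDouble."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an AppleDouble header")
    magic, version, count = struct.unpack_from(">II16xH", blob, 0)
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError(f"bad magic {magic:#010x}")
    if version != APPLEDOUBLE_VERSION:
        raise ValueError(f"unsupported version {version:#010x}")
    if len(blob) < HEADER_LEN + count * ENTRY_LEN:
        raise ValueError("entry table runs past end of file")
    entries = {}
    for i in range(count):
        eid, off, length = struct.unpack_from(">III", blob, HEADER_LEN + i * ENTRY_LEN)
        if off + length > len(blob):   # damaged sidecar: never read outside the buffer
            raise ValueError(f"entry {eid} ({ENTRY_NAMES.get(eid, 'unknown')}) is truncated")
        entries[eid] = blob[off:off + length]
    return entries


def parse_finder_info(data: bytes) -> dict:
    """Decode the classic 32-byte Finder info: type/creator, flags and Finder window location."""
    if len(data) < FINDER_INFO_LEN:
        raise ValueError("Finder info entry shorter than 32 bytes")
    ftype, creator, flags, loc_v, loc_h, folder = struct.unpack_from(">4s4sHhhh", data, 0)
    return {
        "type": ftype.decode("mac_roman"),
        "creator": creator.decode("mac_roman"),
        "flags": flags,
        "invisible": bool(flags & FLAG_IS_INVISIBLE),
        "alias": bool(flags & FLAG_IS_ALIAS),
        "x": loc_h,                 # QuickDraw Point is stored v (y) first, then h (x)
        "y": loc_v,
        "folder": folder,
        "has_xattrs": len(data) > FINDER_INFO_LEN,   # macOS appends extended attributes here
    }


def build_sample_double_file() -> bytes:
    """Constructed sample: Finder info placing the icon at x=64, y=120 plus an 8-byte resource fork."""
    finder_info = struct.pack(">4s4sHhhh", b"JPEG", b"prvw", 0, 120, 64, 0) + b"\x00" * 16
    resource_fork = b"\x00" * 8
    data_start = HEADER_LEN + 2 * ENTRY_LEN
    header = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, 2)
    table = struct.pack(">III", ENTRY_FINDER_INFO, data_start, len(finder_info))
    table += struct.pack(">III", ENTRY_RESOURCE_FORK,
                         data_start + len(finder_info), len(resource_fork))
    return header + table + finder_info + resource_fork


def describe(blob: bytes) -> dict:
    """Summarize a sidecar: entry sizes by name plus decoded Finder info when present."""
    entries = parse_appledouble(blob)
    out = {"entries": {ENTRY_NAMES.get(e, f"id {e}"): len(p) for e, p in entries.items()}}
    if ENTRY_FINDER_INFO in entries:
        out["finder"] = parse_finder_info(entries[ENTRY_FINDER_INFO])
    return out


if __name__ == "__main__":
    print(describe(build_sample_double_file()))
```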
X:DateAdded
X:DateAdded indicates the time a file was added to the parent folder. For example,
X:DateAdded to the Trash folder represents the time the file was deleted.
Keychain Parsing
OS X keychains provide a secure way to store passwords, certificates, and notes. Whenever OS
X asks if you want to remember a password, it is stored in a keychain.
Once the keychain is parsed, you can view the contents as artifacts.
If a keychain's password is known, secrets in the keychain are parsed and stored in Secure
Storage in EnCase.
If credentials are parsed and stored in Secure Storage, EnCase automatically decrypts and
mounts the .dmg file.
1. View File Structure on a .dmg file: in the Entries dropdown menu, click View File Structure
and select the .dmg file.
2. The View File Structure dialog is displayed. Click OK. You do not need to enter a password.
3. The .dmg file mounts and its contents are decrypted.
This information helps you identify the size and scale of the evidence to be
processed. A result set can contain items from multiple evidence files, all of
which will be processed.
Note: Because result sets can include items from multiple devices in various
processing states, locks do not display in processing options when selecting result set
processing. However, items that would normally be locked because they were
previously run on a device will still run, even if they do not have the lock item
present. In other words, once a lockable Evidence Processor option is run on a
device, all processing jobs that follow on that device will run the option, even if it is
not selected. The screenshot in Step 3 above explains that these previously
processed items are marked with asterisks, and those items will be reprocessed.
Note: Also, since locks do not display, some modules that are not supported in
certain instances will not run, even if they are selected. For example, indexing will
not run on items that come from a remote node, and Snapshot will not run on an
evidence file or a local drive.
1. In the Results tab, select the result set you want to process.
2. Right-click, then click Process in the dropdown menu.
3. The EnCase Processor Options dialog is displayed.
To include all blue checked items in a device, highlight the device root first before
selecting the Create Results option.
Some examples of data types that allow creation of result sets include:
• Email archives
• Compound files (for example, .zip files)
• Internet artifacts
Examples of data types that do not allow creation of results (because they are metadata only)
include:
• Snapshot data
• System Info Parser results
• Windows Artifact Parser results
• Windows Event Log Parser results
1. In the Tree and/or Table pane, blue check the items you want to include in the result set.
2. Right-click, and in the dropdown menu click Artifacts (or Entries, depending on the context) > Create Results.
3. The Create Results dialog is displayed, showing the number of items selected.
Note: Use this option with caution, as it will remove all processing results for the
devices selected.
Note: This option is enabled only when you select Current Item and the evidence
is already processed.
2. Click OK. A warning message is displayed, asking if you want to continue and delete
previously processed output.
3. To continue, click Yes. EnCase will delete all caches related to the specified evidence
file.
Note: When you use the Overwrite Evidence Cache option, items in the result
sets and bookmarks belonging to the device will no longer resolve to the original item
GUIDs and will become invalid. You can delete the existing result sets and
bookmarks or maintain them as a reference for manual recreation.
EnScript Application UI
There are links on the Home and Case pages for EnScripts. There is also a package details page.
Home Page
On the Home page, there is an EnScripts link in the View section.
Click the link to go to the EnScripts page. This page displays the most recently used scripts.
Case Page
On the Case page, there is an EnScripts link in the Browse section.
Processor Manager
The Processor Manager allows for distribution and control of evidence processing for one or
more EnCase Examiners or EnCase Processors.
With Processor Manager, you can simplify evidence processing and acquisition by:
• Queuing evidence in the jobs list to be processed. A job is defined as evidence combined with processor options.
• Prioritizing execution of evidence to be processed.
• Distributing the processing workload across multiple processing nodes. Any available node picks up the next job in the queue, so the evidence is processed as quickly as possible.
For a table showing terms and definitions for the Processor Manager, see Terms and
Definitions on page 217.
You can also use a web browser from any machine that can connect to your processor node
and manually enter the processor node's URL.
Note: A warning may display in the web browser saying the site's security
certificate is not trusted. This is expected behavior, and you can click through the
message to proceed.
• The name of the processor node. The name cannot match any processor node already in the list.
• Storage configuration (temp case files location, temp evidence files location, temp evidence caches location).
• The number of maximum concurrent jobs.
• Whether to create heap dumps.
Note: You cannot edit a local machine node.
1. In the lower pane of the Processor Manager tab, select the node you want to edit, then
click Edit.
2. The Edit dialog is displayed. Enter your desired changes.
1. In the lower pane of the Processor Manager tab, select the node you want to delete. If
you want to delete more than one node, click the checkboxes for those nodes.
2. The Delete Processor Node dialog is displayed.
3. If a node or nodes are running jobs and you still want to delete them, click the Delete
node(s) even if there are currently running jobs checkbox.
4. Click OK.
Note that:
• You cannot delete the Local Machine processor node if a job is currently running on it.
• Jobs running on a remote processor node that is deleted and removed from the processor list continue to run on the node. However, the job's status in Processor Manager will change to "Processor Node is Unknown" and the processing state is set to "Pending." If you add that processor node back into the list, the job's state and status are updated to show the true status of the job running on that node: "Running," "Error," or "Completed".
• Process: Use this to combine evidence with processor options to create a job.
• Acquire: Use this to acquire evidence without processing it.
• Acquire and Process: Use this to acquire evidence first and then process it.
5. The evidence files to be queued for processing, and the information that is displayed in
the right pane, depend on which What to Process radio button you select:
  ◦ Unprocessed Evidence Files: Includes all unprocessed evidence files in the case.
  ◦ Selected Unprocessed Evidence Files: Includes only the evidence files you selected on the Evidence tab.
  ◦ Current Item: The item currently highlighted on the Evidence tab.
  ◦ Result Set: Select this option to process a result set. For more information, see Result Set Processing on page 206.
6. Click the Immediately queue the evidence checkbox if you want to put the selected
items in a job list to be executed by the next available node now. If you do not check the
box, the items are put in the Processor Manager in an On Hold status.
7. The Overwrite evidence cache option, if available, enables you to delete previous processing results for the selected item and restart processing.
8. In the Options Label box, enter a label or accept the default, Processor Default Options.
9. The first option, Make local copies, copies the evidence to the assigned remote Processor Node. The Processor Node displays:
  ◦ Temp evidence cache location.
  ◦ Temp evidence files location.
  ◦ Temp case files location.
Note: If Local Machine is the only processor node in the node list, the Make local
copies option is not available. This option is only available if there are remote
processor nodes in the node list.
• If there are network interruptions, there is no cache corruption because the cache is created locally on the node before it is uploaded to the shared drive.
• If the network is slow, it does not impact processing because all processing is done locally on the node before it is uploaded to the shared drive.
Once the processing completes, the cache is copied to the shared network drive. Then
the evidence file and cache are deleted from the remote node.
10. When you finish selecting what evidence to process and the processing options you
want, click OK.
11. A dialog displays showing that the evidence to be processed is loading.
For detailed information on other evidence processing options, see the following topics
in this book:
  ◦ Evidence Processor Prioritization on page 171. If you choose the Prioritization option, EnCase puts two jobs into the Processor Manager job list. The first job is for the prioritized items in the evidence. The second job is for all the remaining (that is, not prioritized) items in the evidence that were not processed by the first job.
  ◦ Recovering Folders on page 173.
  ◦ Analyzing File Signatures on page 178.
  ◦ Analyzing Protected Files on page 173.
Term: Job
Definition: Evidence combined with processor options.

Term: Job List
Definition: All jobs in the Processor Manager. The job list is displayed in the Name column of the top pane of the Processor Manager.

Term: Queue
Definition: Jobs in the list to be processed.

Term: Pause Queue
Definition: Stops distributing jobs to processor nodes (jobs that are executing will continue).

Term: Processor Node
Definition: Name of a processor node (set during installation).
1. Select the checkboxes for the jobs you want to move to the top.
2. Click Job Actions > Move to Top. The selected items are moved to the top of the list of
queued jobs.
1. Select the checkboxes for the jobs you want to increase in priority.
2. Click Job Actions > Increase Priority. The selected jobs move up in the list in the Priority
column and have a higher priority.
1. Select the checkboxes for the jobs you want to decrease in priority.
2. Click Job Actions > Decrease Priority. The selected jobs move down in the list in the Priority column and have lower priority.
1. Select the checkboxes for the jobs you want to move to the bottom.
2. Click Job Actions > Move to Bottom. The selected jobs are moved to the bottom of the
list of queued jobs.
• Queue
• Remove
• Hold
• Stop
• Change job priority
• Copy (Available on the right-click menu only: This option copies the text in the currently highlighted field in the currently highlighted row.)
Note: These right-click actions only operate on the currently highlighted job;
however, actions in the Job Actions menu of the Processor Manager tab work for
all blue checked items.
1. Select the checkboxes for the jobs whose processing options you want to edit.
2. Click Configure > Edit Default Options. The EnCase Processor Options dialog is displayed
with the default processing options selected.
1. Click Configure > Set Manager Name. The Manager Settings dialog is displayed.
2. Enter the manager name you want to use, then click OK.
Pause Queue
The Pause Queue button is a toggle. Use the Pause Queue button to pause submission of new
jobs to the Evidence Processor.
1. Click Pause Queue once to pause submission of new jobs. Current jobs continue to
execute. The menu name changes to Resume Queue.
Clean List
The Processor Manager Clean List menu button removes all processed and failed jobs from
the job list. Processing, Queued, and On Hold jobs remain in the job list.
1. Click Clean List. A dialog is displayed asking you to confirm before removing all processed
and failed jobs from the job list.
2. Click Yes.
Performance Monitoring
Monitor evidence processor performance in the Processor Manager tab. Click on the name of
a job to display the following two tabs:
• The Evidence Processor Status tab is displayed, providing information on the job currently running. It shows what is executing within a given job from the node that is processing the job, as well as basic memory information.
• The Performance tab displays the current state of the performance counters for the selected job.
Click Back to return to the job list, click Refresh to instantly refresh the performance
statistics, or click the Auto Refresh checkbox to enable periodic updates of performance
statistics.
Queue
1. Select the job you want to queue for processing. If you want to queue more than one
job, click the checkboxes for those jobs.
2. Click Queue. If you clicked more than one checkbox, you have the option to queue only
the currently selected job or all the selected jobs.
3. From the dropdown menu, click Current Item or All Selected Items. The Queue Processing Jobs dialog is displayed.
Note: This dialog does not display if Local Machine is the only node in the node list.
  ◦ Select Next Available Processor Node to send the job to the most currently available Processor Node. This is the default.
  ◦ Select Local Machine to process the job locally instead of sending it to a Processor Node.
  ◦ Select Specific Processor Node if you want to choose a specific Processor Node to use to process the job. The Select Processor Node button is then enabled. Click the button to open the Select Processor Node dialog.
  ◦ Select the Processor Node (in online status) you want to use, then click OK. Back in the Queue Processing Jobs dialog, click OK.
4. An indicator in the bottom right corner shows which evidence is currently being processed. You can double click this indicator at any time to go to the Processor Manager tab.
You can see processing details in the Event Viewer of the machine running the Processor Node. A log entry is written each time an event begins (for example, when processing starts and when threads are created).
Hold
To place a job on hold:
Note: A job must be in Queued state to place it on hold.
1. Select the job you want to place on hold. If you want to place a hold on more than one
job, click the checkboxes for those jobs.
2. Click Hold. If you clicked more than one checkbox, you have the option to place only the
selected job on hold or all the selected jobs.
3. The Hold Job(s) dialog is displayed and asks if you are sure you want to place the job(s)
on hold. To continue, click Yes.
4. The state of the selected jobs changes to On Hold.
Stop
To stop a job:
1. Select the job in a running state that you want to stop processing. If you want to stop
more than one job, click the checkboxes for those jobs.
2. Click Stop. If you clicked more than one checkbox, you have the option to stop only the
selected job or all the selected jobs.
3. The Stop Job(s) dialog is displayed, asking you to confirm stopping the selected job(s).
Click Yes to continue.
4. The state of the selected jobs changes to Incomplete.
Force Stop
You can use Force Stop if a job fails to stop successfully. There is no specific amount of time
you should wait before deciding to use Force Stop. It depends on the evidence you are
processing and what processing has already occurred at the time you tried to stop the job.
Some evidence can take minutes to stop processing; however, it is safe to assume something
is wrong if the job does not stop after tens of minutes.
1. Select the job you want to force stop. If you want to force stop more than one job, click
the checkboxes for those jobs.
2. Click Force Stop. If you clicked more than one checkbox, you have the option to force
stop only the selected job or all the selected jobs.
3. The Force Stop dialog is displayed and asks you to confirm termination of the job. Click
Yes to continue.
4. The state of the job changes to Incomplete.
Message: Waiting for job state from Processor Node.
Explanation: You may see this job status briefly when you start EnCase and quickly switch to the Processor Manager tab. The status message is for jobs in the job list that EnCase last identified as running on a remote processor node. The job status is quickly replaced with either the actual job status or "Waiting for Processor Node to come Online" if the node is offline.

Message: [processor node name] is not in the Processor Node list.
Explanation: Jobs display this status when the processor node they are queued to or running on is deleted from the node list. The status goes away if the node is added back into the list.

Message: The chosen Processor Node cannot access the evidence file.
Explanation: Jobs display this status when they are queued to a specific processor node, but the processor node cannot access the job's evidence file over the network.

Message: The chosen Processor Node cannot access the primary evidence cache folder.
Explanation: Jobs display this status when they are queued to a specific processor node, but the processor node cannot access the job's evidence cache over the network.

Message: The chosen Processor Node does not have the module [module name].
Explanation: Jobs display this status when they are queued to a specific processor node, but the processor node does not have the indicated third party EnScript module required by the job.

Message: No Processor Node can access both the evidence file and evidence cache.
Explanation: Jobs queued to the next available processor node display this status when none of the processor nodes can access the job's evidence file and evidence cache over the network. Jobs in this status remain in the Queued state and will run if the network access issue is fixed.

Message: No Processor Node has the module [module name].
Explanation: Jobs queued to the next available processor node display this status when no processor node has the indicated third party EnScript module required by the job.

Message: Not all evidence was queued. See Job Status for more information.
Explanation: This message is displayed after attempting to queue jobs if not all of the jobs were successfully queued. You can go to the Processor Manager tab to see which jobs failed to queue and why.

Message: Job [child job name] cannot be queued because corresponding job [parent job name] ... complete.
Explanation: A child job displays this status if you try to queue the job, but its parent job is not currently queued, running, or processed at the time you try to queue the child job. Examples of paired jobs are:
  • Stage 1 job (parent) and corresponding Stage 2 job (child)
  • Acquire job (parent) and its corresponding ...

Message: Stage 2 jobs must be queued to the same Processor Node as their Stage 1 jobs.
Explanation: A Stage 2 job displays this status if you try to queue it to a different processor node than the one to which its parent job was queued.

Message: The evidence is already queued for processing.
Explanation: A job displays this status when you try to queue it, but there is another (non-parent) job for the same evidence that is already queued.

Message: The evidence is already being processed.
Explanation: A job displays this status when you try to queue it, but there is another (non-parent) job for the same evidence that is already running.

Message: Running jobs must be stopped before being removed from list.
Explanation: This message is displayed if you blue check a number of jobs in the job list, then click the Remove menu option, and some of the blue-checked jobs are currently running. The running jobs are left alone. The other jobs are removed.

Message: Priority of [child job name] job cannot be increased above that of corresponding job [parent job name].
Explanation: This message is displayed if you attempt to increase a child job's priority above that of its corresponding parent job.

Message: Priority of [parent job name] job cannot be decreased below that of corresponding job [child job name].
Explanation: This message is displayed if you attempt to decrease a parent job's priority below that of its corresponding child job.

Message: Cannot edit the options of a Stage 2 job. Edit the options of the corresponding Stage 1 job instead.
Explanation: This message is displayed if you try to edit the processing options of a Stage 2 job present in the job list.

Message: There is already a Processor Node with the name [processor node name].
Explanation: You see this message if you try to rename a node to a name that matches a node already in the processor node list.

Message: The specified Processor Node is already in the list.
Explanation: This message is displayed if you try to add a processor node already in the processor node list.

Message: Processor Node [processor node name] is not compatible with this version of EnCase.
Explanation: This message is displayed if you try to add a processor node that is either too new or too old compared to the version of EnCase you are using. This message also displays the version number of the processor node and the version number of your EnCase and indicates which one needs to be updated.

Message: All Processor Nodes are offline.
Explanation: Jobs queued to the next available processor node display this status if all processor nodes go (or are) offline. The status goes away when at least one node comes online.

Message: Local Machine is required but is not configured for processing.
Explanation: A job displays this status if you try to queue the job and it requires the Local Machine (that is, because the job's evidence is a preview), but the Local Machine is not in the processor node list.

Message: Evidence is already queued for acquisition.
Explanation: An acquisition job displays this status if you try to queue the job but there is another acquisition job for the same device or evidence file already in the queue.

Message: You must select a Processor Node that is Online.
Explanation: This message is displayed if you try to queue a job to a processor node that is offline.

Message: No valid evidence images to process.
Explanation: This message is displayed after the Processor Options dialog closes if none of the evidence you selected for processing can be opened.

Message: Job not present on Processor Node [processor node name].
Explanation: A job displays this status if it started running on a processor node and then some time later the node loses knowledge of the job. This can happen if the node is stopped (or crashed) and then restarted.

Message: Local Machine cannot be edited.
Explanation: This message is displayed if you try to edit the processor node settings of the Local Machine node. In general, these settings cannot be changed. However, you can enable the Heap Dump option for the Local Machine in EnCase in the Tools > Options dialog (on the Debug tab). The next time the Local Machine is started, it will run with heap dumps enabled. To disable heap dumps for the Local Machine, first disable it for EnCase, then restart EnCase.

Message: Processor Node cannot write to evidence cache folder.
Explanation: A job displays this status if it was submitted to a remote processing node for processing but the processing node does not have write access to the case's network-shared evidence cache folder.

Message: You cannot rename a Processor Node to [reserved name].
Explanation: This message is displayed if you try to rename a processing node to either "Local Machine" or "Next Available." These are reserved names used by EnCase.

Message: Processing crossover preview is not supported. Must acquire and process.
Explanation: This job status is displayed if you try to process a crossover preview.
Show Logging
The Show Logging option on the Debug tab of the Options dialog enables you to view log
messages for various operations.
• EnCase Forensic takes a best effort approach to processing evidence, so it may be common for output logs to record anomalies that are common to evidence processing.
l The evidence processing task duration may not match the task completion time because
this value is not known until the entire evidence file is processed.
5. Select one of these checkbox options from the Log Message Destinations area:
  ◦ Display in debug output
  ◦ Display in console
  ◦ Write to file
6. Click OK. Messages showing Processor Manager activity are sent to your chosen Log Message Destination.
• Process
• Acquire, or
• Acquire and Process
If you choose Process, the EnCase Processor Options dialog is displayed with the preview listed
as the Current Item choice in the What to Process section of the dialog. If you choose Acquire
or Acquire and Process, the Acquire Device dialog is displayed instead and shows the
information for the preview.
Preview evidence can only be processed by the Local Machine processor node; therefore, Local Machine must be present in your processor node list to process previews. Some types of live
previews have additional restrictions or require user actions before they can be acquired or
processed. The section below discusses each type of preview and what restrictions apply, if
any.
Crossover Previews
Processing of crossover previews is not supported. You must first acquire the crossover
preview to an evidence file and then process the evidence file.
CHAPTER 7
BROWSING AND VIEWING EVIDENCE
Overview 241
Conditions 264
Overview
This chapter provides an overview of the EnCase interface and describes the ways you can browse and view collected evidence.
After creating a case and adding evidence, you can browse and manipulate your views of the evidence in a wide variety of ways. The interface is divided into three panes:
l Tree pane
l Table pane
l View pane
Selections in the Tree pane affect the Table pane. Selections in the Table pane affect the View
pane.
l See Navigating the Tree Pane on page 243 for more information about the Tree pane.
l See Navigating the Table Pane on page 244 for more information about the Table pane.
You can change the way the panes of the screen are configured with the Split Mode button:
The Tree-Table view shows the Tree pane on the left, the Table pane on the right, and
the View pane on the bottom. This is the traditional EnCase entries view.
The Traeble view combines the Tree and Table panes on the top, and retains the View
pane on the bottom. The view provides the ability to browse the folder structure in the
Name column.
The Tree view displays the Tree pane on the left and the View pane on the right. There is
no Table view. This is the suggested view for looking at email artifacts.
EnCase uses three methods to focus on specific files or folders. These methods have different purposes:
Blue checks persist within a case. Blue checks are case specific and remain persistent in the
same tab where they were created.
l Navigating from Evidence view to Entry view or from Entry view to Evidence view.
l Navigating from Entry view to Record view (for example, viewing file structure on an
entry).
l Navigating from Entry view to Results view.
l Navigating from Results to Entry (within the same tab).
By default, blue checks do not persist if you end your session in EnCase.
An option in the Tools > Options menu gives you the choice to allow blue checks to persist
after closing a case or exiting EnCase. This affects performance--it may take longer to open a
case if you select this--depending on how many blue checks are active when you close the
case.
See Working with Columns on page 247 for information on column management.
The Table pane includes columns with information about the displayed entries.
l VFS Name displays the name for files mounted with the EnCase Virtual File System (VFS)
module in Windows Explorer. This replaces the Unique Name column in previous versions
of EnCase.
l Original Path displays information derived from data in the Recycle Bin. This column shows where files in the Recycle Bin originated when they were deleted. For deleted/overwritten files, this column shows the file that overwrote the original.
l Symbolic Link displays data equivalent to a Windows Shortcut in Linux and UNIX.
l Is Duplicate displays True (Yes) if the file is a duplicate of another.
l Is Internal indicates if the file is an internal system file, such as the $MFT on an NTFS
volume.
l Is Overwritten indicates whether the first cluster (or more) of an entry was overwritten by a subsequent object.
l Application is the application used to create the evidence file: EnCase, Agent, WinEn, or
WinAcq.
l EnCase Version is the version of the application used to create the evidence file.
Timeline view options allow you to see data in ranges of weeks, days, hours, and minutes. The
maximum number of weeks displayed is 104. The maximum number of minutes displayed is
1440.
To sort by a column, double click the column heading. To institute a subsort, hold down the
Shift key and double click the column heading. You can sort columns up to five layers deep.
You can lock columns on the left side of the Table pane so they remain visible when scrolling
horizontally.
l To lock a column, click anywhere in the column and select Column > Set Lock from the
arrow dropdown menu on the right of the Table pane. The selected column and all
columns to its left are now locked.
l If columns are rearranged, all columns to the left of that position remain locked.
l To release the lock, click anywhere in the column and select Column > Unlock from the
arrow dropdown menu on the right of the Table pane.
You can enable or disable individual columns by selecting Column > Show Columns from the
arrow dropdown menu on the right side of the Table pane.
The list below shows additional columns available in the Search Results and Bookmark column
views. You can sort these columns like any other columns in EnCase. You must enable these
columns to include them in a view.
l Received (the time an email was received as identified by the email application)
l Sent (the time an email was sent as identified by the email application)
l Description (File, Archive, etc.)
l Action URL
l Icon URL
l Requesting URL
l URL Host
l URL Host Name
l URL Name
l True Path
l Item Path
l Symbolic Link
l Entry Modified
l Has Attachments
Click the hamburger menu icon at the far right of the table, then select Change Table Options.
From the dialog, select the display density you prefer. There are two options: compact and
comfort.
Select Show vertical gridlines to add more visual structure to the table.
By default, EnCase uses the appropriate viewer for each item selected whenever possible. To
keep the tabs from switching for different data types, click the Lock checkbox on the top right
of the View pane to lock the view to that tab.
The lower View pane provides several ways to view file content:
l The Fields tab displays all information available regarding an item. All fields shown on this
tab are indexed.
l The Report tab provides a readable, formatted view of metadata. This is the preferred
view for email.
l The Text tab displays files in ASCII or Unicode text.
o You can modify how text in this tab is displayed. See Changing Text Styles on
page 250.
o When viewing search results, select Compressed View in the Text tab to see only
lines with raw keyword search hits.
o Use the Previous/Next Hit buttons to move through hits in the file. If there are
no more hits in the file, the next item opens and the first hit is found.
l The Doc tab provides native views of formats supported by Oracle Outside In technology.
l The Transcript tab displays the same formats as the Doc tab, but filters out formatting,
allowing you to view files that cannot display effectively in the Text tab.
o The Transcript tab displays the extracted text from the file.
o When viewing search results, select Compressed View to see only lines with
index query hits.
o Use the Previous/Next Hit buttons to move through hits within the file. If there
are no more hits in the file, the next item opens and the first hit is found.
l The Picture tab displays graphics files. If the highlighted file in the Table pane is an image
that can be decoded internally, EnCase lets you select the Picture view in the View pane
and displays the image.
l File extents shows sector information about the selected file. This works on entry evidence only.
l The Permissions tab displays security permissions for a file, including the name and security identifier (SID) of the user(s) who have permission to read, write, and execute a file.
l Hash sets shows hash information for entry evidence only.
If you encounter a file type that EnCase does not have built-in capabilities to display, you can
add an external viewer for that file type.
1. From the Evidence tab, right-click on an evidence item and select Open with > File Viewers. The Edit File Viewers list is displayed.
2. Click New. The New File Viewer dialog is displayed.
3. Click OK. The new file viewer is displayed in the Edit File Viewers list for you to use as
needed.
1. Click New to create a new text style. The New Text Style dialog is displayed.
o Unicode specifies little-endian Unicode. If you use UTF-7 or UTF-8, select Other, not
Unicode.
o Unicode Big-Endian specifies big-endian Unicode.
o Other lets you select from the Code Page list.
o Code Page contains a list of supported code pages.
3. Click OK to save the new text style and return to the Edit Text Styles dialog.
4. Click OK to make the new style available. The new text style is now applied to the Text tab
in the View pane.
1. On the Evidence tab, select View > File Types. The File Types tab is displayed.
2. Double-click the file type you want to associate the new viewer with.
3. The Edit File type dialog is displayed.
o The Viewer area contains options for selecting the type of viewer to use:
Click EnCase to associate the built-in EnCase viewer with the file type you
define.
Click Windows to associate Windows with the file type you define.
Click Installed Viewer to associate an installed viewer with a file type. Use the
installed viewers tree to select the specific viewer.
o The Installed viewers tree lists the file viewers currently known to EnCase.
4. Click OK. All files of this file type are now associated with the selected file viewer.
1. On the Text or Hex tabs in the View pane, select the bytes you want to decode.
2. Click the Decode tab in the lower right pane and select from the list of decoding options.
3. View the decoded interpretations of your evidence:
l The Quick View decoder enables you to view common decode interpretations in
one screen.
o When populating the Quick View table, all bytes required to successfully
interpret the data are read.
o For example, if one byte is selected, and four bytes are required to decode a
32-bit integer, Quick View looks at the next three bytes to provide the
decoded interpretations.
l The View Types list displays specific decoded values, organized in a tree structure.
o With the exception of pictures, when viewing by Type, only the selected
bytes are interpreted.
o For example, if one byte is selected, and four bytes are required to decode a
32-bit integer, a decoded interpretation is not available.
o EnCase Forensic attempts to decode pictures from the selected starting
byte. The bytes for the entire picture do not need to be selected.
To return the View pane to the main window, close the View pane window.
Using Views/Tabs
The View menu provides a variety of views of your information.
3. To change the color of the text, right-click the Foreground color and select the new color from the dropdown menu. If the color you want is not an option, double click the foreground color and select from the color palette.
4. To change the background color, right-click the Background color and select the new
color from the dropdown menu. If the color you want is not an option, double click the
foreground color and select from the color palette.
5. Click OK.
Evidence is information you can view and process in EnCase from a variety of sources:
EnCase parses these files as they come in. Each file is displayed as a device on the interface. All
parsed data from a device is stored in a device cache so it does not need to be reloaded each
time it is viewed.
The Evidence tab table view shows the evidence currently loaded into your case. Notice that
when you are viewing a list of evidence the View button is displayed as View: Evidence.
Click any one of these pieces of evidence to open it more fully. Notice that when you are
viewing an expanded view of an entry, the View button is displayed as View: Entries.
Click the View button to move between the top level list of devices or see an expanded view of
specific evidence:
If you want to see all the evidence expanded into the same entry screen, go to the top level list
of devices, select all the evidence files you want to see, and click Open from the menu:
The display changes to show the expanded view of all selected evidence entries.
The status bar at the bottom of the screen displays the full path of the highlighted item. This
can be useful when documenting the location of evidence found in unallocated space. If a
deleted/overwritten file is highlighted, it indicates the overwriting file.
Specific sector, cluster, and file information is presented in parentheses after the file path of
the selected item.
Abbreviation Definition
PS physical sector number
CL cluster number
The status of any processing activity displays in the lower right of the status bar.
Disk view is available from the Entry view of the Evidence tab. To open Disk view, select Disk
View from the Device menu.
l The file selected in the table is highlighted in Disk view as dark blue squares.
l Allocated sectors display in light blue.
l Unallocated sectors display in gray.
Select Auto Extents to automatically highlight all the remaining extents that make up the file
associated with the selected sector. If Auto Extents is off, double click a sector to show the
remaining associated extents.
1. In the Evidence tab toolbar, click Change Caches. The Change Caches dialog is displayed.
2. To use the base Case folder for the primary evidence cache, select the corresponding
checkbox.
3. To change the location of the primary evidence cache, click the Primary evidence cache
ellipsis button, browse to the new location, and click OK.
4. To add a secondary evidence cache location, click the Secondary evidence cache ellipsis
button, browse to the new location, and click OK.
5. Click Next. The Evidence Cache Preview dialog is displayed. Status is listed for each evidence cache:
o Ready (Primary) means the new path contains a cache in the primary cache.
o Ready (Secondary) means the new path contains a cache in the secondary cache.
o Missing means the old location had a cache, but neither the primary nor secondary
locations have a cache for the evidence.
o None means there never was a cache for this device.
6. Click Finish. If any evidence items have a status of missing, a message is displayed informing you that a new evidence cache will be created for the missing evidence items. To proceed, click Yes.
All artifacts available in the case can be seen in the root of the Artifacts tab. Click View > Artifacts to browse this list. These artifacts are grouped by evidence file, then by type. Click the blue link to open a single artifact. To open multiple artifacts in one view, blue-check the artifacts and click Open in the toolbar.
You can also access artifacts from the Entries view. Entries that you can expand and view in the
Artifacts tab display as blue links marked with a green plus sign in the Entries view.
If an entry does not display as a blue link, select it and click View File Structure from the
Entries dropdown menu. The View File Structure command automatically expands, or
mounts, the file. After initially mounting the file, you can see the expanded data in the
Artifacts tab as well.
Depending on the currently selected tab, different types of filters are available. For example,
the filters available for search hits are different from those available for entries.
Both filters and conditions work the same way in terms of how they affect the items in the
Table pane.
1. From the lower right pane, open the Filter tab. The preconfigured filters are in the Default
folder.
2. Double-click the filter you want, then click Open. A Run Filter dialog is displayed.
4. Click OK to run the filter. Depending on which filter you selected, additional dialogs may
display. When a filter is running, the name of that filter shows in the lower right of the
status bar. When complete, the results display in the specified result location.
Creating a Filter
In addition to using the filters already provided, you can create your own filters.
Note: You need a working knowledge of EnScript to make a new filter. If you do not
have this working knowledge, you may be able to create a condition to perform the
same function.
1. From the Filter tab, select New from the toolbar. The New Filter dialog is displayed.
2. Enter a new name for the filter, if desired.
3. Click OK. The New Filter tab is displayed, showing a source editor.
4. Enter EnScript code as required to accomplish your task. The newly created filter is displayed at the bottom of the filters list.
Editing a Filter
To change an existing filter's behavior, edit it.
1. Open the Filter tab in the lower right pane. A list of all customized and preconfigured filters is displayed. You may only edit customized filters.
2. Select the filter you want to edit and click Edit. The source code opens in a Filter tab.
3. Edit the code as needed.
To change the name of an existing filter, right-click the filter in the Filter tab and click Rename.
You may only edit customized filters. To edit a preconfigured filter, it must first be copied to
the User folder. Drag the filter to the desired folder while holding the control key or drag using
the right mouse button to make a copy. The copy may then be edited.
Note: Preconfigured filters cannot be edited because they may be updated by future
versions of EnCase.
Deleting a Filter
Default filters are read-only and you cannot modify or delete them. However, you can delete
any custom filter you created.
Sharing Filters
You can share your own filters, and use filters created by other EnCase users.
1. Open the Filter tab in the lower right pane. A list of all customized and preconfigured filters is displayed.
2. Right-click the filter you want to export, then click Browse. A Windows Explorer window
opens.
3. Copy the appropriate filter.
4. Navigate to the place where you want to store the file and click Paste.
5. To import a filter created by someone else, use Browse to view the User folder in
Explorer, and place the new filter in that folder.
Conditions
Conditions are compilations of search terms that instruct EnCase to find certain data based on
a certain property of information.
Conditions are similar to filters in that they display only those entries matching a specific set of
criteria in the Table pane. Both conditions and filters are EnScript code that performs a filtering
process on your data.
The difference between filters and conditions is that creating a condition does not require that
you can program in EnScript. Through a special interface you can create them without coding
directly in EnScript.
Once you create a condition, you can run it on any evidence in the case.
1. From the lower right pane, open the Condition tab. The preconfigured conditions are in
the Default folder.
2. Double-click the condition you want to display the Run Condition dialog.
4. Click OK to run the condition. Depending on which condition you selected, additional dialogs may display. When a condition is running, the name of that condition shows in the lower right of the status bar. When complete, the results display in the specified result location.
For any condition using a literal comparison (such as Matches), make sure
there are no spaces at the end of any value string.
4. When you finish, click OK to close the New Term dialog. The new condition is displayed in
the Edit condition dialog.
5. Repeat for as many conditions as you need. As you accumulate conditions, make sure
they display in the correct hierarchical order for greatest efficiency.
o When you run the condition, the terms are evaluated in the order in which they display.
o Conditions work from the top to the bottom, so the sequence in the condition tree
directly affects how well the condition works. To be most effective, for example,
place an extension search for all .docx files before a keyword search. This saves processing time by not looking for keywords in files that may not even contain text.
Folders operate much like parentheses in mathematical problems, in that the
folder allows its contents to be grouped together based upon the logic.
Logic operators operate on the folder where they display and do not impact
the folders above or below them.
o To nest terms, right-click the parent condition folder in the tree and choose New
Folder. Place the nested terms inside the parent folder.
o To toggle the AND/OR logic within the condition, right-click the term and select
Change Logic. This changes the AND operator to an OR, and vice versa.
o To negate the logic of a term, right-click the term and select Not.
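The evaluation rules above (terms run top to bottom, folders acting as parentheses, Change Logic and Not) as an added Python model; this is illustrative code written for this guide, not EnScript or any EnCase implementation, and the sample entries and term labels are my own constructions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Union

# Constructed sample entries (not from the guide). "text" stands in for the
# content a keyword term would have to scan.
ENTRIES = [
    {"name": "report.docx", "text": "quarterly invoice summary"},
    {"name": "photo.jpg",   "text": ""},
    {"name": "notes.docx",  "text": "meeting agenda"},
    {"name": "invoice.pdf", "text": "invoice 4471 due"},
]


@dataclass
class Term:
    """One term in the condition tree; 'negated' corresponds to the Not menu item."""
    label: str
    test: Callable[[dict], bool]
    negated: bool = False
    evaluations: int = 0   # how many entries this term was actually run against

    def matches(self, entry):
        self.evaluations += 1
        hit = self.test(entry)
        return (not hit) if self.negated else hit


@dataclass
class Folder:
    """A folder groups terms like parentheses; its logic applies only to its own children."""
    label: str
    logic: str = "AND"     # Change Logic toggles this between AND and OR
    children: List[Union[Term, "Folder"]] = field(default_factory=list)
    negated: bool = False

    def matches(self, entry):
        # Children are evaluated top to bottom. all() stops at the first False and
        # any() at the first True, so a cheap term placed first spares a costly one.
        if self.logic == "AND":
            hit = all(child.matches(entry) for child in self.children)
        else:
            hit = any(child.matches(entry) for child in self.children)
        return (not hit) if self.negated else hit


def extension_term(ext):
    return Term(f"extension is {ext}", lambda e: e["name"].lower().endswith(ext))


def keyword_term(word):
    # Stands in for the expensive step: scanning the entry's content.
    return Term(f"contains {word}", lambda e: word in e["text"].lower())


def run_condition(root, entries):
    """Return the names of the entries the condition selects, in table order."""
    return [e["name"] for e in entries if root.matches(e)]


def docx_invoices(extension_first):
    """'.docx AND invoice' with the terms in either order; returns (names, keyword term)."""
    kw = keyword_term("invoice")
    terms = [extension_term(".docx"), kw] if extension_first else [kw, extension_term(".docx")]
    root = Folder("docx invoices", "AND", terms)
    return run_condition(root, ENTRIES), kw


def document_invoices_not_summary():
    """Nested folder: (docx OR pdf) AND invoice AND NOT summary."""
    kinds = Folder("document kinds", "OR", [extension_term(".docx"), extension_term(".pdf")])
    root = Folder("invoices", "AND", [
        kinds,
        keyword_term("invoice"),
        Term("not summary", lambda e: "summary" in e["text"].lower(), negated=True),
    ])
    return run_condition(root, ENTRIES)


if __name__ == "__main__":
    for first in (True, False):
        names, kw = docx_invoices(first)
        print(f"extension first={first}: {names}, keyword term ran {kw.evaluations} times")
    print(document_invoices_not_summary())
```

Both orderings select the same entry, but with the extension term first the keyword term runs only against the two .docx entries instead of all four.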
Editing Conditions
1. Right-click the condition you wish to edit and select Edit from the menu.
2. The Condition dialog is displayed.
3. Edit the condition as needed.
To change the name of an existing condition, right-click the condition in the Condition tab and
click Rename.
You can only edit customized conditions. To edit a preconfigured condition, first copy it to the User folder. Drag the condition to the desired folder while holding the control key or drag using the right mouse button to make a copy. You can then edit the copy.
Note: You cannot edit preconfigured conditions because they may be updated by future versions of EnCase.
Sharing Conditions
You can share your own conditions, and use conditions created by other EnCase users.
1. Open the Condition tab in the lower right pane. A list of all customized and preconfigured conditions is displayed.
2. Right-click the condition you want to export, then click Browse. A Windows Explorer window opens.
3. Copy the appropriate condition.
4. Navigate to the place where you want to store the file and click Paste.
5. To import a condition created by someone else, use Browse to view the User folder in
Explorer, and place the new condition in that folder.
Printing a Condition
The Report tab in the Condition dialog provides a plain text version of the condition. To print
or export this report, right-click in this tab and select Save As. The export dialog provides a
variety of options for saving the report.
l To browse through Internet artifacts, expand an Internet node in the Tree pane of the
Artifacts tab. The Browser node contains the various Internet items. Use the Fields tab in
the lower pane to view the most information.
l To browse through Archives, expand the Archives node in the Tree pane of the Artifacts
tab and browse through the various Archive items in the Table pane. Use the Fields tab in
the lower pane to view the most information.
l To view all the results of the modules used for processing evidence, expand the Evidence Processor Modules node in the Tree pane of the Artifacts tab and browse through the various items. Use the Fields tab in the lower pane to view the most information.
l To view mobile device data, open the evidence file in either the Artifacts or Evidence tab.
The EnCase Mobile Investigator is the best way to view all mobile device information.
In the table pane, select the item you want to research and click Go To File. The view changes
to display the device where the entry is located. If you select an email attachment, you are
taken into the email file, with the email message containing the attachment selected.
If an item resides in a top level device, the file structure may not display any changes when you
click the Go To File button, because there are no additional levels above the top level.
3. Select the evidence you want time zone information for, enter a bookmark folder name
or accept the default name, then click OK.
4. The Registry Values with Time Zone Information dialog is displayed.
5. In the left pane, click an item in the tree to see detailed time zone information in the right
pane.
6. Read the instructions in the dialog if you want to modify time zone settings. Click OK to
create a bookmark for each time zone entry.
1. From the Evidence or Artifacts tabs, right-click the item you want to research, then click
Find Related.
2. Select whether you want to find related by name or by time.
o An appropriate dialog is displayed depending on what you select.
o If you are finding related information by name, a search dialog is displayed with
index, tag, and keyword options.
3. Click Save & Run to run the query. When you finish, the results display in the Results tab,
under the name of the query.
Browsing Images
The Gallery view of the Evidence or Artifacts tab provides a quick and easy way to view
images. This view is best used when viewing your evidence in a Tree-Table.
By default, images in Gallery view are sorted by extension. You can view image files with
incorrect extensions after they are processed using the Evidence Processor.
You can access all images within a highlighted folder, highlighted volume, or the entire case. If
a folder is highlighted in the Tree pane, all files in the folder display in the Table pane. Click a
folder's Set Include to select all files in that folder and files in any of its subfolders. Once
selected on the Table pane, any images in the selected files display in Gallery view.
l To reduce the number of images displayed in a row in Gallery view, right-click any image,
then click Fewer Columns.
l To increase the number of images displayed per row in Gallery view, right-click any image,
then click More Columns.
l To bookmark images in Gallery view, right-click the image and select the type of bookmark to assign to it.
l To view ownership permissions for an image, select the image and click the Permissions
tab in the lower pane.
By default, Gallery view displays files based on their file extension. For example, if a .jpg file is
renamed to .dll, it does not display in Gallery view until you run a Signature Analysis. Once the
signature analysis recognizes the file was renamed and that the file is actually an image, it is
displayed in Gallery view.
EnCase includes built-in crash protection, which prevents corrupted graphic images from
displaying in Gallery view. The timeout defaults to 12 seconds for the thread trying to read a
corrupt image file. You can modify the timeout on the Global tab of the Options dialog.
Corrupt images are tracked in the Case file so they are recognized as corrupt the next time they are accessed.
If the cache becomes full you can clear it: select the arrow dropdown menu in Evidence view
and select Clear invalid image cache.
When viewing images in the Gallery tab, click a thumbnail image to see its location in the
navigation trail at the bottom of the screen. To go to the location of the image, select the
thumbnail and click Go to file.
To tag or bookmark the image, select the thumbnail and tag or bookmark as required.
Viewing Evidence
We recommend using processed data for rapid searching and viewing of data within your case.
However, there are many ways to view, filter, and find unprocessed data.
From the File Types tab, you can add, delete, and disable file types.
l To delete a custom file type, select it in the File Types tab and click Delete.
l You cannot delete default and shared files types.
l Checking Disable causes that file type to be ignored.
1. From the View menu, select File Types. The File Types tab is displayed.
2. Click New. The New File Type dialog is displayed.
o The Viewer area contains options for selecting the type of viewer to use:
Click EnCase to associate the built-in EnCase viewer with the file type you
define.
Click Windows to associate Windows with the file type you define.
Click Installed Viewer to associate an installed viewer with a file type. Use the
installed viewers tree to select the specific viewer.
The Installed viewers tree lists the file viewers currently known to EnCase.
3. Use the Header and Footer tabs to specify the header and footer code defining this file
type.
o The header code is the definitive identifier of the type of file. Use it when comparing
against the file extension in a signature analysis.
o Use the footer code to identify the end of the file.
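The header/footer comparison described above, and the Gallery view case earlier in this chapter where a .jpg renamed to .dll only appears after a Signature Analysis, as an added Python example: this is illustrative code written for this guide, not EnCase's own signature table or analysis, and the file type table, status labels and sample files are my own constructions.

```python
# Constructed file type table (illustrative, not EnCase's own): extensions that are
# aliases of one another, the header bytes that define the type and, where a type
# has one, the footer bytes that mark the end of the file.
FILE_TYPES = {
    "JPEG": {"extensions": {"jpg", "jpeg"}, "header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "PNG":  {"extensions": {"png"}, "header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xae\x42\x60\x82"},
    "PDF":  {"extensions": {"pdf"}, "header": b"%PDF-", "footer": b"%%EOF"},
    "ZIP":  {"extensions": {"zip", "docx"}, "header": b"PK\x03\x04", "footer": None},
}
IMAGE_TYPES = {"JPEG", "PNG"}


def extension_of(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def type_by_extension(ext):
    return next((t for t, ft in FILE_TYPES.items() if ext in ft["extensions"]), None)


def type_by_header(data):
    return next((t for t, ft in FILE_TYPES.items() if data.startswith(ft["header"])), None)


def footer_intact(data, type_name):
    """True when the type defines no footer or the data ends with it (ignoring trailing newlines)."""
    footer = FILE_TYPES[type_name]["footer"]
    return footer is None or data.rstrip(b"\r\n").endswith(footer)


def analyze(name, data):
    """Compare what the extension claims with what the header shows.

    Status labels are my own, not EnCase's:
      match          extension and header agree
      mismatch       header identifies a known type, but the extension is not one of its aliases
      bad signature  extension is in the table, but the header matches no known type
      unknown        neither the extension nor the header is in the table
    """
    ext = extension_of(name)
    by_ext, by_hdr = type_by_extension(ext), type_by_header(data)
    if by_hdr and ext in FILE_TYPES[by_hdr]["extensions"]:
        status = "match"
    elif by_hdr:
        status = "mismatch"
    elif by_ext:
        status = "bad signature"
    else:
        status = "unknown"
    true_type = by_hdr or by_ext
    return {
        "name": name,
        "extension_type": by_ext,
        "header_type": by_hdr,
        "status": status,
        "footer_intact": footer_intact(data, true_type) if true_type else None,
    }


def gallery_candidates(files, after_signature_analysis):
    """Names a gallery would show: by extension alone, or by header once files are analysed."""
    shown = []
    for name, data in files:
        kind = type_by_header(data) if after_signature_analysis else type_by_extension(extension_of(name))
        if kind in IMAGE_TYPES:
            shown.append(name)
    return shown


# Constructed sample files (not real evidence).
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16 + b"\xff\xd9"
SAMPLES = [
    ("photo.jpg", JPEG_BYTES),                          # JPEG with the right extension
    ("photo.dll", JPEG_BYTES),                          # the same JPEG renamed to .dll
    ("fake.jpg", b"MZ\x90\x00" + b"\x00" * 28),         # .jpg extension, header is not a JPEG
    ("cut.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),   # PNG header, IEND footer missing
    ("doc.pdf", b"%PDF-1.7\n1 0 obj\nendobj\n%%EOF\n"),
    ("blob.bin", b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(analyze(name, data))
    print("by extension:", gallery_candidates(SAMPLES, after_signature_analysis=False))
    print("after analysis:", gallery_candidates(SAMPLES, after_signature_analysis=True))
```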
The Artifacts tab lists all mounted volumes and results from the Evidence Processor or other
activities. Therefore, Artifacts view can display multiple types of data:
EnCase supports viewing only one artifact type at a time. If more than one type is found in the
selected artifacts, the Open Item dialog is displayed, enabling you to choose the artifact type
you want to view. The default is Entries.
Note: In the Open Item dialog, only the radio buttons for the found artifact types are
enabled.
l By processing an evidence file, in which case any unencrypted 7-Zip files within are parsed
automatically
l By viewing individual 7-Zip files manually
1. Right-click the 7-Zip file you want to see. In the dropdown menu, click Entries > View File
Structure.
2. EnCase parses the file and you can view its contents.
Note: If the file is protected or encrypted, a dialog displays asking for the password.
Macintosh Artifacts
EnCase Forensic supports a number of artifacts specific to the Macintosh environment.
Note: While loading existing evidence files that have HFS+ volumes in them, you
may notice that the values for Unique Offset changed for some entries. This is
expected behavior, caused by refinements in the offset computing algorithm. Unique
offsets still remain unique within the given device.
l Internal: The attribute size is less than 3802 bytes, and HFS+ stores the attribute inline
(that is, in the same storage place as its name and size).
l External: The attribute size is greater than 3802 bytes, and HFS+ stores the attribute as a separate data fork.
INTERNAL ATTRIBUTES
Most internal attributes are UTF-8 strings, while others are binary .plists or binary integers.
EnCase attempts to convert values to strings whenever possible; if that is not possible, EnCase
displays a hexadecimal representation of the data.
EXTERNAL ATTRIBUTES
External attributes are larger than 3802 bytes and have their own extents. For that reason, it is
impractical to display them as strings. Instead, EnCase displays them as additional streams of
the file they belong to. The file name is concatenated with the attribute name, separated by a
middle dot (∙) character.
EnCase recognizes directory hard links and displays them with an icon that is a combination of
a directory and a link. If more than one link points to the same file, these "sibling" links display
in the Attributes tab of the View pane.
To go to the real directory a link points to, right-click the link and click Entries > Go to Linked
File in the dropdown menu. The directory displays in the Fields tab of the View pane, with the
name Original Path.
FINDER DATA
Finder data is an integral part of the HFS+ file system. This information resides in the catalog
file, along with the file name, size, creation date, etc.
These are saved in the Finder Info Flags field, which EnCase decodes and is displayed in the
Attributes tab of the View pane.
When EnCase displays Finder information, it decodes known flags and, if the background color
of a file or folder was altered, EnCase also decodes the color:
.DS_STORE
The .DS_Store file is created inside a directory only when a Mac OS X user visits the directory
using Finder. This means a directory may or may not have the .DS_Store file.
If a .DS_Store file exists, EnCase processes it on the fly when you select the Attributes tab in
the View pane. It usually contains information about how to display items in Finder, the items'
locations in the Finder window, etc.
The .DS_Store tags are internal and therefore undocumented, but you can deduce what
some of them mean. For example, in the screenshot above:
• Iloc is the location information, 0x263 and 0x81 being the X and Y coordinates of the item.
• logS is the logical size of the item.
• modD and moDD are modification time stamps.
• phyS is the physical size of the item.
If you are looking for a specific tag, EnCase provides that information.
IMMUTABLE PERMISSIONS
EnCase displays Mac files where permission is locked as Immutable.
• User
• Group
• Other
If a file or folder has an Access Control List assigned to it, EnCase uses the UUID associated with
users and groups, instead of the user ID or group ID.
In the image above, EnCase displays the root [System Administrator] ID as 0, the staff [root] ID
as 20.
OS X DIRECTORY SERVICES
The Directory Services component of Mac OS X stores information about users and groups in a
set of *.plist files, with one file per user or group. EnCase displays these in the Table tab of the
Table pane. The paths to the file locations display in the Fields tab of the View pane.
• DMG
• Sparse Image
• Sparse Bundle
DMG
DMG is an Apple media file format (.dmg). Software distributed as an Internet download
commonly uses DMG as its packaging format. Characteristics of the DMG format include:
• Single file.
• Preallocated space. Even if the DMG does not contain any data, it still has the same size
as if it were full of files.
• Supports various file systems, including HFS+ and FAT. The type of file system put onto
the DMG alters its format (XML metadata for HFS+, raw data for FAT). EnCase has different
code paths to handle both.
• Can be encrypted via Apple FileVault.
Sparse Image
Macintosh OS X uses the Sparse Image media format to encrypt user home directories.
Characteristics of the Sparse Image format include:
• Single file.
• Space is allocated in 1 MB chunks on demand, as the image data grows.
• Can be encrypted via Apple FileVault.
Sparse Bundle
Sparse Bundle is designed for efficient backups via the Apple Time Machine backup solution.
Characteristics of the Sparse Bundle media format include:
D:\Research\Mac\sparsebundle>tree /F /A sb200m.sparsebundle
D:\RESEARCH\MAC\SPARSEBUNDLE\SB200M.SPARSEBUNDLE
| Info.bckup
| Info.plist
| token
|
\---bands
0
10
18
2
c
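As an added example (not EnCase code, and not Apple's), the following Python builds a constructed sparse bundle with the same layout as the tree listing above and flattens its bands back into a single image, which is what any tool must do before the file system inside can be parsed. It assumes the usual bundle conventions: an Info.plist carrying the band-size and size keys, and band files named by their band index in hexadecimal.

```python
import os
import plistlib
import tempfile

# Constructed example, not EnCase code. The band size is kept tiny so the
# sample is quick to build; real bundles commonly use 8 MiB bands.
BAND_SIZE = 1024


def make_sample_bundle(root: str) -> str:
    """Create a constructed sparse bundle in which only bands 0, 2 and 0x10 exist."""
    bundle = os.path.join(root, "sb.sparsebundle")
    os.makedirs(os.path.join(bundle, "bands"))
    total_size = 0x11 * BAND_SIZE  # 17 bands of address space, mostly never written
    info = {  # assumed Info.plist keys, matching the common sparse bundle layout
        "CFBundleInfoDictionaryVersion": "6.0",
        "band-size": BAND_SIZE,
        "bundle-backingstore-version": 1,
        "diskimage-bundle-type": "com.apple.diskimage.sparsebundle",
        "size": total_size,
    }
    with open(os.path.join(bundle, "Info.plist"), "wb") as fp:
        plistlib.dump(info, fp)
    # Band files are named by band index in lowercase hex (0, 2, 10 ...). A band
    # may be shorter than band-size when only its beginning was ever written.
    bands = {"0": b"A" * BAND_SIZE, "2": b"C" * BAND_SIZE, "10": b"P" * 100}
    for name, data in bands.items():
        with open(os.path.join(bundle, "bands", name), "wb") as fp:
            fp.write(data)
    return bundle


def assemble_sparsebundle(bundle: str) -> bytes:
    """Return the flat image: each band at index * band-size, gaps zero-filled."""
    with open(os.path.join(bundle, "Info.plist"), "rb") as fp:
        info = plistlib.load(fp)
    band_size = int(info["band-size"])
    image = bytearray(int(info["size"]))  # unallocated bands read as zeros
    bands_dir = os.path.join(bundle, "bands")
    for name in os.listdir(bands_dir):
        index = int(name, 16)  # hex band number
        with open(os.path.join(bands_dir, name), "rb") as fp:
            data = fp.read()
        if len(data) > band_size:
            raise ValueError(f"band {name} is larger than band-size")
        start = index * band_size
        if start + len(data) > len(image):
            raise ValueError(f"band {name} lies outside the declared image size")
        image[start:start + len(data)] = data
    return bytes(image)


def demo() -> dict:
    """Build the constructed bundle, reassemble it and report where the data landed."""
    with tempfile.TemporaryDirectory() as tmp:
        image = assemble_sparsebundle(make_sample_bundle(tmp))
    return {
        "size": len(image),
        "band0": image[:4],
        "band1_is_zero": image[BAND_SIZE:2 * BAND_SIZE] == bytes(BAND_SIZE),
        "band2": image[2 * BAND_SIZE:2 * BAND_SIZE + 4],
        "band16_tail_is_zero": image[0x10 * BAND_SIZE + 100:] == bytes(BAND_SIZE - 100),
    }


if __name__ == "__main__":
    print(demo())
```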
Encrypting Media
All three types of media (DMG, Sparse Image, and Sparse Bundle) can be encrypted via either
AES-128 or AES-256. EnCase currently supports images encrypted with AES-128 only.
Apple uses its proprietary encryption scheme, FileVault, to encrypt the media.
1. Open a case.
2. Drag and drop the container (for example, a DMG file) to EnCase. EnCase displays the file
in the Evidence tab.
EnCase supports other types of containers and encryption (if you have a valid password).
The easiest way to process evidence is to run it through the Evidence Processor.
Once evidence is processed, it can be opened and viewed in ways not possible before the
parsing and expanding processes are performed.
To process evidence with the media analysis module, see Analyzing Images on page 174.
5. Select the All Categories checkbox to apply a confidence level threshold filter for all
categories, or select the checkboxes for one or more individual categories to apply the
filter to those categories.
6. To change the confidence level of a category, double-click the Confidence Level of the
category and change the value in the dialog box that is displayed. Click OK to accept the
value.
7. Click OK to create the filter.
The selected images are filtered by the selected confidence level or levels.
The table displays filenames for all selected images, followed by the pre-defined media analysis
categories. Each image category contains a number ranging between 0.00 and 100.00 that
corresponds to the confidence level that the image falls into that category. The Media Analyzer
View table can be used with the Media Analyzer filter to display the results of the applied filter
if you choose.
Results can be exported by clicking the Options icon, selecting Save as, and saving results.
Note: The Media Analyzer Viewer table displays only supported image formats.
Files in unsupported image formats and files that are not images are skipped.
To see the file structure of a compound file (manually mount), click that file and select View
File Structure. You can also run the file through the Evidence Processor. That process creates
an evidence file you can click to open or view in the Artifacts tab.
• Registry files
• OLE files
• Compressed files
• Lotus Notes files
• MS Exchange files
• Exchange Server Synchronization
When an EDB file is dirty, you can run several tests on it to determine whether the files are
merely out of sync, or are in fact corrupt and unusable. Before running these tests, acquire the
EDB database, including the entire bin and mdbdata folders. Make sure all codepages are
installed on your computer.
◦ Note that the three-character log file base name represents the first log file.
◦ Files are sequentially named, with E##.log being the first log file.
◦ Click Yes to run the repair.
4. Run a check (step 2) on the resulting EDB file. If the file is still in an inconsistent state,
attempt to repair the EDB file. This may result in the loss of some data currently in the
.log files. Run the repair as follows:
"C:\Exchange\BIN\Eseutil.exe" /p <database name> [options]
5. To parse the dirty EDB file, check Scan Dirty Database, then click OK.
Viewing Email
You can open .PST, .OST, and other types of mail storage files and view the individual emails
within. You can view the higher order of email folder structure on the Evidence tab. Once the
email is processed, you can double-click the storage file to drill down to the individual mail
messages.
The default view for Email is the Tree view. This shows the report in full screen, in as close to
native format as possible. Empty fields do not display in the report view. The Fields tab shows
all available metadata about the email and its collection, including the Transport Msg ID.
Use the Search Results tab and Find Email to view data across multiple repositories. You may
also want to view all your indexed evidence and then show only items with an item type of
Email. You can further drill down by finding subsets of sender, date range, etc.
EnCase allows you to track email threads and view related messages. Before you can analyze
email threading, you must have already run the Evidence Processor against your case evidence
with the Find email option selected. To avoid displaying the same message multiple times,
EnCase removes duplicate messages in both the Show Conversation and Show Related email
views.
1. In the Artifacts tab, double-click the .PST or .OST file you want to search. The archive is
displayed in a new expanded tab.
2. Select an email to view in the View pane.
Viewing Attachments
In the tree view, email attachments display as children under the parent email.
EnCase allows you to view attachments on email messages that you select.
1. In the Evidence tab, select the message with the attachment that you want to view.
2. Click the Doc button in the View pane. EnCase displays the contents of the message
attachment.
Showing Conversations
Email threading is based on conversation-thread related information found in the email
message headers. EnCase uses email header metadata (including message ID and in-reply-to
headers) to reconstruct email conversation threads. Email conversation thread reconstruction
is done during processing, so conversations are not available on data that has not been
processed.
Different email systems use different methods of identifying conversations. For example:
EnCase can display conversations for all supported email types except AOL, because AOL
messages do not store thread-related information. However, the feature cannot always
reconstruct complete conversations when the conversations include messages from multiple
email systems. For example, EnCase cannot fully recreate a conversation where some users are
using Outlook, some are using Lotus Notes, and others Thunderbird.
If an email does not have any of the message header fields specified above, EnCase cannot
construct a conversation thread for it. Selecting such an email and clicking Show Conversation
results in a tree containing only the selected email.
Before you can analyze email threading, you must have already run the Evidence Processor
against your case evidence with the Find email option selected.
1. In the Evidence tab select an email or email store in the Table pane.
2. From the Find Related menu, select Show Conversation.
EnCase can show related emails for all supported email types. Since Show Related only looks
at the subject line of a message, the emails displayed may not all be related, depending upon
the uniqueness of the subject line.
1. In the Evidence tab select an email or email store in the Table pane.
2. From the Find Related menu, select Show Related Messages.
Exporting to *.msg
The Export to .msg option for mail files and mail file attachments lets you preserve the folder
structure from the parsed volume down to the entry or entries selected. This option is
available for the highlighted entry or selected items.
1. In the Tree pane, select the email message(s) you want to export.
2. Right-click and select Export to *.msg. The Export Email dialog is displayed.
3. Click OK. View the folder structure in the Export folder. Double-click a message to view it
in read-only format.
CHAPTER 8
SEARCHING THROUGH EVIDENCE
Overview 293
Overview
EnCase Forensic provides three principal methods of searching through evidence:
• Index searches
• Tag searches
• Keyword searches through raw data
You can use these search methods by opening the Indexed Items, Keyword Hits, and Tagged
Items tabs from either the Home page of the case or from the View menu.
Index Searches
Index searching allows you to rapidly search for terms in a generated index, and is the
recommended search method in EnCase Forensic. Querying an index for your case or evidence
file locates terms much more quickly than using non-indexed queries. Unlike raw keyword
searches, indexing is linked with file transcript content so that text content contained with files
can be quickly and efficiently identified. You can also conduct metadata and field searches to
locate content with greater precision.
EnCase Forensic indexes evidence using a modified version of Lucene index and search
technology. You can search through the index using standard Lucene query syntax and most
Lucene search operators and term modifiers.
Indexes are generated using the Evidence Processor. An index can encompass all evidence in
your case.
• See Creating an Index on page 192 for information about creating and running index
searches.
• See Searching Indexed Data on the next page for a full list of search syntax options.
Note: Index search is a two step process. First, you index data using the Evidence
Processor. In the second step, you retrieve indexed data by executing a search in the
Indexed Items tab.
Tag Searches
EnCase also provides the capability to search for items that have been flagged with user-
defined tags. Using tags, you can search through collected evidence for all items that include
one or many tags. See Finding Tagged Items on page 305 for information about creating and
running tag searches.
Note: Tagged searches are a two step process. First, you tag the data to be
searched. In the second step, you retrieve tagged data by executing a search in the
Tagged Items tab.
• See Retrieving Keyword Search Results on page 309 to view the results of a previously
executed keyword search.
• See Adding a New Keyword on page 189 to learn how to add a new keyword from the
Evidence Processor or when performing a raw search.
• See Creating a New Keyword List on page 191 to learn how to add a new keyword list.
Note: Keyword searches are a two step process. First, you perform a keyword
search on raw data. In the second step, you retrieve keyword data by executing a
search in the Keyword Hits tab.
Search through indexed data in the Indexed Items tab. The Indexed Items tab is divided into
four standard panes. The upper left pane is the query pane:
• Query Actions Bar: Provides options to run a query entered in the Query Construction
Box, change the default language index, select a field to search, add a Boolean operator,
access online help, or access other options.
• Query Construction Box: Type or paste a query directly into the box below the Query
Actions Bar. This box is used to create more complex queries.
• Quick Query Box: For a quick index search, enter a single word directly into the box
below the Query Construction Box.
• Quick Query Results Table: Found below the Quick Query Box, it displays search
results of quick query words, number of hits, and number of items that contain the query
word. Related words are also displayed with hit and item count.
• Table Pane: When a query is executed, all items that contain the queried terms display in
the table pane on the right.
• View Pane: Details of the item selected in the table pane can be viewed here.
1. Open the Indexed Items tab from either the Home page of the case or from the View
menu.
2. Type your search query in the Query Construction Box, paste a query, or select available
query options from the Query Actions Bar.
The query actions bar provides tools for constructing a search query. Expand the left
pane to view all buttons and drop-down options. Right-click the mouse in the query
window to view these commands in the context menu.
3. To run the search query in the Query Construction Box, position your cursor in the text
box and press Enter, or click the Run button.
The Quick Query Box and Quick Query Results box automatically display the most recent
search term entered in the Query Construction Box. You can enter a term in the Query
Construction Box or Quick Query Box to instantly show all variations of the occurrence of that
term. Click a hyperlinked term in the Word column to show all occurrences of that term in the
right table pane.
Boolean Operators
Boolean operators allow for the combination of terms through the use of logical operators.
Boolean operators must be formatted in ALL CAPS. The following operators are supported:
OR
The OR operator is the default conjunction operator and is used when no other operator
is specified. The OR operator links two terms and finds matching documents if either
term is found in the document. The term || may also be used interchangeably with the
OR operator.
AND
The AND operator matches documents where both terms are present anywhere in the
text of a single document. The term && may also be used interchangeably with the
AND operator.
Use the + operator to make the term following it required. The term after the + operator
must exist in a document for it to be returned in a search.
A search for +Washington George returns documents that must contain the term
"Washington" and may contain "George".
NOT
The NOT operator excludes documents that contain the term after the NOT operator.
The term ! may also be used interchangeably with the NOT operator.
Note: The NOT operator must include at least one non-excluded search term.
Submitting a search with only a NOT operator returns no results. For example, the
search NOT "George Washington" returns no results.
-
The - operator excludes documents containing the term after the - symbol.
Search terms are highlighted in the search results. Phrase searches highlight the individual
terms of the phrase as well as the whole phrase.
"George Washington Carver" searches for the exact phrase, "George Washington
Carver"
the index marks as responsive all items containing the word Bill within five words of either
Clinton or Gates.
the index marks as responsive all items containing both the words "Bill" and "William" within
five words of both "Clinton" and "Gates."
Grouping
Use parentheses to group clauses and control the Boolean logic of a query. How you use
parentheses determines the search order. Subqueries are performed first. For instance:
finds all items with either both the terms "George" and "Washington" or both the terms
"Abraham" and "Lincoln."
finds all items containing the term "George" and either the terms "Washington" or "Bush."
Alternatively:
finds all items containing both the terms "George" and "Washington", or the term "Carver".
You can join proximity queries (~x) to Boolean logic queries (AND, OR). For example:
finds all items containing the term "Delaware" that also contain the terms "George" up to
three words from "Washington."
FIELD GROUPING
You can use parentheses to group multiple single terms or phrases. For example:
returns documents where the from field contains both the search term "Carver" and the
phrase "George Washington."
Range Searches
Range searches locate matches where field values fall between the lower and upper bounds
specified in a range query. A range query with square brackets is inclusive. A range query with
curly brackets is exclusive.
logical_size:[500000 TO 1000000]
subject:{allen TO zebra}
Date Searches
Search for items by date range using field syntax:
last_accessed:[20170101 TO 20170102]
Search for a time range by appending the time in six-digit format to the bounding dates:
file_created:[20170101080000 TO 20170101130000]
The above term searches for any item with a creation date between January 01, 2017 08:00 and
January 01, 2017 13:00, including the bounding times and dates.
The ? operator stands as a placeholder for any single character. For instance, a search for:
c?t
results in hits in documents containing cat, cot, and cut, but not caught.
The * operator stands as a placeholder for any number of characters. For instance:
ind*
The * operator can also be used within a word. For instance:
in*ive
MULTIPLE WILDCARDS
A term can contain multiple wildcards (either * or ?), but cannot contain wildcards as the first
character of the term. For instance:
ind*a*a
c?t?
p*fi?y
*india*
?cat?
*fis?
Format
/regular expression/
Example
/[jb]ump/ finds all documents containing the words "jump" and "bump"
Proximity
The tilde ~ acts as a proximity operator when it follows a phrase containing two terms. Perform
a proximity search on two terms by enclosing the terms in quotes, appending the tilde ~ and
adding a numeric value. The numeric value represents the maximum number of words that
can exist between the two search terms for a positive hit to be returned. While proximity
search can return results where the second search term appears before the first search term,
the proximity value must be increased by two in order to account for counting through the
first word and locating the beginning of the second word.
Format
"searchterm1 searchterm2"~<value>
Example
"George Washington"~3 finds all documents where the word "Washington" appears
three words or less after the word "George" or where the word "Washington" appears
immediately before the word, "George"
"white house"~10 finds all documents where the word "house" appears ten words or
less after the word "white" or where the word "house" appears eight words or less
before the word, "white"
Fuzzy Searches
The tilde ~ acts as a fuzzy search operator when it follows a single search term. The fuzzy
search operator returns results similar to the term. Append an optional integer from 0 to 2 to
specify the search tolerance. If no number is specified, a default value of 2 is used. The larger
the number, the broader the search.
Format
searchterm~
searchterm~<value>
Example
Search Fields
EnCase Forensic searches for terms in every indexed text field. You can restrict the fields you
search using the field name followed by a colon :. For example, to search for terms in the
subject line, use:
subject:George
subject:"George Washington"~2
To search in a specific Item Type, choose Item Type from the Field drop-down, and select the
category you want to search. Search options include: None, Entry, File, Email, Document, and
Record. When you make a selection, the item type and its corresponding number are
entered in the query box. Enter the AND operator, followed by your query, and
click the Run button to conduct the Item Type search.
Search Fields
The following table lists supported fields.
Individual Fields
Pattern Fields
Email Address
(<p:EmailAddress>)
Reserved Characters
EnCase Forensic supports escaping special characters that are used in query syntax. The
following characters must be escaped if you want to use them as part of a search:
+ - && || ! ( ) { } [ ] ^ " ~ * ? : \
For example, to search for (3-2=1):1, place the escape character before each special
character: \(3\-2=1\)\:1
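The following Python helpers are an added example, not EnCase code: they emit queries in the syntax described in the Boolean Operators, Range Searches, Date Searches, Proximity, Wildcard and Reserved Characters sections above, escaping user-supplied values so that a reserved character in a search term cannot change the structure of the query. Field names are the ones used in the page's own examples.

```python
import re
from datetime import datetime
from typing import Optional

# Reserved characters from the list above; && and || are two-character tokens.
_RESERVED = re.compile(r'(&&|\|\||[+\-!(){}\[\]^"~*?:\\])')


def escape_term(value: str) -> str:
    """Backslash-escape every reserved character so it is searched literally."""
    return _RESERVED.sub(lambda m: "".join("\\" + c for c in m.group(1)), value)


def term(value: str, field: Optional[str] = None) -> str:
    """A single literal term, optionally restricted to one field (subject:George)."""
    body = escape_term(value)
    return f"{field}:{body}" if field else body


def phrase(words: str, slop: Optional[int] = None, field: Optional[str] = None) -> str:
    """An exact phrase; with a slop value it becomes a proximity search ("white house"~10).

    A reversed word order costs two extra positions of slop, as the text notes.
    """
    body = '"' + escape_term(words) + '"'
    if slop is not None:
        if slop < 0:
            raise ValueError("proximity value must be non-negative")
        body += f"~{slop}"
    return f"{field}:{body}" if field else body


def wildcard(pattern: str, field: Optional[str] = None) -> str:
    """A term containing * or ?; the index rejects a wildcard as the first character."""
    if pattern[:1] in ("*", "?"):
        raise ValueError("wildcards cannot be the first character of a term")
    return f"{field}:{pattern}" if field else pattern


def range_query(field: str, lower: str, upper: str, inclusive: bool = True) -> str:
    """field:[lower TO upper] is inclusive; field:{lower TO upper} is exclusive."""
    open_, close = ("[", "]") if inclusive else ("{", "}")
    return f"{field}:{open_}{lower} TO {upper}{close}"


def date_range(field: str, start: datetime, end: datetime, with_time: bool = False) -> str:
    """Inclusive date range; with_time appends the six-digit HHMMSS described above."""
    if end < start:
        raise ValueError("end of range precedes its start")
    fmt = "%Y%m%d%H%M%S" if with_time else "%Y%m%d"
    return range_query(field, start.strftime(fmt), end.strftime(fmt))


def all_of(*clauses: str) -> str:
    """Group clauses with AND; parentheses make the evaluation order explicit."""
    return "(" + " AND ".join(clauses) + ")"


def any_of(*clauses: str) -> str:
    """Group clauses with OR."""
    return "(" + " OR ".join(clauses) + ")"


def exclude(clause: str) -> str:
    """NOT must be paired with at least one non-excluded clause (see the note above)."""
    return "NOT " + clause


def example_query() -> str:
    """Items created in the window from the Date Searches example whose subject holds
    either a proximity phrase or the escaped literal from Reserved Characters, minus
    anything with 'draft' in the subject."""
    return all_of(
        date_range("file_created", datetime(2017, 1, 1, 8, 0), datetime(2017, 1, 1, 13, 0),
                   with_time=True),
        any_of(phrase("George Washington", slop=2, field="subject"),
               term("(3-2=1):1", field="subject")),
        exclude(term("draft", field="subject")),
    )


if __name__ == "__main__":
    print(example_query())
```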
1. Open the Tagged Items tab from either the Home page of the case or from the View
menu.
2. Click on a tag directly to display all items with that tag in the table pane.
3. Select multiple tags and click View Selected to see items containing any of the selected
tags.
You can perform hashing and raw keyword searches on remote devices.
In order to maximize performance, you can search and hash these types of files remotely:
You cannot search and hash encrypted files (other than EFS) remotely.
◦ Use the path box at the top of the dialog to specify the name and location for the
search.
◦ Select Search entry slack to include file slack in the keyword search.
◦ Select Skip contents for known files to search only the slack areas of known files
identified by a hash library.
◦ Select Undelete entries before searching to undelete deleted files before they are
searched for keywords.
◦ Use initialized size lets you search a file as the operating system displays it, rather
than searching its full logical size.
  In NTFS and exFAT file systems, applications are allowed to reserve disk space
  for future operations. The application sets the logical size of the file larger than
  currently necessary to allow for expected future expansion, while setting the
  Initialized Size smaller so that it only needs to parse a smaller amount of data.
  This enables the file to load faster.
  If a file has an initialized size less than the logical size, the OS shows the data
  area between the initialized size and logical size as zeros. In actuality, this area
  of the file may contain remnants of previous files, similar to file slack. By
  default, EnCase displays, searches and exports the area past the initialized size
  as it appears on the disk, not as the OS displays it. This lets you find file remnants
  in this area.
  Select Initialized Size to see a file as its application sees it and the OS displays it.
  Note that when a file is hashed in EnCase, the initialized size is used. This
  means that the entire logical file is hashed, but the area past the initialized size
  is set to zeros. Since this is how a normal application sees the file, this lets
  users verify file hashes with another utility that reads the file via the OS.
◦ Add Keyword List opens a dialog where you can enter a list of words and assign certain
properties to them as a group. See Creating a New Keyword List on page 191.
◦ Split Mode lets you configure the layout of the dialog.
◦ New opens the New Keyword dialog where you can add a new keyword. See
Adding a New Keyword on page 189.
◦ Double-click a keyword, or click Edit, to open the keyword and modify its properties.
◦ Highlight a keyword and click Delete to remove it from the list.
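An added example (not EnCase code) that models the two views of a file described under Use initialized size above, using constructed data: the bytes as stored on disk up to the logical size, and the view the OS presents, in which everything past the initialized size reads as zeros. MD5 is assumed as the hash algorithm; any hashlib algorithm name can be passed instead.

```python
import hashlib

# Constructed sample: a 64-byte file whose application initialized only 40 bytes.
LOGICAL_SIZE = 64
INITIALIZED_SIZE = 40


def make_sample() -> bytes:
    """On-disk content: 40 bytes of live data followed by a 24-byte remnant of an older file."""
    live = b"live data written by the application.".ljust(INITIALIZED_SIZE, b"\x00")
    remnant = b"OLD SECRET remnant text!"  # left over on disk, never written by this file
    raw = live + remnant
    if len(raw) != LOGICAL_SIZE:
        raise AssertionError("constructed sample has the wrong logical size")
    return raw


def os_view(raw: bytes, initialized_size: int) -> bytes:
    """The file as the OS and an ordinary application see it: zeros past the initialized size."""
    if not 0 <= initialized_size <= len(raw):
        raise ValueError("initialized size must lie within the logical size")
    return raw[:initialized_size] + bytes(len(raw) - initialized_size)


def file_hash(data: bytes, algorithm: str = "md5") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def hash_on_disk(raw: bytes, algorithm: str = "md5") -> str:
    """Hash of the full logical file as stored on disk (EnCase's default view)."""
    return file_hash(raw, algorithm)


def hash_as_os(raw: bytes, initialized_size: int, algorithm: str = "md5") -> str:
    """Hash of the logical file with the area past the initialized size zeroed; this is the
    value another utility reading the file through the OS would compute."""
    return file_hash(os_view(raw, initialized_size), algorithm)


def remnant_bytes(raw: bytes, initialized_size: int) -> bytes:
    """Whatever lies past the initialized size on disk; non-zero bytes here are remnants."""
    return raw[initialized_size:].rstrip(b"\x00")


def demo() -> dict:
    raw = make_sample()
    return {
        "on_disk": hash_on_disk(raw),
        "as_os_sees_it": hash_as_os(raw, INITIALIZED_SIZE),
        "remnant": remnant_bytes(raw, INITIALIZED_SIZE),
        # when the whole file is initialized, the two views (and hashes) coincide
        "fully_initialized_hashes_agree": hash_as_os(raw, LOGICAL_SIZE) == hash_on_disk(raw),
    }


if __name__ == "__main__":
    print(demo())
```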
To see search results while the search is in progress, click the Refresh icon on the Keyword Hits
tab.
If new search hits are available, the icon is displayed in green. If no new search hits are
available, the icon is disabled.
The icon is dynamic: after clicking, it is disabled until more search hits are available. When
more search hits are available, the icon is enabled and is displayed again in green.
1. Open the Keyword Hits tab from either the Home page of the case or from the View
menu.
2. A list of keywords is displayed. These are the keywords that have been previously
executed.
4. Select multiple keywords and click the View Selected button to see a combination of all
search results.
5. Choose View Items or View Hits from the View Selected dropdown to view keyword results
by items or hits.
• Use the Review tab to see a compressed list of metadata, keyword item, and index search
hits.
  ◦ This tab combines information found on the Fields, Transcript, and Text tabs, showing
fields and individual lines containing search hits.
  ◦ Click the linked Search Hits line number to view the search hit on that line in context.
  ◦ Use the Next/Previous Item buttons to click through each item in the list.
• Content hits are also highlighted in the Transcript, Text, and Hex tabs while metadata hits
are highlighted in the Fields tab.
  ◦ Click Compressed View on the Transcript, Text, and Hex tabs to see only the lines
containing highlighted search hits.
  ◦ Use the Next/Previous Hit buttons to click through each hit in the file. If there are
no more hits in the file, the next item opens and the first hit is found.
For more information about viewing options, see Viewing Content in the View Pane on
page 248.
Note: Index hits with large numbers of characters that wrap over line breaks do not
display in the Review tab.
5. Select a saved search in the left pane. The results of that search display in the right Table
pane. Click individual items to see more information in the lower viewing tabs.
Note: If you save search results when viewing by hits in the Keyword Hits tab,
only unique items are saved. For example, if you select ten hits that occur in one item
and three that occur in another, only the two unique items will be saved in the result
set. You can create keyword hit bookmarks if you wish to save individual keyword
hits. See Retrieving Keyword Search Results on page 1
When you export search results containing only entries or containing only artifacts, EnCase
generates a single LEF.
When you export search results containing both entries and artifacts, EnCase generates two
LEFs, one containing only artifacts and another containing only entries.
1. On the Indexed Items, Keyword Hits, or Tagged Items tab, select the items you want to
export.
2. Click Acquire > Create Logical Evidence File.
3. EnCase exports the items you checked to a LEF.
Note: If you choose both entries and artifact items, the records are exported to a
LEF named <UserCreatedName>.artifacts.L01.
File extensions are characters following the dot in a file name (for example, signature.doc).
They often indicate the file's data type. For example, a .txt extension denotes a text file, while
.doc indicates a document file.
The file headers of each unique file type contain identifying information called a signature. For
example, .BMP graphic files have BM as a signature.
A technique often used to hide data is to attempt to disguise the true nature of the file by
renaming it and changing its extension. Because a .jpg image file assigned a .dll extension is not
usually recognized as a picture, comparing a file’s signature with its extension identifies files
that were deliberately changed. For example, a file with a .dll extension and a .jpg signature
should pique the interest of an investigator.
The software performs the signature analysis function in the background on all processed
evidence.
Information about results of a file signature analysis is displayed in Evidence tables, in the
Signature Analysis column:
• Match indicates data in the file header, extension, and File Signature table all match.
• Alias means the header is in the File Signature table but the file extension is incorrect (for
example, a JPG file with a .ttf extension). This indicates a file with a renamed extension.
The word Alias is displayed in the Signature Analysis column, and the type of file identified
by the file signature is displayed in the File Type column.
• Unknown means neither the header nor the file extension is in the File Signature table.
• !Bad Signature means the file's extension has a header signature listed in the File Signature
table, but the file header found in the case does not match the File Signature table
for that extension.
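An added example (not EnCase code) that models the four Signature Analysis results above with a small constructed signature table. The BM header for .bmp is the one given in the text; the JPEG and TrueType headers are the standard ones for those formats. EnCase's own File Signature table uses search expressions rather than fixed prefixes, so this is a simplified model of the same decision.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed File Signature table: file type -> (header bytes at offset 0, extensions).
SIGNATURE_TABLE: Dict[str, Tuple[bytes, Set[str]]] = {
    "BMP": (b"BM", {"bmp"}),
    "JPEG": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    "TrueType font": (b"\x00\x01\x00\x00", {"ttf"}),
}


def extension_of(filename: str) -> str:
    """Characters after the last dot, lower-cased; empty when there is no extension."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def type_for_header(header: bytes) -> Optional[str]:
    """File type whose signature the header carries, or None if no table entry matches."""
    for file_type, (magic, _) in SIGNATURE_TABLE.items():
        if header.startswith(magic):
            return file_type
    return None


def extension_known(ext: str) -> bool:
    """True when some table entry claims this extension."""
    return any(ext in exts for _, exts in SIGNATURE_TABLE.values())


def signature_analysis(filename: str, header: bytes) -> Tuple[str, Optional[str]]:
    """Return (Signature Analysis result, File Type) as the two columns would show them."""
    ext = extension_of(filename)
    file_type = type_for_header(header)
    if file_type is not None:
        if ext in SIGNATURE_TABLE[file_type][1]:
            return "Match", file_type
        return "Alias", file_type  # known header, wrong extension: a renamed file
    if extension_known(ext):
        return "!Bad Signature", None  # extension claims a known type, header disagrees
    return "Unknown", None  # neither header nor extension is in the table


# Constructed sample headers (first bytes of each file).
SAMPLE_FILES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "picture.dll": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # the .jpg-as-.dll case from the text
    "image.bmp": b"XX\x00\x00",                      # claims BMP but does not start with BM
    "notes.xyz": b"hello world",
    "arial.ttf": b"\x00\x01\x00\x00\x00\x12",
}


def analyze_samples() -> Dict[str, Tuple[str, Optional[str]]]:
    return {name: signature_analysis(name, header) for name, header in SAMPLE_FILES.items()}


def renamed_or_bad(results: Dict[str, Tuple[str, Optional[str]]]) -> List[str]:
    """Entries an examiner reviews first: renamed files and header/extension conflicts."""
    return sorted(name for name, (result, _) in results.items()
                  if result in ("Alias", "!Bad Signature"))


if __name__ == "__main__":
    results = analyze_samples()
    for name, (result, file_type) in results.items():
        print(f"{name:12} {result:15} {file_type or ''}")
    print("review first:", renamed_or_bad(results))
```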
Occasionally a file signature may not be in the table. Use this procedure to add a new one.
Before you do this, you need to know the file signature search expression. This is not
necessarily the same as the three letter file extension.
1. From the View menu, select File Types. The File Type table is displayed.
4. Click OK. The new file type and associated file signature are added to the table.
1. From the View menu, select File Types. The File Type table is displayed.
2. Double-click a file type. The Edit File Type dialog is displayed.
3. Click the Header tab to display the file signature information.
4. Change the Search Expression and other options as desired, then click OK.
Note: If you modify a built-in file type, it is marked as User Defined. EnCase does not
overwrite User Defined file types, even when you install a new version of EnCase.
1. On the Evidence tab, drill into the device where you want to run file signature analysis.
2. Blue check the specific files you want to run signature analysis on.
3. Click Entries. In the dropdown menu, click Hash\Sig Selected. The Hash\Sig Selected dialog
is displayed.
4. Select Verify file signatures to run signature analysis. You can also select other processes
to run concurrently.
5. Click OK.
Note: After running file signature analysis, you must refresh the device. Click the
Refresh button in the Entries toolbar.
You can copy both files and folders. Copying folders preserves their internal structure.
EnCase allows you to automatically navigate to the directory where your files are saved. Click
the Open Destination Folder checkbox on the Destination dialog to launch Windows File
Explorer with the export location.
Copying Files
To copy files:
1. In the Evidence or Artifacts tab, click the Entries dropdown menu and select Copy Files.
2. In the Results, Indexed Items, Keyword Hits, or Tagged Items tab, click the Results dropdown
menu and select Copy Files.
3. The Copy Files dialog is displayed.
◦ Copy Files contains settings that determine the content of the evidence file to be
copied.
  ▪ Logical File Only performs the copy function on the logical file only, not including
the file slack.
  ▪ Entire Physical File performs the copy function on the entire physical file,
including the logical file and file slack.
  ▪ RAM and Disk Slack performs the copy function on both the RAM and disk
slack.
  ▪ RAM Slack Only performs the copy function on the RAM slack only.
◦ The Character Mask settings determine what characters are written into the file or
files created by the copy function.
  ▪ Select None if you do not want any characters masked or omitted from the filenames
of the resulting files.
  ▪ Select Do not Write Non-ASCII Characters to mask or omit non-ASCII characters
from the filenames of the resulting files. All characters except non-ASCII
characters are retained.
  ▪ Select Replace NON-ASCII Characters with DOT to replace non-ASCII characters
with periods in the filenames of the resulting files.
◦ Checking Show Errors causes the application to notify you when errors occur. This
prevents the unattended execution of the Copy Files operation.
◦ Copy displays the number of files to be copied, and the total number of bytes of the
file or files created.
◦ Path shows the path and filename of the file or files to be created. The default is My
Documents\EnCase\[case name]\Export.
◦ Split files above contains the maximum length, not exceeding 2000MB, of any file
created by the Copy Files function. When the total number of bytes in an output file
exceeds this value, the additional output continues in a new file.
o Use Initialized Size determines whether to use the initialized size of an entry rather than the default logical size or the physical size. This setting is only enabled for NTFS and exFAT file systems. On those file systems the initialized size of a file can be smaller than its logical size, in which case the bytes between the initialized size and the logical size read back as zeros regardless of what the clusters actually hold.
3. Click Finish. The Copy Files operation executes. The resulting files are saved in the directory specified in the Destination dialog.
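As an added illustration, not part of the EnCase guide and not EnCase code, the following Python computes which byte ranges each of the four content options covers, and what a Logical File Only copy contains when the NTFS or exFAT initialized size is smaller than the logical size. It assumes a 512-byte sector, a non-resident file whose data begins on a cluster boundary, and the conventional definitions of RAM slack (end of the logical data to the end of its last sector) and disk slack (end of that sector to the end of the last cluster); the sample cluster bytes are constructed.

```python
# Added example, not EnCase code: byte ranges written by the Copy Files content
# options, and the effect of Use Initialized Size. Assumes a 512-byte sector, a
# non-resident file starting on a cluster boundary, and the conventional slack
# definitions (RAM slack: end of data to end of its sector; disk slack: from
# there to the end of the last cluster). Sample cluster bytes are constructed.

SECTOR_SIZE = 512


def _round_up(n, unit):
    """Smallest multiple of unit that is >= n (integer arithmetic only)."""
    return -(-n // unit) * unit


def copy_ranges(logical_size, cluster_size, sector_size=SECTOR_SIZE):
    """Map each content option to the [start, end) byte range it copies,
    offsets relative to the first byte of the file's first cluster."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a whole number of sectors")
    sector_end = _round_up(logical_size, sector_size)      # end of last sector holding data
    physical_size = _round_up(logical_size, cluster_size)  # end of the last cluster
    return {
        "Logical File Only": (0, logical_size),
        "Entire Physical File": (0, physical_size),
        "RAM Slack Only": (logical_size, sector_end),
        "RAM and Disk Slack": (logical_size, physical_size),
    }


def logical_bytes(raw_clusters, logical_size, initialized_size=None,
                  use_initialized_size=False):
    """Bytes produced by a Logical File Only copy.

    On NTFS and exFAT the initialized size can be smaller than the logical
    size; the file system returns zeros for the uninitialized tail whatever
    the clusters actually hold. With use_initialized_size the copy stops at
    the initialized size instead of padding to the logical size.
    """
    if initialized_size is None or initialized_size > logical_size:
        initialized_size = logical_size
    data = bytes(raw_clusters[:initialized_size])
    if use_initialized_size:
        return data
    return data + b"\x00" * (logical_size - initialized_size)


def demo():
    """Constructed 4096-byte cluster whose tail is stale data, not zeros."""
    cluster = bytes(range(256)) * 16
    return {
        "ranges": copy_ranges(1000, 4096),
        "logical_len": len(logical_bytes(cluster, 1000, initialized_size=600)),
        "initialized_len": len(logical_bytes(cluster, 1000, initialized_size=600,
                                             use_initialized_size=True)),
    }


if __name__ == "__main__":
    for option, (start, end) in demo()["ranges"].items():
        print(f"{option:22s} bytes {start:5d}-{end:5d} ({end - start} bytes)")
```

Modern Windows versions zero-fill the remainder of the last sector when they write it, so the RAM Slack Only option mostly matters for media written by older systems; disk slack, by contrast, can still hold remnants of whatever previously occupied the cluster, which is why Entire Physical File is the option to choose when that residue is of interest.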
Copying Folders
1. Select the folder or folders to copy.
2. Open the Copy Folders dialog:
o In the Evidence or Artifacts tab, click the Entries dropdown menu and select Copy Folders.
o In the Results, Indexed Items, Keyword Hits, or Tagged Items tab, click the Results dropdown menu and select Copy Folders.
3. Set the copy options:
o Path shows the path and filename of the file or files to be created. The default is My
Documents\EnCase\[case name]\Export.
o Replace first character of FAT deleted files with determines which character is used to replace the first character in the filename of deleted files in the FAT file system.
o Split files above contains the maximum length, not exceeding 2000 MB, of any file created by Copy Folders. When the total number of bytes in an output file exceeds this value, the additional output is continued in a new file.
o Copy only selected files inside each folder copies individual files selected within a folder or folders.
o Checking Show Errors causes the application to notify you when errors occur. This prevents the unattended execution of the copy operation.
o Open Destination Folder opens the selected folder when the copy action completes.
4. Click OK.
All file types can be packaged for review. Raw and indexed searches cull through the content
and metadata of pictures, email, and office documents. Metadata information is culled for
other file types.
The process for creating, reviewing, and returning a review package follows this work flow:
l The EnCase examiner searches and compiles a results list that is exported into a review
package.
l The reviewer receives and opens the review package.
l The reviewer browses through and analyzes the contents of the review package. Existing
tags can be used or the reviewer can create customized tags.
l The reviewer exports the tagged review package and sends the exported file back to the
EnCase examiner. The export package contains only the GUIDs of the items, so it can be
emailed back as a small file without revealing any case information.
l The EnCase examiner imports the analyzed review package and views the tagged items in
EnCase.
o Only Checked Rows exports the selected rows in the current table view of the
search list. If a range of rows is selected, only checked rows within that range are
exported. When cleared, all rows in the current table view are exported.
o Show Folders exports items along with any relevant folder structure. When selected, all items are exported. When cleared, only items in the current table view are exported. You must select this option when exporting selected items from multiple folders to the review file.
o Export Items exports files in their native formats as part of the review package. EnCase exports all file types except raw File System entries (for example: $MFT, $LogFile or any '$*' files on NTFS file systems). Unallocated Clusters and Unused Disk Area are not exported.
When you open the review web browser, the Review Export function displays hyperlinks
which, when selected, open the associated original files.
o Select the fields you want to export in the Fields list.
o By default, all tags are automatically exported for use by the reviewer. Clear the
checkboxes on the left for any tags you do not want to export.
o The Export Tag checkbox determines whether to export the tagging information
already entered on any of the items. When cleared, any tagging choices you made
are omitted from the review package. When checked, your tagging selections
remain intact.
o Enter or browse to the name and path for the export files.
3. Click OK. A status bar displays the export process. When the export process completes, the review package window opens to allow the examiner to confirm its contents. Include the ReviewPackage.hta and the accompanying \ReviewPackage.data folder when compiling the Review Package for distribution.
The review application displays two panes. The upper pane displays the items exported from
EnCase. The lower pane displays specific information about the currently selected item.
1. To open an .hta review package, double click the .hta file. The EnCase Document Review
window is displayed.
2. Scroll through the items on top and use the lower pane to review their content.
3. Click the area of the tag column beneath the desired tag to tag or untag an item.
o You can expand the tagging column to see the names of tags.
o You can tag each item with as many tags as desired. Newly added item tags display a
plus icon.
o Click an existing item tag to delete it. A minus icon is displayed where the item tag
was before.
o Item tags added by the original examiner are included in the review package. Item
tags specified by the original examiner can be removed.
o When reviewing bookmarks, each bookmark is displayed on a separate row so separate tags can be applied to individual bookmarks. These bookmarks are aggregated within the item when reviewed in EnCase.
4. To create a customized tag, click Create Tag in the menu bar. The Create Tag dialog is displayed.
o Enter the name for the tag in the Name text box.
o If you want to display a shorter name, enter it in the Display text box.
o Click OK to create the tag and close the dialog.
5. To delete one or more tags, click Delete Tags in the menu bar. The Delete Tag dialog is displayed.
o Check the tag(s) you want to delete.
o Click OK to delete the tags and close the dialog.
6. Tags can always be reverted to their last saved state. The last saved state is the state the
tags were in when they were originally imported, or the state they were in the last time
the review package was exported with the Commit Changes checkbox checked.
To revert to the last saved tagging choices, click Revert in the menu bar. The Revert
dialog is displayed.
o Check each tag you want restored to its last saved state.
o Click OK to revert the tags and close the dialog.
1. To export a review package to be imported into EnCase, click Export in the menu bar. The
Export dialog is displayed.
o Check Commit Changes to save the current set of tags.
Committing changes updates the review package's last saved state.
The last saved state is then used as a baseline for future modifications.
2. Click OK. The review package is exported and saved as an .EnReview file in the desired location.
3. Send the .EnReview file to the EnCase examiner to import back into EnCase.
Note: When a case is exported via Review Package, the HTA file displays a
maximum of 31 tags.
2. Enter the path where the .EnReview file is stored and click Next. A list of tags added to the
review package is displayed.
o Only tags with changes since the last saved change display in the list.
o Clear checkboxes for any tags you do not want to import.
o Item tags present when the review package was exported, then subsequently
removed by the reviewer, are removed in the examiner's case when you import the
returned review package.
o If multiple reviewers are analyzing the same review package, the same rules apply to
each .EnReview file.
If an item tag was present when the review package was exported, and one reviewer removed it while another reviewer left it in, then the tag is removed in the examiner's case when you import the returned review packages.
The order in which you import the review packages does not make a difference.
3. When you are done, click Finish. The tag changes in the review package are incorporated
into EnCase.
Note: Tags applied to separate bookmarks within a particular item are aggregated;
therefore, each item in EnCase displays all tags that were applied to all its bookmarks.
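The merge rule described above is easy to misread, so here it is as an added Python example (not EnCase code, and not the format of an .EnReview file): the last saved tag state is the baseline, any reviewer removing a baseline tag removes it, and the result is the same whatever order the returned packages are imported in. Items are identified by GUID strings and the sample data is constructed. Two assumptions not stated by the guide are labelled in the code: a tag a reviewer added is kept if it appears in any returned package, and an item absent from a returned package counts as unchanged by that reviewer.

```python
# Added example, not EnCase code: the tag-merge rule applied when returned
# .EnReview packages are imported. Items are identified by GUID strings and
# the sample data is constructed. Assumptions not stated by the guide: a tag
# a reviewer added is kept if it appears in any returned package, and an item
# absent from a returned package is treated as unchanged by that reviewer.


def merge_review_packages(baseline, returned):
    """baseline: {guid: set(tags)} as exported; returned: list of {guid: set(tags)}.

    A baseline tag survives only if no reviewer removed it, so the order of the
    returned packages makes no difference to the result.
    """
    guids = set(baseline)
    for pkg in returned:
        guids.update(pkg)
    merged = {}
    for guid in guids:
        base = set(baseline.get(guid, ()))
        kept = set(base)
        added = set()
        for pkg in returned:
            current = set(pkg[guid]) if guid in pkg else base
            kept &= current            # any reviewer removing a tag removes it
            added |= current - base    # any reviewer adding a tag adds it
        merged[guid] = kept | added
    return merged


def changed_tags(baseline, merged):
    """Tags that differ from the last saved state, which is what the import
    wizard lists for the examiner to accept or clear."""
    names = set()
    for guid in set(baseline) | set(merged):
        names |= set(baseline.get(guid, ())) ^ set(merged.get(guid, ()))
    return sorted(names)


if __name__ == "__main__":
    base = {"g1": {"Relevant", "Privileged"}, "g2": {"Relevant"}}
    r1 = {"g1": {"Relevant"}, "g2": {"Relevant", "Hot"}}        # removed Privileged, added Hot
    r2 = {"g1": {"Relevant", "Privileged"}, "g2": set()}        # removed Relevant on g2
    print(merge_review_packages(base, [r1, r2]))
```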
CHAPTER 9
HASHING EVIDENCE
Overview
Analyzing a large set of files by identifying and matching the unique hash value of each file is an
important part of the computer forensics process. Using the hash library feature of EnCase,
you can import or custom build a library of hash sets, allowing you to identify file matches in
the examined evidence.
A hash function maps data of any length to a fixed-length value, the hash, which serves as a digital fingerprint of that data. Hash analysis compares the hash values of files in the case with known, stored hash values.
The hash value is commonly represented as binary data written in hexadecimal notation. If a hash value is calculated for a piece of data, and one bit of that data changes, a hash function with a strong mixing property produces a completely different hash value.
A fundamental property of all hash functions is that if two hashes (calculated using the same algorithm) are different, then the two inputs are different in some way. On the other hand, matching hash values strongly suggest that the two inputs are equal. Keep in mind that MD5 and SHA-1 collisions can be constructed deliberately, so a match is reliable evidence of identity only when the hash set itself comes from a trusted source; a mismatch, however, always proves that the inputs differ.
Computer forensics analysts often create different hash sets of known illicit images, hacker
tools, or non-compliant software to quickly isolate known "bad" files in evidence. Hash sets
can also be created to identify files whose contents are known to be of no interest, such as
operating system files and commonly used applications. Hash sets are distributed and shared
among users and agencies in multiple formats. These formats include NSRL, EnCase hash sets,
Bit9, and others.
Until recently, the MD5 hash calculation was the hash set standard to identify a file. Large hash
distribution sets, such as the NSRL set, are now distributed using the SHA-1 hash calculation.
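To make the mechanics concrete, the following Python is an added example (not EnCase code and not the on-disk format of an EnCase hash library): it hashes file content with MD5 and SHA-1, stores the values in named hash sets that carry a category and tags, reports every enabled set an item matches, skips items that have neither hash, and shows that flipping one bit of a known file defeats the lookup. A set that holds only SHA-1, as a distribution set like NSRL would, still matches. The sample file contents and set names are constructed, and letting Notable outrank Known in the single-verdict helper is a policy choice of this example, not an EnCase rule.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not EnCase code: a minimal hash library with Known and
# Notable hash sets, MD5 and SHA-1 lookups, and "report every match".
# The sample file contents and hash set names are constructed.


@dataclass
class HashSet:
    name: str
    category: str                      # commonly "Known" or "Notable"
    tags: frozenset = frozenset()
    enabled: bool = True
    md5: set = field(default_factory=set)
    sha1: set = field(default_factory=set)


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of a file's logical content as lowercase hex."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


class HashLibrary:
    def __init__(self):
        self.sets = {}

    def new_set(self, name, category, tags=()):
        self.sets[name] = HashSet(name, category, frozenset(tags))
        return self.sets[name]

    def add_items(self, set_name, items):
        """Add hash items to a set. Items with neither MD5 nor SHA-1 are
        skipped, as with 'Skip items with no MD5 or SHA1'; returns the count."""
        hs = self.sets[set_name]
        skipped = 0
        for item in items:
            md5, sha1 = item.get("md5"), item.get("sha1")
            if not md5 and not sha1:
                skipped += 1
                continue
            if md5:
                hs.md5.add(md5.lower())
            if sha1:
                hs.sha1.add(sha1.lower())
        return skipped

    def query(self, hashes):
        """Every enabled set containing the item's MD5 or SHA-1 (all matches)."""
        md5 = (hashes.get("md5") or "").lower()
        sha1 = (hashes.get("sha1") or "").lower()
        return sorted(hs.name for hs in self.sets.values()
                      if hs.enabled and (md5 in hs.md5 or sha1 in hs.sha1))

    def classify(self, hashes):
        """Single verdict per item; this example lets Notable outrank Known
        when an item sits in sets of both categories (a policy choice here,
        not an EnCase rule)."""
        categories = {self.sets[n].category for n in self.query(hashes)}
        if "Notable" in categories:
            return "Notable"
        if "Known" in categories:
            return "Known"
        return "Unknown"


# Constructed sample files standing in for evidence content.
OS_FILE = b"constructed sample: contents of a clean operating system file\n"
TOOL = b"constructed sample: contents of a known hacker tool\n"


def build_demo_library():
    lib = HashLibrary()
    lib.new_set("OS baseline", "Known", tags=["distribution set"])
    lib.new_set("Hacker tools", "Notable", tags=["malware"])
    lib.new_set("Seized media", "Notable", tags=["case"])
    # Distribution sets such as NSRL carry SHA-1 only, so MD5 must be optional.
    lib.add_items("OS baseline", [{"sha1": file_hashes(OS_FILE)["sha1"]}])
    lib.add_items("Hacker tools", [file_hashes(TOOL)])
    lib.add_items("Seized media", [file_hashes(TOOL), {"name": "no-hash.bin"}])
    return lib


if __name__ == "__main__":
    lib = build_demo_library()
    for label, content in (("os file", OS_FILE), ("tool", TOOL)):
        h = file_hashes(content)
        print(label, lib.classify(h), lib.query(h))
```

Because a set is matched on either digest, an examiner who only has SHA-1 values from a distribution set and only MD5 values from an older in-house set can still use both in one library; the cost of the extra metadata fields described later in this chapter is library size, not lookup time.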
EnCase uses an extensible format for hash sets that allows:
Hashing Features
EnCase hashing features include the following:
l Hash libraries that can contain multiple hash sets. Each set can be enabled or disabled.
l Ability to create as many hash libraries or hash sets as needed.
l Ability to report every match, if a hash belongs to multiple hash sets in a library.
l Ability for each case to use a maximum of two different hash libraries at the same time.
Note: When using the 32-bit Examiner to edit a large number of hash sets, you may
see an error message stating "Not enough storage is available to process this
command." This is a limitation of the 32-bit Examiner. We recommend using the 64-
bit Examiner.
To import hash sets from another library into an existing hash library:
1. Click Tools > Manage Hash Library. The Manage Hash Library dialog is displayed.
You can then browse to a library or enter Hashkeeper identification data to import individual
hash sets. To create new hash sets for this library, see Creating a Hash Set below.
Once created, you can add to hash sets on a case by case basis. Adding new files as time goes
by saves time and effort in subsequent investigations.
Hash sets (which contain individual hash entries) are located within hash libraries. Creating a
hash set is a two step process. The first step is to create an empty hash set in a library. The
second step is to add information to it.
3. In the Manage Hash Library dialog, click New Hash Set. The Create Hash Set dialog is displayed.
4. Enter a Hash Set Name, and enter information for Hash Set Category and Hash Set Tags.
o You can use the hash set category to identify the type of hash set. Although the
most common values are Known and Notable, you can specify any single value. You
can use the category to find or eliminate files.
o Hash set tags allow you to specify multiple identifiers for a hash set. As with hash set
categories, you can use hash set tags to find or eliminate files.
5. When you are prompted to add the new hash set, click OK, then click OK again. The new hash set is added to the list of Hash Sets in the Manage Hash Library dialog.
1. Add the device or evidence from which you want to generate a hash value to a case.
2. Hash the files on the device by using the hashing feature of the Evidence Processor or
Hash Individual Files from the Entry > Entries menu item.
3. Using the Tree and Table panes, check those entries whose hash values you want to add
to the hash set.
4. On the Evidence tab, under Entries view, click the Entries dropdown menu and select
Add to Hash Library. The Add to Hash Libraries dialog is displayed.
5. Using the Hash Library Type dropdown menu, choose the hash library to add the hash
items to.
6. Select the Primary or Secondary hash library (see below for information on setting the Primary and Secondary libraries), or Other, if you need to place the item in a different library.
7. After you have selected a library, select one or more previously created hash sets (by
checking their boxes) from the Existing Hash Sets dialog. If you need to create a new
hash set, right-click in the Existing Hash Sets table and select New Hash Set. The New
Hash Set dialog is displayed.
8. In the Fields list, select the metadata fields you want to add to the hash library for the
selected items. Some fields are added by default; however, you can add other optional
fields. All fields added to the hash set are reported when a hash comparison matches a
particular hash set.
9. Click the Skip items with no MD5 or SHA1 checkbox to skip all blank items and allow the
import to proceed without manually locating and deselecting files with no hash values.
10. When you finish, click OK.
Note: Adding additional fields does not increase the comparison time, but does
increase the size of the library.
4. In the Hash Library Type dropdown menu, choose the hash library (Primary, Secondary,
or Other) where you want to add results.
5. Select one or more previously created hash sets from the Existing Hash Sets list.
6. The Name, Logical Size, MD5, and SHA1 fields are included by default. Select any addi-
tional metadata fields you want to add to the hash library for the selected items from the
Fields list. All fields added to the hash set will be reported when a hash comparison
matches a particular hash set.
7. Click the Skip items with no MD5 or SHA1 checkbox to skip items with no MD5 or SHA1
available and allow the import to proceed without manually locating and deselecting files
1. On the home page, click Tools > Manage Hash Library > Open Hash Library.
2. Use the existing hash library, or click the browse button and select a different hash library
and click OK.
3. The Manage Hash Library dialog lists the hash sets in the hash library.
4. Click Query All. The Hash Library Query dialog is displayed.
5. Paste the value into the Hash Value field and click Query. Any matches display in the
Matching hash items table.
6. To obtain more detailed information about the matched hash item, click either Show
Metadata or Show Hash Sets.
Hash set names and associations with individual entries are collected in the device cache after
you set up primary and secondary hash libraries for a case and process evidence. The top
three hash set names are pulled from this cache and display in a column in the Table pane.
1. Set up primary and secondary hash libraries. See Creating a Hash Library on page 330.
2. Select the evidence files for which you want to view associated hash sets.
3. Process the evidence. See Processing Evidence on page 159.
Cache information is preserved until you make a change in the hash library. Reprocessing the
evidence updates the hash set associations in the device cache.
1. Select the evidence files for which you want to view updated hash set associations.
2. Select Process from the Evidence ribbon. The EnCase Processor Options dialog is displayed.
1. From the home page, click Tools > Manage Hash Library.
2. In the Manage Hash Library dialog, click Manage Hash Items. The Viewing (Hash Set) dialog is displayed.
1. In the Viewing (Hash Set) dialog, check the boxes in the Hash Items column you want to
delete. This enables the Delete All Selected button.
2. Select the items you want to delete, then click Delete All Selected.
1. Click Tools > Manage Hash Library. The Manage Hash Library dialog is displayed.
2. Check the boxes next to the hash sets whose values you want to change.
3. Select Edit Selected from the Hash Sets menu bar. The Edit Selected dialog is displayed.
4. Check the Hash Set Category checkbox, the Hash Set Tags checkbox, or both, and enter the new value in the corresponding text box.
5. Click Finish.
The latest version of NSRL RDS is available for download directly from the National Institute of Standards and Technology in EnCase format via this link: http://www.nsrl.nist.gov/Downloads.htm.
l Check case information against the Project VIC hash library by:
o Downloading the hash library
o Importing the hash library into EnCase
o Applying the hash library to your case
o Performing hash analysis
4. Double-click Primary or Secondary. In the Browse for Folder dialog, navigate to the Project VIC hash library folder you created and click OK. The Existing hash sets area of the Hash Libraries dialog populates with the Project VIC hash sets. Click OK.
5. A prompt displays, informing you that you will need to manually run a hash analysis to
update the cache. Click OK to proceed.
6. Click Yes.
7. Click OK to close the Hash Libraries dialog.
8. Perform a hash analysis (CTRL-SHIFT-H).
9. When processing is finished, the Refresh button in the upper right corner of the Evidence
Tab is enabled.
10. Click the Refresh button. The Tree view updates with the Project VIC hash library applied
to the relevant files. Matches display in the Hash Set Names column.
CHAPTER 10
BOOKMARKING ITEMS
Overview
EnCase allows files, sections of file content belonging to different data types, and data
structures to be selected, annotated, and stored in a special set of folders. These marked data
items are bookmarks, and the folders where they are stored are bookmark folders.
EnCase stores bookmarks in .case files, and also stores metadata and content associated
with a bookmark in the actual bookmark.
Bookmarks and the organization of their folders are essential to creating a solid and
presentable body of case evidence. You can examine bookmarks closely for their value as case
evidence, and additionally, use the bookmark folders and their data items to create case
reports. For more information, see Generating Reports on page 435.
l An expanse of raw text within a file or document. The raw text is usually a portion of ASCII
or Unicode text, or a hexadecimal string.
l A data structure. Data structure bookmarks mark evidence items of particular data interpretation types.
Note: If there is an allocated file associated with a deleted, overwritten file, both files
are bookmarked.
1. In the Evidence tab, go to the Table pane and select the file containing the content you
want to bookmark.
2. In the View pane, click the appropriate tab (Text or Hex).
3. Highlight the raw text you want to bookmark.
4. On the menu bar, click Bookmark > Raw text or right-click the highlighted text and click
Bookmark > Raw text.
5. The Raw Text dialog is displayed. Type some identifying text in the Comments box on the
Properties tab that makes it easy to identify the bookmarked content. If desired, you can
highlight a string, create a bookmark, and then highlight a separate string with a different
color and create it as a separate bookmark.
6. Click the Destination Folder tab to display the bookmark folder hierarchy for the current
case, then click the bookmark folder where you want to place this sweeping bookmark.
In the example below, the Highlighted Data subfolder is selected. Note that you can
always rename bookmark folders or move the bookmark later.
1. Select the evidence item of interest from the Table pane of the Evidence tab.
2. Examine the file content in the View pane by clicking the Text or Hex tab. As an example,
let's assume that characters displayed in the pane are not in an easily readable format.
Select the bytes of interest.
3. Click the Decode tab in the lower right pane.
l The Quick View decoder enables you to view common decode interpretations in
one screen.
o When populating the Quick View table, all bytes required to successfully
interpret the data are read.
o For example, if one byte is selected, and four bytes are required to decode a
32-bit integer, Quick View looks at the next three bytes to provide the
decoded interpretations.
l The View Types list displays specific decoded values, organized in a tree structure.
o With the exception of pictures, when viewing by Type, only the selected
bytes are interpreted.
o For example, if one byte is selected, and four bytes are required to decode a
32-bit integer, a decoded interpretation is not available.
4. Use the Quick View or the View Types lists to investigate the data. To investigate date/time data, expand the Dates folder.
5. For this example, the HFS Plus Date option yields a satisfactory interpretation of the
data.
6. To bookmark the data, click the Bookmark toolbar button. The Data Structure dialog is
displayed.
7. In the Data Structure dialog, type text about the data structure bookmark in the Comments box and click the Destination Folder tab.
8. In the Destination Folder box, click the folder where you want to store this data structure bookmark.
9. Click OK.
1. From the appropriate tab, select the file of interest in the Table pane by clicking its row. In
the example below, a .pst file is selected.
Note: You cannot use this bookmark selection with sweeping bookmarks.
1. In the Table pane, select two or more files. When selecting multiple files in the Table
pane, use the checkboxes beside the files.
2. On the toolbar, click Bookmark > Selected items
3. The Selected items dialog opens. Type some identifying text in the Comment box on the
Properties tab that describes the file. You can also use the browse button to view a list of
existing comments, and use one of those.
4. Click the Destination Folder tab to display the case's bookmark folder hierarchy, and
click the bookmark folder where you want to store the bookmarks.
5. Click OK.
OVERVIEW
You can Bookmark all artifacts and items associated with a Case Analyzer report directly from
Case Analyzer.
BOOKMARKING PROCESS
Follow these steps to create a Bookmark in Case Analyzer.
5. Enter a name for the Bookmark or accept the default. The Bookmark name is the name of
the current report, by default.
6. Enter a comment or accept the default. Each comment includes information on the
source of the bookmarked data. The Comment text defaults to the text shown when you
click About for the current report.
7. The Destination Folder dialog is displayed.
8. Select a destination folder for the Bookmark or create a new folder. Click Next.
9. The Add Datamark dialog is displayed.
10. Select a column to categorize the Bookmark. The Bookmark is displayed in this column in
the final report.
11. Click Finish. EnCase adds the new Bookmark to the case.
Table Bookmarks
You can select a table to bookmark. Highlight a table and select it as a Table bookmark in order
to save its metadata and store it in a bookmark folder. Table bookmarks are especially useful
for representing evidence data in reports.
Transcript Bookmarks
If the Transcript tab in the Viewer pane is active, you can bookmark transcript text.
The Transcript tab extracts text from a file containing mixtures of text and formatting or
graphic characters. The transcript view is useful for creating bookmarks inside files that are not
normally stored as plain text, such as Excel spreadsheets.
Notes Bookmarks
Notes differ from other bookmarks in that you use them with other bookmarks to annotate
report data. They do not mark distinct evidence items like other types of bookmarks. A notes
bookmark has a field reserved only for comment text that can hold up to 1000 characters.
4. Type a Name for the note bookmark, then type text in the Comment box or browse for a
list of previous comments. This is the bookmark text where the note is added.
5. Click OK.
To show the notes in their true order in the bookmark folder hierarchy, click Split Mode on the Bookmark toolbar and select Table view.
Use the Report tab in the View pane to show how the note actually is displayed in reports, as
shown above.
1. While in the Evidence tab, select the document you want to bookmark from your evidence list and click the Doc tab in the lower view pane.
2. In the Doc tab, select Bookmark Page as Image. A dialog opens, displaying all the pages in
the selected document.
3. Select the page(s) you want to create as an image, and click Next.
The image is added to all appropriate reports automatically. Original formatting and
pagination, when available, is preserved.
Bookmark folders are organized according to a standard tree structure, with a folder named
"Bookmark" at the top the hierarchy. The various bookmark folders (and subfolders) are
beneath this node.
If you are not using the default bookmark folders, assign bookmark folder names that identify
their content or are meaningful to your case team. For example, you can organize the folders
by type of computer evidence, or by relevance to a particular part of the case.
Note: Bookmark folders are nonspecific in nature. Any default folder or folder you
create can hold any data type or content.
To display the set of default bookmark folders for the #Basic template, start a case and choose
the #Basic template.
We recommend using the supplied labels for the bookmark folders to organize the types of
bookmarked content (Documents, Pictures, Email, and Internet Artifacts). Although this folder
organization is entirely flexible, bookmark folders are directly linked to the Report template
that is also included in the default templates. If a case grows to where it needs more bookmark
folders or a greater level of bookmark organization, you can create new folders or modify the
folder organization, but you may need to make changes to the Report template.
1. In the Tree view of the Bookmark tab, click the Bookmark folder you want to delete.
2. Right-click the folder and click Delete Folder.... A delete confirmation prompt is displayed.
3. Click Yes to delete the folder.
Note: Deleting a bookmark folder also deletes any bookmarked items in the folder, so use caution.
Editing Bookmarks
To edit a bookmark:
1. Click Edit... and modify the text in the Comments box of the Properties tab.
2. You can also click the browse button (...) in the dialog to view a list of bookmark comments.
3. Select a comment from the list to replace the current comment.
4. Click OK.
Renaming Bookmarks
To rename a bookmark:
Decoding Data
You can see decoded interpretations of your evidence, when viewing it in text or hex format,
using the Decode tab in the lower right pane of the Evidence pane.
1. On the Text or Hex tabs in the View pane, select the bytes you want to decode.
2. Click the Decode tab in the lower right pane and select from the list of decoding options.
3. View the decoded interpretations of your evidence:
l The Quick View decoder enables you to view common decode interpretations in
one screen.
o When populating the Quick View table, all bytes required to successfully
interpret the data are read.
o For example, if one byte is selected, and four bytes are required to decode a
32-bit integer, Quick View looks at the next three bytes to provide the
decoded interpretations.
l The View Types list displays specific decoded values, organized in a tree structure.
o With the exception of pictures, when viewing by Type, only the selected
bytes are interpreted.
o For example, if one byte is selected, and four bytes are required to decode a
32-bit integer, a decoded interpretation is not available.
o EnCase Forensic attempts to decode pictures from the selected starting
byte. The bytes for the entire picture do not need to be selected.
Text
The Text folder contains child objects for formatting which you can use when displaying
bookmarked content as text.
Pictures
The Pictures data types display data as images.
Integers
The Integers data types include these categories:
Dates
The Dates data types include these categories:
l DOS Date displays a packed 32-bit value made of two 16-bit words, a date (year counted from 1980, month, day) and a time of day (hours, minutes, seconds in two-second steps), recording in local time when an MS-DOS file was last written to.
l DOS Date (GMT) displays the same packed value but interprets the time portion as GMT.
l UNIX Date displays a 32-bit Unix timestamp in seconds based on the standard Unix epoch of 01/01/1970 at 00:00:00 GMT.
l UNIX Date Big-endian displays the same Unix timestamp read as a big-endian integer.
l UNIX Text Date displays a Unix timestamp in seconds written as text, based on the same epoch.
l HFS Date displays a Macintosh HFS timestamp, a count of seconds since 01/01/1904 at 00:00:00 stored in local time, that specifies when the file was last written to.
l HFS Plus Date is an improved version of HFS Date: the same 1904 epoch, but stored as GMT. HFS Plus is also referred to as "Mac Extended."
l Windows Date/Time displays a Windows FILETIME value, a 64-bit count of 100-nanosecond intervals since 01/01/1601 at 00:00:00 GMT, that specifies when the file was last written to.
l Windows Date/Time (Localtime) displays the same value interpreted as local time rather than GMT.
l OLE Date displays a date as a double-precision floating point value that counts the days from 30 December 1899 00:00:00; the fractional part is the time of day.
l Lotus Date displays a date from a Lotus Notes database file.
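The following Python is an added example, not EnCase code and not how EnCase itself implements the Decode tab: it decodes the date formats listed above from the raw bytes an examiner would select in the Hex tab, using the standard epochs (Unix 1970-01-01 UTC, HFS Plus 1904-01-01 UTC, Windows FILETIME 100-nanosecond ticks from 1601-01-01 UTC, OLE days from 1899-12-30, DOS date and time words counted from 1980 in local time). The quick_view function mimics the Quick View behaviour of showing every interpretation the bytes support and dropping the ones that do not decode. Sample inputs are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not EnCase code: decoders for the date formats listed above,
# taking the raw bytes an examiner would select in the Hex tab. Epochs are the
# standard ones: Unix 1970-01-01 UTC, HFS+ 1904-01-01 UTC, Windows FILETIME
# 100 ns ticks from 1601-01-01 UTC, OLE days from 1899-12-30, DOS date/time
# counted from 1980 in local time. Sample inputs are constructed.

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=UTC)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
OLE_EPOCH = datetime(1899, 12, 30)          # OLE dates carry no time zone


def unix_date(b, big_endian=False):
    """UNIX Date / UNIX Date Big-endian: 32-bit seconds since the Unix epoch."""
    (secs,) = struct.unpack(">I" if big_endian else "<I", b[:4])
    return UNIX_EPOCH + timedelta(seconds=secs)


def unix_text_date(text):
    """UNIX Text Date: the same count written as decimal text."""
    return UNIX_EPOCH + timedelta(seconds=int(text.strip()))


def hfs_plus_date(b):
    """HFS Plus Date: big-endian seconds since 1904-01-01 00:00:00 UTC."""
    (secs,) = struct.unpack(">I", b[:4])
    return HFS_EPOCH + timedelta(seconds=secs)


def windows_filetime(b):
    """Windows Date/Time (FILETIME): little-endian 64-bit count of 100 ns ticks
    since 1601-01-01 UTC. Accepts the raw bytes or the integer tick count."""
    ticks = b if isinstance(b, int) else struct.unpack("<Q", b[:8])[0]
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def ole_date(b):
    """OLE Date: little-endian double, days since 1899-12-30. For negative
    values the day part is negative but the fraction is still time of day."""
    value = b if isinstance(b, float) else struct.unpack("<d", b[:8])[0]
    days = int(value)                       # truncates toward zero, not floor
    return OLE_EPOCH + timedelta(days=days) + timedelta(days=abs(value - days))


def dos_datetime(b, time_first=True):
    """DOS Date: two packed little-endian 16-bit words, local time.
    FAT directory entries store the time word before the date word.
    Raises ValueError when the packed fields do not form a real date."""
    w1, w2 = struct.unpack("<HH", b[:4])
    t, d = (w1, w2) if time_first else (w2, w1)
    return datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


DECODERS = (
    ("UNIX Date", unix_date),
    ("UNIX Date Big-endian", lambda b: unix_date(b, big_endian=True)),
    ("HFS Plus Date", hfs_plus_date),
    ("Windows Date/Time", windows_filetime),
    ("OLE Date", ole_date),
    ("DOS Date", dos_datetime),
)


def quick_view(b):
    """Like the Quick View table: every interpretation the bytes support,
    silently dropping formats that need more bytes or decode to nonsense."""
    out = {}
    for name, fn in DECODERS:
        try:
            out[name] = fn(b)
        except (struct.error, ValueError, OverflowError):
            pass
    return out


if __name__ == "__main__":
    for name, value in quick_view(bytes.fromhex("00e10b5e")).items():
        print(f"{name:22s} {value}")
```

Note that only four bytes are needed for the Unix, HFS Plus and DOS interpretations while FILETIME and OLE need eight; selecting four bytes therefore never yields a FILETIME interpretation, which matches the View Types rule that only the selected bytes are interpreted.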
Windows
The Windows data types include these categories:
- Partition Entry displays a partition table entry from the Master Boot Record.
- DOS Directory Entry displays a DOS directory entry.
- Win95 Info File Record displays Recycle Bin details from Windows 9x INFO files.
- Win2000 Info File Record displays Recycle Bin details from Windows 2000+ INFO files.
- GUID displays a 128-bit globally unique identifier (GUID).
- UUID displays a 128-bit universally unique identifier (UUID).
- SID displays a Windows Security Identifier (SID).
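GUID, UUID, and SID are the three Windows data types above that turn raw bytes into an identifier string, and GUID and UUID differ only in byte order. The decoders below are an added example for this guide, not EnCase or OpenText code; they follow the documented Windows layouts (GUID with little-endian Data1/Data2/Data3, UUID fully big-endian, SID with a 6-byte big-endian identifier authority and little-endian sub-authorities). The sample bytes are constructed, and the SID samples are the well-known Administrators and Everyone SIDs.

```python
"""Decode the binary forms of the GUID, UUID, and SID data types.

Added example, not EnCase code. Layouts are the documented Windows ones;
the sample bytes in the usage are constructed.
"""
import struct


def decode_guid(raw: bytes) -> str:
    """Windows GUID: Data1 (u32), Data2 (u16), Data3 (u16) little-endian, then 8 bytes in order."""
    if len(raw) != 16:
        raise ValueError("GUID must be exactly 16 bytes")
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    tail = raw[8:]
    return f"{d1:08x}-{d2:04x}-{d3:04x}-{tail[:2].hex()}-{tail[2:].hex()}"


def decode_uuid(raw: bytes) -> str:
    """RFC 4122 UUID: all 16 bytes big-endian, so the text is the hex split 8-4-4-4-12."""
    if len(raw) != 16:
        raise ValueError("UUID must be exactly 16 bytes")
    h = raw.hex()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def decode_sid(raw: bytes) -> str:
    """Windows SID: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count sub-authorities as little-endian u32."""
    if len(raw) < 8:
        raise ValueError("SID header needs at least 8 bytes")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    need = 8 + 4 * count
    if len(raw) < need:
        raise ValueError(f"SID declares {count} sub-authorities but only {len(raw)} bytes are present")
    subs = struct.unpack(f"<{count}I", raw[8:need])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


if __name__ == "__main__":
    sixteen = bytes.fromhex("33221100554477668899aabbccddeeff")   # constructed
    print(decode_guid(sixteen))     # 00112233-4455-6677-8899-aabbccddeeff
    print(decode_uuid(sixteen))     # 33221100-5544-7766-8899-aabbccddeeff (same bytes, other type)
    print(decode_sid(bytes.fromhex("01020000000000052000000020020000")))   # S-1-5-32-544
```

The GUID/UUID pair shows why the choice of data type matters: the same sixteen bytes bookmarked as a UUID rather than a GUID yield a different, equally well-formed identifier, and only one of them will match what the application that wrote the bytes reports.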
CHAPTER 11
TAGGING ITEMS
Overview
The EnCase tagging feature lets you mark evidence items for review. You define tags on a per-case basis; default tags can be part of a case template.
Any item that you can currently bookmark can also be tagged. You can search for tagged items, view them on the Search Results tab, and view the tags associated with a particular item in Evidence or Record view.
- You can create tags as part of a case or add them to a case template, then customize each tag with specific colors and display text.
- You can edit saved tags: change their colors and text, hide specific tags from view, and delete tags.
- You can directly manipulate tags on the EnCase user interface: modify the order in which they display, delete them from the display, and so forth.
- You can build searches based on tags you have created and tag search results. You can also combine tags with index and keyword search queries.
- You can sort the tag column to find items with multiple tags.
- Tags are persistent when you are working with entries and when you save and re-open a case.
- Tags are local to a specific case (that is, you cannot create global tags).
- You can create up to 63 unique tags per case.
- Each item, entry, email, or artifact can have multiple tags.
Creating Tags
To create a tag:
5. Repeat the preceding two steps until you have created the set of tags you need. You can
always add, remove, and rename tags while working on a case.
Tagging Items
To tag an evidence item:
1. On the Evidence tab, display your evidence items. (You can also assign tags to Artifacts, Bookmarks, and Results.)
2. Highlight or check the evidence item to which you want to assign a tag.
3. Display a list of available tags by clicking Tags > Show Tag Pane. A pane is displayed in the lower right corner of the EnCase user interface. The pane contains a list of default and custom tags and the number of occurrences of each tag.
4. Check the tag that you want to assign to an evidence item.
5. The tag is displayed in the Tag column of the selected evidence item.
You can also tag an item by clicking its position in the Tag column:
1. Display a list of available tags by clicking the Tags tab in the lower right pane. The order in which the tags are shown in the table (top to bottom) corresponds to the order in which they display in the Tag column (from left to right).
2. Click the space in the item's Tag column where the tag would be displayed. The tag is displayed.
3. As an example, if you configured two tags:
  - The left half of the Tag column is used to display the first tag.
  - The right half of the Tag column is used to display the second tag.
4. Click the first half of the tag cell to display the item's first tag, and the second half of the tag cell to display the item's second tag.
5. To remove a displayed tag, click it.
SORTING TAGS
You can sort the entire tag column by individual tag. Clicking the tag name within the tag
column header sorts the column by the tag name. Also, clicking the narrow gray area around
the tag name, within the tag column, sorts the entire contents of the tag column.
In ascending order, items with a tag in the rightmost column are sorted first. Items with a tag in the second rightmost column are sorted second.
In descending order, items with a tag in the leftmost column are sorted first. Items with a tag in the second leftmost column are sorted second.
- Hot keys are assigned to the first ten tags in the Tag database.
- The hot keys Alt-1 through Alt-9 and Alt-0 are assigned to the first ten tags.
- Remaining tags can be assigned via the second-level menu: All Other Tags.
- The maximum number of tags allowed in a case is 63. Using the Manage Tags option, you can create additional tags beyond the case limit of 63.
Click the Tags dropdown menu to view keyboard shortcuts for tags.
Hiding Tags
You can choose to hide tags in the Tag column or the Tag pane using the Manage Tag dialog.
You can also unhide a previously hidden tag in the same way. Hiding a tag prevents it from
being displayed without deleting the tag.
Deleting Tags
You can delete tags from the Manage Tags window. Deleting a tag removes the tag name from
the case and deletes all references to the tag in the tag database. This action cannot be
undone.
To delete a tag:
1. On the Evidence tab, click the Tags button. The Manage Tags window is displayed.
2. Check the row of the tag that you want to delete.
3. Click the Delete button on the Manage Tags toolbar.
Note: If the tag is assigned to at least one case item, a warning dialog is displayed with the number of tags to be deleted. If no items are tagged, no warning dialog is displayed.
1. Left click on a tag in the cell and hold the mouse button down.
2. Drag the tag to a new position in the cell and release the mouse button.
CHAPTER 12
USING ENCASE PORTABLE
Overview
EnCase Portable automates the collection of evidence from computers in the lab and in the
field. It is a self-contained application that runs on a removable USB device inserted into a
running machine.
EnCase Portable functionality is included in the full EnCase product. It can also be purchased
separately as a standalone product to create, manage, run, and analyze jobs.
- The Portable device contains and executes preconfigured jobs that collect evidence from target machines.
- When using the standalone version of EnCase Portable, EnCase Portable is executed from the security key.
- Evidence can be stored on the Portable device if desired. However, a separate Portable storage device can be used to collect large amounts of evidence if necessary.
EnCase Portable can be run using an EnCase Portable security key, or on a prepared Portable
device. When EnCase Portable is run from a Portable security key, you can create collection
jobs directly on the device. When using Portable functionality from EnCase, you can create
collection jobs in EnCase and export them to either a Portable security key or a prepared
portable device.
Once the evidence is collected directly on the Portable device or the Portable storage device, it
can be analyzed in the field or imported back into EnCase to review the results. You can build
and generate reports that capture all or selected parts of the collected information.
1. Create your collection jobs in Portable Management. This can be done from EnCase or on
the Portable device itself.
2. If the jobs were created in EnCase, export the jobs to the Portable device.
3. Run the jobs from the Portable device.
4. Analyze the collected data.
5. If you own EnCase, import the evidence you have collected into EnCase.
6. Build and generate reports.
If EnCase is installed, jobs are typically created in EnCase and exported to the Portable device.
You can also create and edit jobs directly from the Portable device. Once a job is created, you
can modify or copy it to create other jobs. Some jobs can be configured to triage the
information as it comes in, so you can choose exactly what information to collect.
Jobs use modules, which are configurable sets of instructions for how to look for certain kinds
of data, such as information found in running memory, certain types of files, etc. Modules also
define a specific set of data to be collected. You can configure the information collected by a
module by selecting a specific set of options for each module.
SYSTEM MODULES
- The System Info Parser module collects system artifacts related to user activity, network
SEARCH MODULES
- The Personal Information module collects information about files containing personal information. This module searches all document, database, and Internet files and identifies Visa, MasterCard, American Express, and Discover card numbers, as well as Social Security numbers, phone numbers, and email addresses. Jobs created with this module enable you to triage information as it is being collected.
- The Internet Artifacts module collects a history of visited websites, user cache, book-
From within the File Processor module, you can elect to find data using metadata, keywords, or hash sets, or find picture data. You can also configure your own collection sets using an entry conditions dialog. Jobs created with this module enable you to triage information as it is being collected. You can then decide what files, if any, to collect.
events logged into system logs, including application, system, and security logs.
- The Unix Login module parses the Unix system WTMP and UTMP files, which record all login activities.
- The Linux Syslog Parser module collects and parses Linux system log files and their system messages.
COLLECTION MODULES
- The Snapshot module collects a snapshot of pertinent machine information. Captured information includes running processes, open ports, logged on users, device drives, Windows services, network interfaces, and job information.
- The Acquisition module acquires drives and memory from target machines.
- The Screen Capture module preserves images of each open window on a running machine.
Creating Jobs
You can create a job either from within EnCase or from the Portable device when in the field.
Modules are used to collect information about files and machines in specific ways. After
naming a job, you select modules and configure them to your needs. To set module options,
double click the module name. Most modules are collection modules that gather and collect
information into an evidence (.Ex01/.E01) or logical evidence (.Lx01/.L01) file.
Some modules (such as the File Processor module) provide you with the ability to review and
triage your information as it is being scanned on the target machine.
4. Text entered in the Description field (optional) is aligned with job names under Recent
Jobs in the Portable Home screen.
5. Click Next to open the Module Selection dialog. This dialog shows module groupings in
the left pane and the current configuration options for the selected module in the right
pane.
6. Select one or more modules by checking the checkbox by the module's name.
7. When available, options for each module can be selected by double clicking the module
name. For more information, see documentation for the specific module.
8. Click Next to open the Compound File Options dialog.
The Compound File Options dialog provides options for whether compound file types
selected in the File Types box are mounted (unpacked) and scanned.
If any option other than the first option is selected, you can select how to detect which files to mount and select the specific file types to process:
  - Do not mount does not perform any unpacking of compound files, so the files are processed without unpacking any of the internal content.
  - Mount - detect extension causes files with a matching extension to be mounted and processed. No signature verification is conducted.
  - Mount - detect signature results in a signature analysis being run on all files to determine if they are a compound file of interest. Files with the correct signature are then mounted and processed.
9. Click Next to open the Output File Options dialog. This dialog provides control over the format of the collected evidence.
  - File Format options determine the type of file to create. Lx01 is an encrypted logical evidence file format. L01 is a legacy unencrypted logical evidence file format.
  - Segment Size determines the size, in megabytes, of the individual segments of the evidence file.
  - Check Compression to compress the EnCase evidence file.
  - Use the Entry Hash dropdown to select the type of hash algorithm used for each file system entry.
  - The Encryption Keys box enables you to add multiple encryption keys for use in encrypting Lx01 files. Evidence collected when triage is enabled cannot be encrypted.
    New allows you to generate a new encryption key.
    Change Root Path enables you to specify a folder where EnCase encryption keys are stored.
2. In the Select Jobs table, select the jobs you want to add to the Portable device.
3. In the Select Devices table, select the device you want to add the jobs to.
4. Click Add Jobs. The Adding Jobs status window displays the updating process.
5. When completed, click Finished.
Modifying a Job
1. Select Tools > Portable Management and double click the job you want to modify. The
Edit: # Collect Document Files dialog is displayed.
2. The tabs display the previously selected settings. Modify the name, module selections,
module options, target options, and encryption options as desired and click OK.
Duplicating a Job
1. Select Tools > Portable Management.
2. Select the job to duplicate in the Select Jobs section and click Duplicate. The Copy Job dialog is displayed.
3. Enter a new name for the job and click OK. EnCase transfers all the settings from the first
job to the new job.
4. Edit the new job to modify its settings.
Finding Jobs
By default, jobs are stored on the Portable device in the \Jobs folder. Using Windows
Explorer, or another file management tool, copy or move the .enjob file to the desired location
on your local drive or other device.
If a job is not contained in the \Jobs folder you can find its location by finding and opening its
containing folder:
1. Select Tools > Portable Management. The Portable Management dialog is displayed.
2. In the Select Jobs section, right-click the job name you want to locate and select Open
Containing Folder.
3. A dialog displays the location of the file in the folder hierarchy.
4. By default, user-created jobs are stored in the \Documents\EnCase\Storage folder created in the user profile folders of your EnCase installation. If you are using the standalone version of Portable, user-created jobs are stored in the \Jobs folder on the Portable device.
1. Select Tools > Portable Management. The Portable Management dialog is displayed.
2. In the Select Jobs section of the Jobs tab, click Import Old Jobs. The Browse For Folder
dialog is displayed. Navigate to the version of EnCase you are currently running.
3. Select the specific storage location of the jobs and click OK. The Importing Old Jobs dialog
is displayed.
4. All .ini jobs are converted to the new .enjob format. When done, click Finished. The
imported jobs are displayed in Portable Management.
Deleting Jobs
  - All portable devices that hold at least one target database are displayed, along with all target databases present on each device.
  - Clicking the device name in the left pane automatically selects all target databases present on that device.
  - After selecting at least one target database, the Delete Selected button becomes enabled.
System Modules
System modules collect information about files and machines. Most of these modules contain
options that you can configure for your specific needs. To set module options, double click the
module name.
Most modules are collection modules that gather and collect information into an evidence
(.Ex01/.E01) or logical evidence (.Lx01/.L01) file.
Some modules (such as the File Processor module) let you review and triage your information
as it is being scanned on the target machine.
The module works with both Linux and Windows operating systems, and displays different
data depending on the operating system of the collection target. The module also uses
different files to parse the data, depending on the system. For Windows systems, all data is
collected from the Windows registry. For Linux systems, the data is compiled from various
configuration files found throughout the file system.
- Ubuntu 8
- Fedora 8
The job summary displays results based on the options selected from the Standard and
Advanced tabs.
STANDARD OPTIONS
The Standard tab of the System Info Parser lets you choose from categories of data that can be
collected. These categories correspond to different data stores on the target machines,
depending on the operating system.
- Startup Routine (Linux only) retrieves information from supported Linux systems about scripts that execute when the system starts and shuts down.
- User Activity (Linux only) retrieves information from supported Linux systems pertaining to typed user commands. This information depends on what shell is being used.
- Operating System retrieves:
  - The time zone of the computer.
  - System startup mode information, such as the default place to save startup scripts.
  - Login prompt and version information shown during startup.
  - Boot manager information.
  - Language settings.
- Hardware retrieves the hardware configuration of the computer as it was checked during startup, including hardware adapters/devices, architecture information, and so forth.
- Software retrieves two types of software information:
  - Cron jobs scheduled to run at particular times.
  - All applications installed on the computer.
- Accounts/Users retrieves user and password information, including domain users who have logged onto the machine.
- Network retrieves information about interfaces and their corresponding device names and options, as well as the host name of the computer.
- Shared/Mapped Devices retrieves information about mapped or mounted network shares and drives.
- USB Devices retrieves the history of USB device use from the Registry.
- Network Shares retrieves "shellbag" keys, which record what UNC paths a user visits.
ADVANCED OPTIONS
The Advanced tab lets you specify registry keys to collect from target machines running
Windows. You need to know the Windows version-specific locations of relevant data within
the registry before using this tab.
- Link Files creates an output artifact for each Link file (usually *.lnk) found during preprocessing. This selection adds Created, Accessed and Modified data properties plus the path to the file that is referenced by the link to each output artifact.
- Recycle Bin Files creates an output artifact for each item found in the file that holds information about deleted files. This selection adds the path of the original file location as the path data property to each output artifact.
- MFT Transactions creates an output artifact for each item in the Master File Table transaction log "$Log" file (which records all redo and undo information for each user file that is updated). This selection adds Created, Written, Accessed, and Modified data properties to each output artifact for these types of items.
- ShellBags creates an output artifact for registry keys that indicate size, view, icon and folder position used within Windows Explorer.
Select Search Unallocated to enable a search of unallocated space for the Windows Artifacts.
Encryption
The Encryption module produces a single page report listing the encryption type of each drive
and volume on the target system. After jobs using this module are run, the report is available
as a Summary Report and as the Encryption Report in standard reports.
This module is used only on machines that are already running, and depends on core
encryption analysis. It does not work on evidence files.
Only supported encryption types are shown; do not assume that a device is not encrypted if
its encryption type is not displayed.
Search Modules
Search modules find information about files and machines in specific ways. Most of these modules contain options that you can configure. To set module options, double click the module name.
Personal Information
The Personal Information module collects information about files containing personal
information. By default, this module searches all document, database, and Internet files and
identifies files containing the types of personal information listed below. Files are identified but
the information and the file itself are not collected. Reports show which files have personal
information content, and what type of content that is. This prevents potential abuse of this
kind of data.
Jobs created with the Personal Information module let you triage the scanned data as it is
being gathered. You can stop a scan when you find the information you are seeking or
determine that the scan will not prove useful.
For more information, including the GREP expressions used, see FAQs on page 429.
GENERAL TAB
Select Entry condition and click Edit to specify or modify which conditions are used to search
for the personal information selected. By default, the entry condition is set to search only files
that match the document, database, Internet, or unknown file categories.
The Hit Threshold lets you ignore files with only a few hits. For example, if you set the
threshold to 5, only files containing five or more PII hits are collected. Any file with fewer than
five hits is ignored. The default is 1.
The Phone numbers options find information containing U.S. and Canadian formatted phone
numbers, with or without separators. You can select whether to search for numbers with or
without area codes.
The results section enables you to choose how you want to receive the results of your search:
- Generate Report allows jobs to run normally without triaging data as it is being collected.
- Triage displays data for review by the examiner, as it is being collected.
- Prompt when run lets you turn the Triage feature on or off during data acquisition.
- All detected numbers are subjected to validation to prevent random 16-digit numbers from being identified.
- Credit card number validation is performed using the Luhn or Modulus/Mod 10 algorithm.
- Both card numbers with separators (1234-5678-9012) and without separators (123456789012) are identified.
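The validation step above is what keeps a PII scan from flagging every 16-digit order number it sees. The Python below is an added example for this guide, not EnCase or OpenText code; it finds candidate numbers with or without separators, rejects those that fail the Luhn (mod 10) check, attributes the survivors to Visa, MasterCard, American Express, or Discover using the public issuer prefix ranges, and applies a hit threshold in the sense of the Hit Threshold option. The candidate pattern, the prefix table, and the sample text are assumptions constructed for the example; the card numbers in the sample are widely published test numbers, not real accounts.

```python
"""Locate card numbers in text, keep only Luhn-valid ones, and apply a hit threshold.

Added example, not EnCase code. The candidate pattern, issuer prefixes, and
SAMPLE_TEXT are constructed for this example.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod 10: from the right, double every second digit, subtract 9 if the
    result exceeds 9, sum everything, and require a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_of(digits: str):
    """Public issuer identification ranges; returns None for anything else."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "MasterCard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    return None


def find_card_numbers(text: str) -> list:
    """Return one dict per validated hit: matched text, normalized digits, issuer."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue               # random digit runs fail mod 10 nine times in ten
        issuer = issuer_of(digits)
        if issuer is None:
            continue               # Luhn-valid but not a recognized card range
        hits.append({"text": m.group(), "number": digits, "issuer": issuer})
    return hits


def meets_threshold(text: str, hit_threshold: int = 1) -> bool:
    """A file is reported only when it carries at least hit_threshold validated hits."""
    return len(find_card_numbers(text)) >= hit_threshold


# Constructed sample text using published test card numbers.
SAMPLE_TEXT = (
    "Visa 4111 1111 1111 1111, again as 4111-1111-1111-1111, "
    "Amex 378282246310005, not a card: 1234567890123456, order id 4111111111111112"
)

if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE_TEXT):
        print(hit["issuer"], hit["number"])
    print("threshold 3 met:", meets_threshold(SAMPLE_TEXT, 3))
```

Note the two rejections in the sample: a sequential 16-digit run and a test number with its last digit altered. Both look like card numbers to the pattern alone; only the checksum tells them apart, which is why the module validates before it reports.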
You can customize a credit card search by clicking New. The Credit Card Data dialog is
displayed:
- Customized credit cards are signified by a dot in the Can Edit column.
- Click Edit to modify a customized credit card.
- Click Delete to remove a customized credit card.
- Results are validated with the Luhn algorithm.
GOVERNMENT ID
The Government ID tab enables you to search for any type of government ID (not just Social
Security numbers) through the use of GREP expressions. This is especially useful in areas where
government issued IDs have different formats.
The hits are indexed and searchable using the Government ID pattern query.
Social security numbers finds U.S. social security numbers, with or without separators.
Note: You cannot view or edit the default Social Security Number.
To add another type of ID, click New. The Government ID dialog is displayed.
- Enter a name in the Government ID box and a GREP expression in the Search Expression (GREP) box.
- When done, click OK.
Internet Artifacts
The Internet Artifacts module collects and analyzes Internet usage data from a target machine.
The module assumes the target machine was used to access the Internet at least once.
This module has no configurable options. Selecting the module captures the following
information:
File Processor
The File Processor module is a multipurpose module that enables you to select from four types
of file processing, then choose how you want to handle the final results.
The File Processor module provides you with the option to view evidence as it is being
collected. You can stop a scan when you find the information you are seeking or determine
that the scan will not prove useful.
The four filter types available in the File Processor module include:
- Metadata processing specifies the types of files to be searched for, using a set of entry conditions. See Metadata on the next page.
- Keyword provides a way to find information based on a list of entered keywords, and lets you refine the search with an entry condition. This option allows GREP expressions, whole word, and case sensitive searching. See Keyword on page 393.
- Hash searches for files by comparing their hash values to hash values found in either a new or pre-existing hash set. This option lets you create a new hash set or use a pre-existing set, and also lets you refine the search with an entry condition. See Hash on page 395.
- Picture searches for files identified with a file category of "picture." This option lets you limit the number of files that are returned, and limit the minimum size of the pictures. In addition, you can add entry conditions to further refine your search. See Picture on page 397.
- Collect all automatically collects everything that is responsive and creates an evidence file for further analysis. When you select this option, jobs that include this module automatically complete the collection and save it as an evidence file.
- Enable triage while collecting lets you review the evidence as it is being gathered. You can then review your information in real time, select the specific information you want to examine further, and save that information as a logical evidence file (LEF).
- Collect File Contents copies the contents of files identified by the file processor into the logical evidence file (LEF).
To configure the File Processor module, select one of the processing types, and choose one of
the ways to handle the results.
Click Next to display the options screen for the processing type selected.
METADATA
The File Processor module Metadata processing option collects specific types of files using
entry conditions. For example, you can set it to collect all types of images (.jpg, .png, .bmp,
etc.) or documents (.doc, .xls, .pdf, etc).
Click on Entry condition to create or edit entry conditions. Set conditions to specify exactly
which files your job collects. The default metadata condition will target all files if left
unmodified.
KEYWORD
The File Processor module Keyword finder processing option lets you create a list of keywords
for searching documents on a target machine. The Keyword finder module contains an Entry
Condition which targets searchable documents. See the Customization section for instructions
on viewing and modifying default conditions.
Note: This module searches the transcript of files supported by Oracle Outside In
viewer technology. This differs from the keyword searching in EnCase in that this
method locates keyword hits inside of files (such as .docx or .xlsx files) that would
not be found by a raw search of the file.
After clicking Next in the File Processor module, the Keyword options dialog displays the
following:
IMPORTING KEYWORDS
To import a list of keywords that has been exported from EnCase, click Import. The Import
Keywords dialog is displayed.
Browse to the keywords file location, select a file, and click OK.
EDITING KEYWORDS
To edit a keyword in the Keyword Finder, select it in the options dialog and click Edit. The Edit
Keywords dialog displays the following:
EXPORTING KEYWORDS
To export the list of compiled keywords, click Export on the Keyword Finder dialog. The Export
Keywords dialog is displayed.
Enter a new filename and click OK. This keyword file can be used in EnCase.
CUSTOMIZATION
To specify which files the Keyword processes, click Entry Condition in the Keyword options
dialog to open a conditions dialog. By default, the entry condition restricts processing to files
where the category matches "Document."
HASH
The Hash processing option in the File Processor module searches for files with a particular
hash value on the target machine. Hash values are stored in hash sets that can be identified by
a name and category. The Hash Finder module targets all files by default. You can customize
these default conditions.
Before you can use the Hash processing option, you must create hash sets for your current
case.
Hash sets can be added to the module from the following sources:
- A hash set created from a folder. When created this way, you can assign a name and category to the set.
- A hash .bin library available in EnCase:
  - Existing .bin library files have a category if one was specified.
  - The name of the hash set is the name of the .bin library file.
When the Hash processing option is used in a job, the hash sets are kept in their original
location and also copied to the EnCase Portable USB device.
After clicking Next in the File Processor module, the Hash options dialog is displayed.
The hash sets displayed, if any, are taken from the hash library. You can select from an existing
hash set in this list, or create a new set. Click Refresh Set List to add all other available hash
sets to the list.
- Enter or browse to the folder containing the files you want to create a hash set from.
- The Hash set name is automatically populated using the name of the folder. You can change the hash set name.
- Enter a category for this hash set (optional).
- Click OK. EnCase creates a .bin library file from the files in the selected folder, saves it to the EnCase Hash Sets folder, and adds it to the Hash Finder options list.
CUSTOMIZATION
To further specify your results, click Entry Condition to open up a conditions dialog.
PICTURE
Use the Picture processing option in the File Processor module to search for pictures on a
target machine. This module contains an Entry condition which returns files that match the
picture file category in EnCase. See the Customization section for instructions on viewing and
modifying default conditions.
After clicking Next in the File Processor module, the following dialog is displayed:
- To limit the number of pictures returned, clear the Display all pictures checkbox and adjust the number in the Limit number of pictures option.
- The default is set to gather all pictures above 10KB in size. If you want to change the minimum size of the picture files returned, adjust the Minimum size of pictures option.
- You can select to find pictures either by file extension or by file signature.
  - By extension finds all files by category, as determined by the file extension (for example, .jpg, .bmp, or .png).
  - When you select By file signature, EnCase Portable checks the file signature of an entry to see if it is a picture. This collects pictures that have been renamed by changing their file extensions.
  - Prompt at collection time displays a dialog when you are running the job, which lets you search by file extension or by file signature.
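Both the Picture option here and the Compound File Options in the job wizard (Mount - detect extension versus Mount - detect signature) hinge on the same distinction: the extension is a name the user chose, the signature is what the bytes say. The Python below is an added example for this guide, not EnCase or OpenText code, showing both detection methods over the same set of files and where they disagree. The signature table is a small constructed subset of common picture and compound (container) formats, and the sample files are built inline; the function and constant names are the example's own.

```python
"""Classify files by extension and by signature, and report where the two disagree.

Added example, not EnCase code. SIGNATURES and EXTENSION_CATEGORY are a
constructed subset for the example; SAMPLE_FILES are built inline.
"""

# Leading bytes ("magic") -> (type, category). Constructed subset.
SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "png", "picture"),
    (b"\xff\xd8\xff", "jpg", "picture"),
    (b"GIF87a", "gif", "picture"),
    (b"GIF89a", "gif", "picture"),
    (b"PK\x03\x04", "zip", "compound"),                        # also docx/xlsx/pptx/jar containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole", "compound"),  # legacy doc/xls/ppt/msg
    (b"Rar!\x1a\x07", "rar", "compound"),
)
EXTENSION_CATEGORY = {
    "png": "picture", "jpg": "picture", "jpeg": "picture", "gif": "picture", "bmp": "picture",
    "zip": "compound", "docx": "compound", "xlsx": "compound", "pptx": "compound",
    "doc": "compound", "xls": "compound", "msg": "compound", "rar": "compound",
}


def category_by_extension(name: str):
    """Mount - detect extension / By extension: trust the name only."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSION_CATEGORY.get(ext)


def category_by_signature(header: bytes):
    """Mount - detect signature / By file signature: trust the leading bytes only."""
    for magic, _kind, category in SIGNATURES:
        if header[: len(magic)] == magic:
            return category
    return None


def classify(name: str, header: bytes) -> dict:
    by_ext = category_by_extension(name)
    by_sig = category_by_signature(header)
    return {"name": name, "by_extension": by_ext, "by_signature": by_sig,
            "mismatch": by_ext != by_sig}


def classify_all(files) -> list:
    return [classify(name, header) for name, header in files]


def matches(files, category: str, detect: str) -> list:
    """Names whose detected category equals `category`; detect is 'extension' or 'signature'."""
    pick = category_by_extension if detect == "extension" else None
    out = []
    for name, header in files:
        found = pick(name) if pick else category_by_signature(header)
        if found == category:
            out.append(name)
    return out


# Constructed sample files: (name, first bytes).
SAMPLE_FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("notes.txt", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),   # renamed picture
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("image.png", b"not really a picture"),                   # extension lies
    ("README", b"plain text"),
]

if __name__ == "__main__":
    for row in classify_all(SAMPLE_FILES):
        print(row)
    print("pictures by extension:", matches(SAMPLE_FILES, "picture", "extension"))
    print("pictures by signature:", matches(SAMPLE_FILES, "picture", "signature"))
```

Signature detection costs a read of every file's header rather than a directory listing, which is the trade-off the wizard offers: extension detection is fast and sufficient for a cooperative file system, signature detection is what recovers the renamed picture in the sample and ignores the file whose extension claims a format its bytes do not have.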
CUSTOMIZATION
To specify which files the Picture Finder processes, click Entry condition in the Picture Finder
options dialog to open a conditions dialog.
The Picture Finder module only returns files that match the file category of "picture" in EnCase.
Although additional options can be specified in the entry condition, this particular parameter
cannot be modified.
- Entry condition filters which files EnCase processes, based on their entry properties.
- EVT condition restricts individual events on properties parsed from an EVT file (Event ID, Event Type, Source, etc.).
- EVTX condition restricts individual events on properties parsed from an EVTX file (Event ID, Process ID, Thread ID, etc.).
To enable a condition, select its checkbox. Click Edit next to the condition type to modify the
condition.
Unix Login
The Unix Login module parses the Unix system WTMP and UTMP files, which record all login
activities. In the module analysis reports, the WTMP-UTMP Log Parser provides information
about machines, login types, and login messages.
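To show what a WTMP/UTMP parser extracts, here is an added Python example (not EnCase code) that decodes a constructed wtmp file and pairs each login with the logout on the same terminal line, leaving a session open when no logout record exists. It assumes the glibc x86_64 record layout, which must be confirmed against the platform the file came from; the user names, hosts and timestamps are constructed sample data.

```python
import struct
from datetime import datetime, timezone

# glibc x86_64 'struct utmp' (384 bytes): ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{2 shorts}, ut_session, ut_tv{sec,usec},
# ut_addr_v6[4], 20 unused bytes. Assumed layout for this example; confirm it
# against <bits/utmp.h> on the platform the wtmp file came from.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
RECORD_SIZE = UTMP.size  # 384

UT_TYPES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
    8: "DEAD_PROCESS", 9: "ACCOUNTING",
}


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Return (records, leftover_bytes); a trailing partial record is counted, not parsed."""
    complete = len(data) - len(data) % RECORD_SIZE
    records = []
    for offset in range(0, complete, RECORD_SIZE):
        f = UTMP.unpack_from(data, offset)
        records.append({
            "type": UT_TYPES.get(f[0], "UNKNOWN(%d)" % f[0]),
            "pid": f[1],
            "line": _cstr(f[2]),     # terminal, e.g. pts/0 or tty1
            "user": _cstr(f[4]),
            "host": _cstr(f[5]),     # remote host for network logins
            "time": datetime.fromtimestamp(f[9], tz=timezone.utc),
        })
    return records, len(data) - complete


def login_sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same line."""
    open_by_line, sessions = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            start = open_by_line.pop(r["line"])
            sessions.append({"user": start["user"], "host": start["host"],
                             "line": start["line"], "login": start["time"],
                             "logout": r["time"],
                             "seconds": int((r["time"] - start["time"]).total_seconds())})
    # logins with no matching logout: still active, or the logout was never written
    for start in open_by_line.values():
        sessions.append({"user": start["user"], "host": start["host"],
                         "line": start["line"], "login": start["time"],
                         "logout": None, "seconds": None})
    return sessions


def make_record(ut_type, pid, line, user, host, epoch):
    """Pack one constructed record (sample data only, not real evidence)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, epoch, 0, 0, 0, 0, 0)


# Constructed wtmp: a boot, two logins, one logout, then a truncated record.
SAMPLE_WTMP = b"".join([
    make_record(2, 0, "~", "reboot", "5.15.0-generic", 1_700_000_000),
    make_record(7, 1201, "pts/0", "alice", "10.0.0.5", 1_700_003_600),
    make_record(7, 1310, "pts/1", "bob", "198.51.100.7", 1_700_005_400),
    make_record(8, 1201, "pts/0", "", "", 1_700_007_200),
]) + b"\x00" * 100


if __name__ == "__main__":
    recs, leftover = parse_wtmp(SAMPLE_WTMP)
    for s in login_sessions(recs):
        print(s)
    print("trailing bytes not parsed:", leftover)
```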
CHAPTER 12 Using EnCase Portable 399
File detection determines how the module detects authentic event files. By default, file
detection is performed by looking for event files with a proper extension, then verifying their
signature to prevent processing incorrect files. When checked, Process all files by signature
causes the module to determine event files based on their file signature only. Check this box to
detect event file logs that contain an incorrect extension.
To enable an entry condition, select its checkbox. Click Edit next to the conditions selected, to
modify the conditions that determine which files are processed.
On a Linux target, the \etc\syslog.conf file is parsed for paths that contain the system log files.
On an Apple Macintosh target, the \private\etc\syslog.conf file is parsed for the paths that contain the system log files.
Click Edit to modify the conditions that determine which event parameters are collected.
- Use Entry condition to create a condition that restricts which Linux syslog files are processed.
- Use Log event condition to specify syslog conditions that can filter by host name, process, message, and so on.
To enable an entry condition, select its checkbox. Click Edit next to the conditions selected to
modify the conditions that determine which files are processed.
Collection Modules
EnCase Portable uses two collection modules to collect information about files and machines
in specific ways.
Snapshot
The Snapshot module collects a snapshot of a machine at a given time, including the running
processes, open ports, network cards, login information, open files, and user information.
- Hash processes calculates hash values for the executable files that were run to create the currently running processes.
- Get hidden processes identifies processes that have been hidden from the operating system.
- Get DLLs retrieves and collects a list of currently loaded DLLs.
- Mark logged on user finds and marks which of the identified users are currently logged on.
- Detect spoofed MAC detects if the MAC address for any of the network interfaces is being set to a value other than the default value.
Acquisition
The Acquisition module acquires images of drives and memory from a target machine. When
using this module, ensure you have enough storage available to hold the evidence files this
process creates.
ACQUIRE
- Acquire logical devices acquires all logical devices (lettered drives, such as C:).
- Acquire physical devices acquires all physical devices (numbered devices, such as 0, 1, etc.).
- Acquire removable drives acquires all removable drives. A drive is identified as remov-
- Prompt at collection time displays a list of all devices (logical, physical, and memory) when the job is run. Select any combination of these devices for acquisition.
Note: To automatically acquire more than one type of device, create separate jobs for each operation. Because EnCase runs in memory, we suggest capturing memory first.
EVIDENCE FILE
- Format options determine the type of file to create.
- File segment size (MB) determines the size, in megabytes, of the individual segments of the evidence file.
- Click Encryption Keys to open a dialog that enables you to add multiple encryption keys for use in encrypting Ex01 files.
  - New allows you to generate a new encryption key.
  - Change Root Path enables you to specify a folder where EnCase encryption keys are stored.
- Block size (sectors) determines the size of the blocks of content over which CRC values are computed.
  - The minimum value is 64 sectors.
  - Larger block sizes generally enable faster acquisitions. However, if an evidence file block becomes damaged, a larger amount of data will be lost.
- Use the Compression dropdown menu to determine whether to enable or disable the compression of evidence files.
  - Disabled does not compress evidence files.
  - Enabled compresses evidence files.
- Error granularity (sectors) determines how much of the block is zeroed out if an error is encountered.
  - Standard is the same value as the block size.
  - Exhaustive sets granularity to one sector. This retains more data but takes more time.
VERIFICATION
- Acquisition MD5 calculates the MD5 file hash of the acquired files.
- Acquisition SHA1 calculates the SHA-1 file hash of the acquired files.
Before the job runs, a dialog is displayed listing the storage path, available drives, and a Verify
acquisition checkbox.
Check the Verify acquisition checkbox to verify the hash values of the acquired evidence files.
This adds time to the running of the job.
When completed, EnCase includes both the original and the verification hash values in analysis
tables and reports.
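The block size, error granularity and verification options interact, and the following added Python example (not EnCase's implementation of its evidence file format) simulates them on a constructed 200-sector device with one unreadable sector: Standard granularity zeroes the whole 64-sector block, Exhaustive zeroes one sector, and on verification the per-block CRC pinpoints a later-damaged block while the acquisition MD5/SHA-1 confirm the image as a whole. Sector size, block layout and the device contents are assumptions of the example.

```python
import hashlib
import zlib

SECTOR = 512      # bytes per sector (assumed for the example)
MIN_BLOCK = 64    # 'Block size (sectors)' minimum named in the text


def make_device(total_sectors, bad_sectors=()):
    """Constructed stand-in for a drive: sector n holds byte n % 256; bad sectors raise."""
    def read_sector(n):
        if n in bad_sectors:
            raise IOError("sector %d unreadable" % n)
        return bytes([n % 256]) * SECTOR
    return read_sector


def acquire(read_sector, total_sectors, block_sectors=MIN_BLOCK, exhaustive=False):
    """Image the device into CRC-protected blocks, hashing the whole stream as it goes.

    block_sectors mirrors 'Block size (sectors)'. exhaustive=False is the
    'Standard' error granularity (a read error zeroes the whole block);
    exhaustive=True is 'Exhaustive' (only the unreadable sector is zeroed).
    """
    if block_sectors < MIN_BLOCK:
        raise ValueError("block size must be at least %d sectors" % MIN_BLOCK)
    granularity = 1 if exhaustive else block_sectors
    blocks, errors = [], []
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for start in range(0, total_sectors, block_sectors):
        end = min(start + block_sectors, total_sectors)
        block = bytearray()
        for chunk in range(start, end, granularity):
            chunk_end = min(chunk + granularity, end)
            try:
                block += b"".join(read_sector(n) for n in range(chunk, chunk_end))
            except IOError:
                # zero the unreadable span and record it, as the evidence file does
                block += b"\x00" * ((chunk_end - chunk) * SECTOR)
                errors.append((chunk, chunk_end))
        data = bytes(block)
        blocks.append((data, zlib.crc32(data)))
        md5.update(data)
        sha1.update(data)
    return {"blocks": blocks, "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "errors": errors}


def sectors_lost(image):
    """Number of sectors zeroed because of read errors during acquisition."""
    return sum(end - start for start, end in image["errors"])


def verify(image):
    """Re-check stored blocks: CRCs locate a damaged block, MD5/SHA-1 confirm the whole image."""
    bad = [i for i, (data, crc) in enumerate(image["blocks"]) if zlib.crc32(data) != crc]
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for data, _ in image["blocks"]:
        md5.update(data)
        sha1.update(data)
    return {"bad_blocks": bad,
            "md5_ok": md5.hexdigest() == image["md5"],
            "sha1_ok": sha1.hexdigest() == image["sha1"]}


def damage_block(image, index, offset=0):
    """Copy of the image with one byte flipped in stored block `index` (simulated media damage)."""
    blocks = list(image["blocks"])
    data, crc = blocks[index]
    data = bytearray(data)
    data[offset] ^= 0xFF
    blocks[index] = (bytes(data), crc)
    return dict(image, blocks=blocks)


if __name__ == "__main__":
    device = make_device(200, bad_sectors={70})
    standard = acquire(device, 200)
    exhaustive = acquire(device, 200, exhaustive=True)
    print("Standard granularity lost", sectors_lost(standard), "sectors")
    print("Exhaustive granularity lost", sectors_lost(exhaustive), "sectors")
    print("clean verify:", verify(standard))
    print("after damage:", verify(damage_block(standard, 2)))
```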
Screen Capture
The Screen Capture module preserves images of each open window on a running machine.
Images are saved in a logical evidence file.
Collecting Evidence
This section describes how to:
- Run jobs.
- View information as it is being collected.
- If EnCase is installed, copy evidence into EnCase from a Portable storage device.
- A correctly configured Portable device. See Installation and Configuration in the EnCase Portable User's Guide.
- The jobs to be exported to the Portable device (see Creating a Portable Job on page 375 and Adding a Job to the Portable Device on page 378).
- The correct configuration of storage devices, based on a knowledge of approximately how much data you are going to be collecting.
Before you begin, try to determine as accurately as possible how much evidence you will be collecting.
- If collecting less than 2.5 GB of data, use the Portable device to collect the evidence.
- If collecting more than 2.5 GB of data, use another prepared USB storage device to collect the evidence. If necessary, use the storage device with a USB hub.
ter of the Portable device, then from a command prompt type <drive
letter>:\RunPortable.exe -q.
In the Configure Case section, the Case Name and Examiner Name are pre-populated,
based on your case. You can edit them as desired. You can also optionally enter a
description of the evidence.
5. Select a job to execute under Recent Jobs or click Run Multiple Jobs in the Action section.
6. You are prompted for additional information according to the job you selected. If you opted to Run Multiple Jobs, Portable displays the Select Job to Run dialog. A status dialog is displayed.
  - All modules used in the current job are listed.
  - When running a job using the File Processor module with triage results selected, EnCase updates the job status in real time while the job is executing. Clicking the status link displays the results as they are gathered. See Viewing Results to Triage Information on the facing page. At any point during the scanning process, click Stop Scanning to stop the job. This saves all data scanned to that point and terminates the job.
  - When running a job using the Acquisition module with the option selected to be prompted for acquisition choices when the job is run, a dialog is displayed showing a list of devices to acquire. Selecting Verify acquisition causes the job to verify the hash values of the acquired evidence files. This increases the amount of time required to complete the job.
  - When running a Picture Finder job using the File Processor module with the option selected to be prompted for how to find pictures when the job is run, a dialog is displayed asking whether to find pictures by extension or by file signature. Selecting to find pictures by file signature enables the collection of images that have been renamed with a different extension.
7. When a job is complete, or when you choose to stop scanning, a link to a summary is displayed in the Summary column for each module in the Status window. Click the link to open the summary.
  - To create a report from selected items in the summary, select the items to include and click Add Selected to Report. See Creating a Report on page 414.
COLLECTING EVIDENCE
When you select to triage the results, you can review your information in real time, select the
information you want to examine further, and save it as a logical evidence file (LEF). Blue check
every document or file you want to save and then, when your job has stopped running, click
Collect Selected to LEF from the job status screen. All selected items are collected and saved
as a LEF. See Collecting Evidence from Triaged Results on page 412.
JOB ANALYSIS
After the job is completed, you can see this information again by clicking Analysis or Advanced
Analysis in the Action section of the Portable home screen.
Options for metadata processing are configured when the job is created using the File
Processor module.
While this type of file processing is running, you can view the progress screen by clicking the
link in the status column of the status dialog. A list of files matching your entry conditions is
displayed.
If the job has been configured to triage results, you can click any document name to view
document files in the document viewer.
Note: The document viewer does not work on non-document types of files (such as
images). Pictures should be scanned and triaged using the Picture Finder option.
Options for Keyword Finder are configured when the job is created using the File Processor
module.
Note: The results returned by the Keyword Finder may appear to be significantly
different from the results returned when using the EnCase Evidence Processor. This
is because the EnCase Evidence Processor lists all hard link entries for a given file,
while the Keyword Finder detects that a given set of entries are all hard links to the
same file and lists only one from the set. Also, Keyword Finder searches transcripts
when available, whereas EnCase Evidence Processor performs only a raw search on
non-transcript files.
While this module is running, if the job has been configured to triage results, the progress
screen can be viewed by clicking the link in the status column of the status dialog.
- The keywords listed in the Keyword Name column are the keywords entered when the job was created.
  - The name for the keyword may be different from the keyword expression being used to search. This is useful when the search expression is a GREP expression or in a foreign language.
  - The table is sorted in alphabetical order based on the Keyword Name.
- The number of documents found to contain at least one instance of the keyword is listed in the Document Count column.
- The number of search hits for the keyword is listed in the Keyword Hits column.
- The Keyword Expression is the literal string used in the search.
- Columns can be sorted by double clicking the column header. As in EnCase, shift clicking on multiple columns creates multiple layers of sort orders.
The table shows the document name, the number of times the keyword was found within it,
the file size, and its path.
- Click Next or Previous to open the next or previous document in the list, using the current viewer.
- Click the checkbox next to Add to Collection to add this document to your collection of data. This collection can be turned into a LEF from the status window when your analysis is complete. See Collecting Evidence from Triaged Results on page 412.
- Fit to Page adjusts the text to better fit the frame of the dialog.
- You can toggle between Full View mode, with each line numbered, and Compressed View, which displays only the lines of the document that contain keywords. When in Compressed View, click Full View to switch to the full document. When in Full View, click Compressed View to show only the lines that have keyword hits.
- In Full View, use Next Hit and Previous Hit to jump to the next highlighted keyword in the document.
- Clicking Find opens a dialog that lets you search for additional expressions. From here, you can search for the expression within the current document, within the current document from your current position to the end, or within the currently selected text.
Note: You cannot use the Hash Finder unless your hash libraries are correctly set
up.
Options for Hash Finder are configured when the job is created using the File Processor
module.
While this module is running, you can view the progress in the Status tab.
If the ability to triage results was selected when configuring the job, you can click on the link in
the status column to open up a search results tab.
- Hash Library displays the name of the hash set library used in the module.
- Category is the category assigned to that library.
- The Document Found column displays the number of documents found to have hashes that match those in the hash library.
Clicking the hash library link opens up the document table, displaying all documents that
match the hash values in that library.
Options for Picture Finder are configured when the job is created using the File Processor
module.
While this module is running, the progress screen can be viewed by clicking the link in the
status column of the status dialog.
VIEWING
You can increase or decrease the size of your images, by changing the number of rows and
columns you are viewing.
To see fewer, larger pictures, decrease the number of columns by clicking Fewer Columns. To
see more, smaller pictures, increase the number of columns by clicking More Columns.
You can also increase or decrease the number of rows displayed by right-clicking within the
gallery and selecting More Rows or Fewer Rows.
If an image is corrupt, or if an image type is not supported by EnCase, its thumbnail does not
display.
SORTING
Images are initially displayed in the order they are found.
EnCase Portable provides a quick sorting function that brings pictures in popular locations to
the top for efficient review. After the search has completed, click Add Sort to apply sort priority
to pictures located in the User folder(s), then removable media, and then the rest of the drive
(s). In addition, multiple images contained in a single folder are sorted by file size, from largest
to smallest.
Note: Images can be added to reports during collection, only. See the Analyzing and
Reporting on Data chapter for details.
When configured for triage, the results screen can be viewed by clicking the link in the status
column of the status dialog while a job is running.
- The personal information types listed in the Keyword Name column are the types of personal information specified by the Personal Information module.
- The number of documents found to contain at least one instance of the personal information type is listed in the Document Count column.
- The number of search hits for the personal information type is listed in the Keyword Hits column.
Clicking a personal information type opens a documents table for that information type.
The table also includes the document name, the number of times the personal information
type was found within it, the file size, and its path.
Note: The search hits for credit card numbers are not validated before appearing in
this table. Therefore, there may be a discrepancy between the number of hits shown
in the document viewer, and the number of actual, verified results.
Clicking the link opens a document viewer with keywords highlighted in yellow.
- Click Next or Previous to open the next or previous document in the list, using the current viewer.
- Click the checkbox next to Add to Collection to add this document to your collection of data. This collection can be turned into a logical evidence file (LEF) from the status window when your analysis is complete. Even if no files are collected, the module can capture and save a complete report of relevant documents for later examination. See Collecting Evidence from Triaged Results below.
- Fit to Page adjusts the text to better fit the frame of the dialog.
- You can toggle between Full View mode, with each line numbered, and Compressed View, which displays only the lines of the document that contain keywords. When in Compressed View, click Full View to switch to the full document. When in Full View, click Compressed View to show only the lines that have keyword hits.
- In Full View, use Next Hit and Previous Hit to jump to the next highlighted keyword in the document.
- Clicking Find opens a dialog that lets you search for additional expressions. From here, you can search for the expression within the current document, within the current document from your current position to the end, or within the currently selected text.
1. Drill down from the status window into the results for each module and select each file to
collect.
2. Return to the main status screen.
3. Click Collect Selected to LEF. All checked items are collected into a logical evidence file
(LEF) and stored with an .L01 extension in the \EnCase Portable Evidence\<Job Name>
folder on the storage device.
Copying Evidence
You can copy evidence easily from one location to another. This may be useful for moving
evidence from an older version to a new storage location.
To copy evidence:
1. In EnCase select EnScript > Portable Management. The Portable Management dialog is
displayed.
2. Click the Evidence tab.
3. Select the evidence file(s) to copy.
4. Check Add evidence to case.
5. To remove the files from the original location, check Delete evidence after copy.
6. To change the destination of the copied evidence, enter or browse to a different folder.
7. Click Copy. A status dialog displays the files being copied.
8. When finished copying, click Finished.
ANALYSIS REPORTS
Instead of showing views of artifacts collected, analysis reports attempt to indicate what
happened on the system. These reports interpret artifacts and may join together multiple
artifacts in a single report, such as Windows link files and Registry keys to show files accessed
on specific USB devices.
The Analysis and Advanced Analysis options create customized reports that show your data
organized in tables. You can create reports from within EnCase Portable or from Portable
Management in EnCase.
The reports compiled are available only as long as you have the application open. To preserve
your information, you can print or export it.
Creating a Report
You can create reports from the evidence you have collected.
1. From the EnCase Portable Home screen, select Analysis or Advanced Analysis. See the
discussion in the Overview section of this chapter to determine which is appropriate for
your reporting needs. In general, Advanced Analysis gives you many more elements to
choose from to build your report.
2. The analytics query selector screen is displayed.
  - Analytics query groups are displayed in the left pane.
  - Select an analytics query group to show results in the right pane.
  - Select results from these queries in the right pane to be added to your report.
3. Double-click the analytics query group folder icons to display the analytics queries.
4. Click Save Selected in the table toolbar to save the queries. The Set Table Title dialog is
displayed.
5. Enter the title you want for the table in your report and click OK.
6. Click Manage Saved Reports in the analytics query selector screen to display the tables
which have been added to your report. All tables are displayed in the Customize Report
dialog.
7. Continue using the analytics query selector screen to add additional query results to your
report. You can add as many tables as necessary to your report.
8. Click Unavailable Views to display the sets of analysis results that are not yet available,
given the collections still under examination. This list can be used as a checklist to assure
that the required data is collected.
Click View Report to preview your report. From the preview screen, you can also print your report to maintain an artifact of this evidence.
1. From an appropriate table in the analytics query selector screen, click Constraint.
2. The Constraint dialog is displayed, showing fields that are relevant to that specific table.
3. Enter the information to include in the table in the appropriate text box. For example, to
see filenames that contain the word Cat only, enter Cat in the Filename text box.
  - Only one value can be entered in each text box. For example, if you enter Cat and Dog, to display information that contains both the words Cat and Dog, EnCase Portable takes the value literally and displays information that contains the entire phrase Cat and Dog.
  - If you enter values in multiple text boxes, EnCase Portable displays only the information that contains all specified values.
  - All non-string fields (such as IP addresses, numbers, hashes, or dates) look for exact matches. For example, if you enter 80 for the local port, EnCase Portable looks for port 80 only; port 8080 does not match the filter and will not be displayed.
4. Click OK. The table is displayed according to the restrictions entered. The current criteria
are shown in the bottom left status area of the Analytics Query Selector.
Note: To remove the restrictions, click Remove Constraint in the Analytics
Query Selector toolbar.
2. Select a Find Pictures option and click Finish. The Status tab is displayed.
3. After at least one file is found, click the link in the Status column. This can be done while
the job is running. The Images tab is displayed.
4. Select images to add to your report by clicking individual image check boxes.
5. Click Add Selected To Report. The Customize Report screen is displayed, listing the
images selected.
6. Select View Report. Your report now displays the images.
7. To print a report, select the hamburger menu at the upper right and click Print.
Images can be added to a report only while the # Triage Pictures job is running. However, if
you select Collect File Contents in the File Processor wizard, image data in the LEF can be
added to reports from EnCase.
Snapshot Reports
Snapshot Reports contain structured information on processes, open files, users, and ports.
Snapshot Reports can help you determine precise relationships between parent and children
processes, details about processes and their associated DLLs, and open ports and their
associated processes and DLLs. Using Snapshot Reports, you can determine which process
instance spawned the process you are trying to identify. These reports allow you to see the
path, command line parameters, and DLL/EXE file information for specific running processes.
Clicking an entry in the Parent Process ID column, which contains process IDs for each parent
process instance, displays all running instances of the process. This filters the report to display
matching process IDs, only, which allows you to trace that process to its source. For example,
instead of displaying only the type of process, such as explorer.exe, clicking an entry in the
Snapshot Reports also display both port information and its relationships to process instances
and DLLs, so you can determine which DLLs are active as well as which process instance loaded
each DLL.
Some Snapshot Reports combine information from other reports to make the workflow more
efficient. Under Operating System > DLLs, the DLLs by Process Details Report combines all the
information in the DLLs Report and the Processes Report. Under Network, the Open Ports by
DLL Report combines all the information in the DLLs Report, the Processes Report, and the
Open Ports Report. Under Operating System > Processes, the Processes report combines all
the information in the DLLs Report and the Open Ports Report.
Each Snapshot Report also has an About option which shows details for each report.
DLLs by Process Details: Instance Name, Parent Process ID, Open Ports, and Children
Processes.
Open Ports by DLL: Instance Name, Parent Process ID, and Children Processes.
Processes: Instance Name, Parent Process ID, Open Ports, Children Processes, and DLL Count.
Instance Name is a descriptor for a specific instance of a process. An instance name is often the
same as a process name.
Children Processes are the processes that were spawned by a parent process. For example,
some malware spawns many other processes. Viewing a malware parent process shows how
many processes it created. This count is displayed as a link to the child processes.
Open Ports are ports that have been opened by a process to communicate over the network.
These include both local and remote ports.
DLL (Dynamic-link library) Count: DLLs are used by many programs to share code. Malware can inject a malicious DLL, and a program will execute it without realizing it is malicious code. The DLL Count is the number of DLLs that a specific program is using.
Exporting a Report
You can run a report that shows comprehensive details of all the jobs and scans previously run
on the current Portable device.
  - Using the Column options on the left, hide or show columns to suit your requirements.
Maintenance
The following section contains topics on portable device maintenance, including preparing
portable devices and storage, modifying EnCase portable device configuration, and preparing
additional USB storage devices.
1. Select Tools > Create Portable Device. The Portable Management screen is displayed.
2. Select a device and click Configure Device. A status screen displays the updates to the
device as they are being executed.
3. When done, click Finished. The device is labeled with the currently installed version.
1. Select Tools > Portable Management. The Portable Management dialog is displayed.
2. Select the drive to configure and click Configure Device. The Configure Device dialog is displayed.
  - Allow Job Configuration at Runtime enables the user to create and edit jobs in the field, using the Portable device. By default, this option is enabled.
  - Display East Asian Characters enables the display of Unicode character sets, specifically for East Asian language support.
  - NAS licensing enables the use of EnCase Portable without a separate security key.
Note: If there is a bullet in the Needs Upgrade column, the device needs to be
restored.
4. Select one or more devices and click Prepare. A dialog shows the status of the task. When
complete, this dialog confirms the creation of the EnCase Portable Evidence folder on the
storage device.
5. The Prepared column displays a dot when the process is complete.
- EnCase Portable must be used on a target computer that has routable network access to License Manager.
- The EnCase Portable EnLicense must be stored in at least one of the following places to work with License Manager:
  - In the \EnCase Portable\License folder on the examiner machine used to configure the EnCase Portable NAS settings (default location).
  - In the \SAFE\License folder on the SAFE (recommended).
We recommend storing the EnLicense on the SAFE so multiple machines can be set up without
a specific local licensing folder. If an EnLicense cannot be found in either of these locations,
Portable must have a physical security key.
1. Select Tools > Portable Management. The Portable Management dialog is displayed.
2. Select the drive to configure and click Configure Device. The Configure Device dialog is dis-
played.
3. Select the NAS checkbox, then click Options. The NAS Settings dialog is displayed.
  - User Key Path specifies the location of the NAS key file.
  - Server Key Path specifies the location of the SAFE public key file.
  - Server Address is the name or IP address of the Network Authentication Server. If you are using a port other than 4445, provide the port with the address (for example, 192.168.1.34:5656).
4. Click OK. The prepared USB device can now run as a Portable device.
Troubleshooting
MY JOB HANGS.
Some jobs may take long periods of time to execute. If the progress bar is moving
occasionally, the job is still running.
Maximize EnCase and check the title at the top. If it displays EnCase Acquisition, the dongle
and/or license must be extended or replaced.
WHEN TRYING TO RESTORE PORTABLE I GET A MESSAGE THAT THE DEVICE IS IN USE.
If you are sure the Portable device is not in use, but consistently get a message that the device
is busy:
The sector size of the restore image and the destination drives must match exactly, or the
destination drive must be larger. If the destination drive is even a few sectors smaller than the
.E01 restore image, a warning dialog is displayed before the restore starts. If you choose to
continue, the restore process is shown as successful even though the target drive image is
truncated and data is potentially lost. We recommend using a destination drive that is at least
4GB in size.
You should go back through the restore process and make sure the EnCase Portable image has
been correctly restored to the physical storage device.
Next, make sure that you have the correct files in the correct locations.
File/Folder Name
- sbAlgs folder [blank]
- sbTokens folder
- SbAdmDll.dll
- SbComms.dll
- SbDbMgr.dll
- SbErrors.xml
- SbFileObj.dll
- SbGroupObj.dll
- SbMachineObj.dll
- SbUiLib.dll
- SbUserObj.dll
- SbXferDb.dll
- SafeBoot Tool\GetKey.xml
- sbTokens\SbTokenPwd.dll
Also, the following files must be copied from your company's SafeBoot server to your local folder structure:
- From the SafeBoot server: C:\Program Files\SBAdmin\ALGS\<Algorithm>\SbAlg.dll
- To the local folder: C:\Program Files\EnCase8\Lib\SafeBoot Technology\SafeBoot\sbAlgs
FAQs
HOW DO I UPGRADE MY ENCASE PORTABLE DEVICE?
In Portable Management, a bullet in the Needs Upgrade column indicates that the device
needs to be restored.
HOW DOES ENCASE PORTABLE DETERMINE WHAT DEVICE TO USE FOR STORAGE?
After a job finishes, files created from that collection are stored in a predefined location on a
configured EnCase Portable storage device. During initialization, EnCase Portable determines
the storage location by:
If the only device found is the Portable device, that device is used for storage.
When a collection job is run using the File Processor module and the metadata processing
type, two LEFs are created. One of the LEFs contains the collected files and is designed to be
brought into EnCase so that you can process or view the collected files. The second LEF does
not contain any file data, but simply contains meta-information and metrics about the data
that was processed and collected. This LEF is not designed to be added to a case in EnCase, but
is used by EnCase to generate reports.
- Files that contain the actual evidence files that have been collected. These files have either an .Lx01/.L01 or .Ex01/.E01 extension and can be mounted and used in EnCase. They are stored during EnCase Portable collection in ..\EnCase Portable Evidence\.
- Files that contain summary data about collected information and are used for analysis. These files have an .L01 extension and contain metadata about the collected files. They do not contain the actual evidence files themselves. These files are stored during EnCase Portable collection in ..\EnCase Portable Evidence\ModuleEvidence.
Each specific target has its own logical evidence file (or LEF), with the name of the target
reflected in the name of the logical evidence file. If a target's LEF is already in the storage folder
when a new collection is started, you have the option to overwrite the previous data.
The Module Evidence and the File Evidence folders contain folders for each collection job that
has been run.
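The following Python script is an added example, not part of the EnCase documentation or product. It applies the three rules stated above to the contents of a Portable storage device: only .L01/.Lx01/.E01/.Ex01 files are LEFs; anything under ModuleEvidence is summary data; anything elsewhere is file data only if "Collected Files" appears in its name. It assumes (the page does not say so explicitly) that each collection job has its own subfolder directly under the evidence root and under ModuleEvidence, and it builds a constructed, fictitious sample tree in a temporary directory so it runs offline.

```python
from pathlib import Path
import tempfile

# Cues taken from the FAQ text above.
MOUNTABLE_EXT = {".l01", ".lx01", ".e01", ".ex01"}   # LEF/evidence extensions
MODULE_DIR = "ModuleEvidence"                          # summary/metrics LEFs live here
FILE_TOKEN = "Collected Files"                         # marks LEFs that hold file data


def classify_lef(path, root):
    """'file-data' (addable to an EnCase case), 'parsed-data' (analyse in
    Portable Management only) or None (not a LEF) for a file under root."""
    if path.suffix.lower() not in MOUNTABLE_EXT:
        return None
    rel = path.relative_to(root)
    if rel.parts[0] == MODULE_DIR or FILE_TOKEN not in path.stem:
        return "parsed-data"
    return "file-data"


def inventory(root):
    """Group LEFs under root by collection-job folder and kind.
    Assumption (not stated on the page): each job has its own subfolder
    directly under the evidence root and under ModuleEvidence."""
    root = Path(root)
    jobs = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = classify_lef(p, root)
        if kind is None:
            continue
        dirs = p.relative_to(root).parts[:-1]
        if dirs and dirs[0] == MODULE_DIR:
            dirs = dirs[1:]
        job = dirs[0] if dirs else "(root)"
        jobs.setdefault(job, {}).setdefault(kind, []).append(p.name)
    for kinds in jobs.values():
        for names in kinds.values():
            names.sort()
    return jobs


def addable_to_encase(root):
    """Names of the LEFs that can safely be added to an EnCase case."""
    return sorted(n for kinds in inventory(root).values()
                  for n in kinds.get("file-data", []))


def build_sample_tree(base):
    """Create a constructed (fictitious) Portable storage layout for the demo."""
    root = Path(base) / "EnCase Portable Evidence"
    for rel in [
        "Job1/LAPTOP-01 Collected Files.L01",
        "Job1/notes.txt",                                    # not a LEF
        "ModuleEvidence/Job1/LAPTOP-01 Internet Artifacts.L01",
        "ModuleEvidence/Job1/LAPTOP-01 File Processor.L01",
        "Job2/WKSTN-07 Collected Files.Lx01",
        "Job2/WKSTN-07 Snapshot.L01",                        # no 'Collected Files' token
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return root


def demo():
    """Build the sample tree in a temp dir and return (inventory, addable names)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return inventory(root), addable_to_encase(root)


if __name__ == "__main__":
    inv, addable = demo()
    for job, kinds in sorted(inv.items()):
        for kind, names in sorted(kinds.items()):
            print(f"{job:<6} {kind:<12} {', '.join(names)}")
    print("Add to EnCase:", addable)
```

Run it against the real storage device by calling inventory() on the EnCase Portable Evidence folder; anything it reports as parsed-data should be opened in Portable Management rather than added to the case.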
WHERE ARE EVIDENCE FILES STORED WHEN I IMPORT THEM INTO ENCASE?
LEF files created by EnCase Portable are imported by opening the Evidence tab in Portable
Management and selecting evidence to be copied to case folders. By default, the LEFs are
stored in the %\portable evidence path located in case paths for the open case. The LEFs
containing file data can be added directly into EnCase by selecting the checkbox option.
CHAPTER 12 Using EnCase Portable 431
If you choose to add LEFs to EnCase directly from the storage folder, please note that when
EnCase Portable collects data, it can collect files (such as when the File Collector module is
used) or it can collect parsed data (such as when the Internet Artifacts module is used). To
make it easier to conduct examinations, files are stored separately from parsed data. LEFs
containing file data can be identified by the words "Collected Files" in the name of the LEF. It is
only these LEFs that can be added to and examined with EnCase.
LEFs that contain parsed data are designed to be analyzed in Portable Management and do
not have Collected Files in the file name. If you attempt to add these files into EnCase, the
collected information will not be viewable.
WHAT FILES ARE COPIED TO THE ENCASE PORTABLE DEVICE DURING EXPORTING?
The following items are copied to the Portable device during the export process:
l EnCase.exe
Note: When a 64-bit version of EnCase is being used, the 32-bit version of EnCase
is copied to the EnCase Portable device.
WHEN USING THE FILE PROCESSOR MODULE AND THE METADATA PROCESSING
TYPE ON A RUNNING MACHINE, DOES ENCASE MOUNT LOGICAL OR PHYSICAL
DEVICES FOR ANALYSIS?
EnCase Portable mounts the logical device when used on a running machine.
HOW ARE DAILY AND WEEKLY RECORDS FOR INTERNET EXPLORER HANDLED?
In the analysis table report, history is not grouped into daily and weekly folders the way
Internet Explorer and EnCase present it. Instead, you start with high-level domain visits
and drill down into the individual entries from there.
MY NUMBERS SEEM WAY OFF. SHOULDN'T THE COLUMN BE CALLED HITS INSTEAD
OF VISITS?
Visits are pulled from the cache file directly, and to prevent confusion, the name is not
changed.
WHICH GREP EXPRESSIONS ARE BEING USED TO PERFORM CARD, E-MAIL, AND SSN
SEARCHES?
In EnCase GREP syntax, # matches a single digit.
Visa-13     [4][#]{12,12}
Visa-16     [4][#][#][#][^#]?[#]{4,4}[^#]?[#]{4,4}[^#]?[#]{4,4}
MasterCard  [5][1-5][#][#][^#]?[#]{4,4}[^#]?[#]{4,4}[^#]?[#]{4,4}
Discover    [6](([0][1][1])|([5][#][#]))[^#]?[#]{4,4}[^#]?[#]{4,4}[^#]?[#]{4,4}
Email       [a-z0-9\~\_\.\x2D]+@[a-z0-9\_\x2D]+\.[a-z0-9\_\x2D\.]+
SSN         ###[\x2D]?##[\x2D]?####
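The following Python script is an added example, not from the EnCase product or its documentation. It translates the six GREP expressions above into standard regex syntax (EnCase's # digit shorthand is the only non-standard token), runs them over a constructed sample text, and then applies a Luhn checksum to the card hits. It shows two things a practitioner should expect from these expressions: they are unanchored, so Visa-13 also fires on the first 13 digits of an unspaced 16-digit Visa number, and a Luhn pass discards such fragments and mistyped numbers while leaving email and SSN hits alone. Case-insensitive matching (needed for the lower-case email pattern) is an assumption about the search options.

```python
import re

# The six EnCase GREP expressions from the FAQ above. In EnCase GREP syntax
# '#' matches a single digit; the rest is ordinary regex.
ENCASE_GREP = {
    "Visa-13":    r"[4][#]{12,12}",
    "Visa-16":    r"[4][#][#][#][^#]?[#]{4,4}[^#]?[#]{4,4}[^#]?[#]{4,4}",
    "MasterCard": r"[5][1-5][#][#][^#]?[#]{4,4}[^#]?[#]{4,4}[^#]?[#]{4,4}",
    "Discover":   r"[6](([0][1][1])|([5][#][#]))[^#]?[#]{4,4}[^#]?[#]{4,4}[^#]?[#]{4,4}",
    "Email":      r"[a-z0-9\~\_\.\x2D]+@[a-z0-9\_\x2D]+\.[a-z0-9\_\x2D\.]+",
    "SSN":        r"###[\x2D]?##[\x2D]?####",
}
CARD_TYPES = ("Visa-13", "Visa-16", "MasterCard", "Discover")


def to_python_regex(grep):
    """Translate EnCase GREP to Python re syntax: only '#' needs rewriting."""
    return grep.replace("#", r"\d")


def luhn_ok(digits):
    """Luhn checksum over a string of digits (every second digit from the
    right is doubled, with 9 subtracted when the double exceeds 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_hits(text):
    """Raw hits, counted the way an unanchored keyword search would count them.
    Case-insensitive matching is an assumption (the email pattern is lower-case)."""
    hits = []
    for name, grep in ENCASE_GREP.items():
        for m in re.finditer(to_python_regex(grep), text, re.IGNORECASE):
            hits.append((name, m.group(0)))
    return hits


def triage(text):
    """Keep card hits only if their digits pass Luhn; email and SSN hits are kept
    as-is. Because the expressions have no boundaries, Visa-13 also fires on the
    first 13 digits of an unspaced Visa-16 number; that substring fails Luhn."""
    kept = []
    for name, raw in find_hits(text):
        if name in CARD_TYPES and not luhn_ok(re.sub(r"\D", "", raw)):
            continue
        kept.append((name, raw))
    return kept


# Constructed sample text (fictitious data, not from any real case).
SAMPLE = (
    "Card on file: 4111 1111 1111 1111 exp 12/27\n"
    "Ticket typo: 4111 1111 1111 1112\n"
    "Raw dump: 4111111111111111\n"
    "Contact jane.doe@example.com, SSN 123-45-6789\n"
)

if __name__ == "__main__":
    for name, raw in find_hits(SAMPLE):
        print(f"raw   {name:<10} {raw}")
    for name, raw in triage(SAMPLE):
        print(f"kept  {name:<10} {raw}")
```

On the sample, find_hits() reports seven raw hits (one Visa-13, three Visa-16, one email, two SSN) while triage() keeps five: the Visa-13 fragment and the mistyped Visa-16 number fail Luhn, which is the kind of inflation behind the "my numbers seem way off" question above.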
Also note that the operating system runs entirely in memory (in a RAM drive); therefore,
changes made to the running environment do not affect the environment on disk.
CHAPTER 13
GENERATING REPORTS
Overview
The final phase of a forensic examination is reporting the findings, which should be well
organized and presented in a format that the target audience understands. EnCase adds
several enhancements to its reporting capabilities, including:
l Bookmark folders where references to specific items and notes are stored.
l Report templates that hold formatting, layout, and style information. A report template
links to bookmark folders to populate content into a report.
l Case information items, where you can define case-specific variables to be used
throughout the report.
l Documents
l Pictures
l Email
l Internet Artifacts
1. Select the content you want from any tab (for example, Entries, Artifacts, or Search
Results) and click Bookmark on the tab toolbar.
2. From the dropdown menu, select the type of bookmark you want to create, enter a
name and optional comment, and click OK.
3. View your bookmarks in the Bookmarks tab.
Triage Report
The Triage report enables you to customize and quickly generate an investigation report.
This report creates a fully linked HTML report from bookmark folders you create. Each
bookmark folder is a separate report section linked together by a table of contents. Each
report section can have an associated custom format or be formatted automatically. Each
bookmarked item by default includes a separate item report including comprehensive data for
that item.
You can customize this report with your own logo, and add external links within the report. All
customization can be done using an HTML editor.
When done, this report can easily be distributed on a CD or USB drive and is compatible with
most browsers. This enables evidence to be easily shared across teams so that the most
relevant information can be discovered and acted upon quickly.
To share your report, navigate to its export location and copy the Triage Report folder,
index.html, and Triage.Report.html files to a USB drive or CD.
This reporting option can be accessed on the case home page under the Report header. It is
also available in both the Full Investigation and Preview/Triage Pathways.
Main screen
EXPORT LOCATION
Using the browse button, select the folder that the completed HTML report will be placed into.
This folder must exist on the system.
OPEN REPORT
When selected, automatically loads the report in the default browser.
ADDITIONAL LINKS
This section enables the examiner to include additional links in the left pane of the completed
report. By default, it includes:
l The Case Information link which draws the data from case information items tab in
EnCase.
l The logo item which is used to hold the location for a custom logo.
The Name column shows the text that will be placed on the left pane for the link.
The Link column is used to designate the file path of the file to be linked.
If AutoCopy is selected, the linked file is copied automatically into the export path for the
Triage report. This works only when the linked item is a single file (for example, a PDF,
Word document, or Excel spreadsheet). If AutoCopy is not selected, you must copy the file
or files into the export location before setting the Link field. For example, to link an HTML
report that consists of multiple files, copy those files into the export location manually.
BOOKMARK FOLDERS
The Bookmark Folders table shows all bookmark folders contained in the current case.
Selected folders are included in the Triage report when the report is created.
The Format field designates what information is included in that section of the report. The
format can be changed by clicking Auto and selecting a different format from the popup box.
In the popup:
l The Auto format selection attempts to use the most appropriate data for each of the
bookmarked items.
l Selecting External Link allows you to set the link on the left side of the screen to an
alternate file. If External Link is selected, that report section will not be created. You must
manually copy the linked file(s) to the export location before the link is created.
The NoExport checkbox stops the exporting of the bookmarked files for that section of the
report. Individual files and bookmarks can also be prevented from being exported or included
in the report by using the No Export and No Report options from the Bookmarks tab.
The No TOC (No table of contents) checkbox removes that section of the report from the table
of contents, but the section is still created and a link is created in the parent report section.
The Include in Parent checkbox includes the selected report section within the parent report
section. This can be used to create a single report section based on different formats. If you
select Include in Parent on all bookmark folders, the report will be displayed in a flat form. The
HTML links on the left side of the final report will jump the viewer to the respective sections.
Click Make Single Bookmark Report on the menu bar to recreate only the current report
section. This was designed so you would not have to recreate the entire report when only one
section has been changed. This will not recreate the table of contents.
Options
The options button provides you with ways to change the behavior of the Triage report.
TEMPLATE LIST
The Template List displays the list of default formats and custom formats available. The Auto
format automatically selects the default format depending on the bookmarked item type.
Default formats can be changed but if they are deleted they will be recreated the next time the
Triage report is run.
FIELD DEFINITIONS
Field definitions designate what information is included in the report section for each item.
REPORT TITLE
Enables you to modify the report title shown in the browser when the report is displayed.
HIDE PREVIEW
When selected, hide the preview pane in the main window.
REPORT FILENAME
Enter the filename for the main HTML page. An identical INDEX.HTML is also created.
Report Formatting
l * = default
TAGS
l FIELD=<property name> (the word FIELD is not needed). Multiple fields can be placed in a
Name property.
l LINK=*AUTO, NONE, FILE, PDF, REPORT, REPORT_HTML, REPORT_PDF, FOLDER
l REPORT, PRINT, etc.
Besides the default templates, you can define your own custom reports and save them as part
of a case template. For more information, see Using a Case Template to Create a Case on
page 87.
l Report sections: groups of similar information and formatting that provide the ability to
organize your report.
l Report formatting: page layout, section design, and text styles.
l Report elements: collections of bookmarks. Bookmarks are a key element of the report
structure. You do not embed bookmarks into a report template, but embed a reference
to the contents of a bookmark folder.
To display the template, click Report Templates on the case Home page.
1. Highlight the row above the new element you want to add. Right-click and select New
from the dropdown menu.
2. The New Report Template dialog opens.
3. Enter a Name.
4. Select a Type (Section or Report).
5. If you want to customize Format styles, check the appropriate boxes, or leave the boxes
clear to use the default styles.
6. Click OK. The new template component is displayed below the row you highlighted.
Report templates follow a hierarchical tree to simplify formatting. Report sections inherit
formatting options from above so that changes to formatting only need to be made in one
place.
l Section Name: Used for organizational reference in the template only and does not
populate the report.
l Paper: Includes orientation and size.
l Margins: Set values for top, bottom, left, and right margins.
l Header/Footer: Specifies a header and/or footer.
l Data Formats: Specifies how a bookmark is displayed, including style and content.
l Section Body Text: Specifies the layout and content of each section in the Body Text.
l Show Tab: Determines if this report or section is displayed in the View Report dropdown
menu.
l Excluded: Provides the ability to exclude part of a report.
4. Click User defined to enable the Page Width and Page Height boxes, where you can
specify dimensions manually.
MARGINS
1. Right-click the Margins column, then click Edit in the dropdown menu. The Margins
dialog opens.
2. Enter the margins you want in inches. By default, the top margin is 1 inch, the left margin
is 0.75 inches, and the right and bottom margins are 0.5 inches.
All reports in EnCase obtain their paper settings from the Windows operating system.
Windows stores paper size in the Default Printer settings, so unless a specific paper size is
defined in a report template (Paper option), EnCase uses the paper size indicated there.
When reports are generated, margins are set for the indicated paper size and the report is
rendered in that composition. Use the ability to set tab stops relative to a specific margin
(described under Report Styles) to ensure that tab stops also scale properly with the
different paper variations. Report templates supplied with EnCase are configured in this manner.
1. Right-click the Header or Footer column, then click Edit in the dropdown menu. The
appropriate dialog opens.
2. Formatting options (Document, Styles, Case Info Items, etc.) display at the top of the
dialog.
Report Styles
As in Microsoft Word, you use styles to set text formatting options. EnCase comes with many
default styles to use in report templates, and you can also create your own styles. To override
a default style, create a user style with the same name.
o Double-click Font to open the Font dialog, where you can specify:
Font face
Font style (Regular, Italic, Bold, Bold Italic)
Size
Effects (Strikeout, Underline)
Color
o Double-click Text Foreground or Text Background to open the Color dialog, where
you can select a default color or specify a custom color.
6. To set a border, click the Border button. Set the position, size and color of the border
lines you wish to incorporate.
7. To set tab stops within the style, click the Tabs button. Right-click in the Tabs dialog and
select New to create a new tab.
o In the Alignment box, choose how you want the text to align relative to the tab.
Choices are Left (left side of the text block is aligned with the tab stop), Center (text
is centered in relation to the tab) or Right (right side of the text block is aligned with
the tab stop).
o Set the Position for the tab stop in Inches.
o In the Relative box, set the margin that the tab stop should be relative to. Choose
Left to position the tab stop a set distance to the right of the left margin, choose
Center to position it a distance from the center point between the margins, or
choose Right to position it a set distance to the left of the right margin.
Note: The ability to set the relative position of the tab enables users to create a
report template that you can use with various paper sizes (that is, letter, landscape,
A4, etc.) and various orientations (portrait or landscape) without having to reset the
margins for the various page widths. Default templates supplied with EnCase are
configured in this manner so they can be used in different locales without requiring
significant modifications.
8. When you finish, click OK. The new style and its attributes display in the User Styles list.
You can customize reports by specifying which fields to add to the report template. You can
choose to include the value in the field as well as the name of the field. Then, when you
generate a report, EnCase includes both specified fields and the content with which they are
populated, in the specified area of the report.
All entry, artifact and item (bookmark) fields can be added to report templates. Multi-value
fields, such as file extents and permissions, have two options for inclusion: cell and table.
Adding the cell data displays the value of the field as displayed within the Entry table view.
Adding the table data displays the value of the field as displayed in the Details tab.
Inserting a Picture
1. Right-click an item in the tree where you want to insert a picture, then click Edit in the
dropdown menu.
2. The Edit dialog is displayed. Select the Body Text tab, then place your cursor where you
want to insert the picture in the Report Object Code.
3. Click Picture.
4. The Picture dialog is displayed. In the Picture dialog, browse to the file you want to insert,
specify a size (width and height in inches), then click OK.
Inserting a Table
1. Right-click an item in the tree where you want to insert a table, then click Edit in the
dropdown menu.
2. The Edit dialog is displayed. Select the Body Text tab, then place your cursor where you
want to insert the table into the Report Object Code.
3. Click Add Table.
4. Make a selection from the dropdown list. The dialog for the item you selected opens. The
example below shows the Evidence dialog.
o On the Columns tab, click the checkboxes for the columns you want to display.
o On the View Options tab, select the checkboxes for the visual elements you want
to display. The tabs and options vary depending on the selection you make from
the Add Table dropdown menu in step 3.
Excluded Checkbox
Depending on your target audience, you may want to exclude parts of a report. For example,
an investigator may need to see actual pictures in a report, while another reader does not. You
can customize content by clicking the checkboxes in the Excluded column for elements you
want to exclude.
l Document
l Styles
l Case Info Items
l Case
l Bookmark Folder
l Add Table
l Picture
l Language
l Text
To test if the code is well-formed, click Compile. To return to the last compilable code, click
Revert.
Note: Unless you have experience writing and editing code, we recommend using
default code in the report templates.
The following examples assume that a bookmark folder structure exists and items have been
added to the bookmark folders. The examples include both menu-based customization and
the use of ROC (Report Object Code) to modify reports.
You can modify this from the dropdown menus available to add Accessed, Created, and
Written Times below the Image.
style("Image") {
  image(width=2880, height=2880) par
  fieldname(field=Accessed) tab cell(field=Accessed) par
  fieldname(field=Created) tab cell(field=Created) par
  fieldname(field=Written) tab cell(field=Written) par
}
You can see these changes in the View pane in the Report tab.
2. Open Report Templates from the EnCase Home screen or select View > Report
Templates. Since the item to bookmark is in the Documents folder, this example shows how
to edit the Documents Report Section to include the Item Path.
3. In the Edit Documents window, select the Formats tab. Select Notable File > Edit. Make
sure the blinking cursor is positioned correctly, as the Item Path Field is added here. This
4. Drill down in the Item Field menu and select Item Path. fieldname
(field=ItemPath) tab cell(field=ItemPath) displays on the last line. Adding
par adds a line break in the report.
5. Click OK to exit Report Templates.
6. View your report. The Item Paths are added to the Document section of the report.
4. Drill down in the Item Field menu and select Item Path. fieldname
(field=ItemPath) tab cell(field=ItemPath) displays on the last line. Adding
par adds a line break in the report.
5. Click OK to exit Report Templates.
6. View the report. The Item Paths are added to the Internet Artifact section of the report.
Other than defining the specific report section to modify, the only difference in adding the
Item Path field to the report is the category to be formatted. When adding Item Path to
documents, the format category Notable File is being modified. When adding Item Path to
Internet Artifacts, the format category Record is modified.
2. After bookmarking your entry, open the Bookmarks tab and locate the file. Add
comments to your files by editing the Comment field. The comments made here are
displayed in your report.
3. Click the Report Templates tab from the home page or select View > Report Templates.
Since the item to bookmark is in the Email folder, edit the Email report section to include
Comments.
4. In the Edit Emails window, select the Formats tab. Select Email > Edit. Make sure the
cursor is positioned correctly, as the Comment field is added here. In this example, the
cursor is positioned after the email () par statement.
5. Drill down in the Item Field menu and select Comment. fieldname(field=Comment)
tab cell(field=Comment) is displayed on the last line. Adding par adds a vertical
7. View your report. Comments are added to the Email section of the report.
We recommend that if you want to modify a report template or create your own, first refer to
one of the supplied templates and read the examples in the following sections to see how ROC
is structured and used.
Layout Elements
The following is a complete list of all ROC layout elements. These elements are also available
from the menus in the Edit window.
pagenumber
  Inserts a page number.
  Example: pagenumber

hline
  Inserts a horizontal line.
  Example: hline(height=x)

text
  Inserts a text string.
  Example: text("Hyperlink")

lang
  Example: lang(x)

image
  Example: image(path="C:\\Users\\user.name\\Pictures\\EnCase_big.bmp", width=760, height=400)
  width and height are numbers that express the width and height of the image in twips.

hyperlink
  Example: hyperlink("http://www.link.com") { text("Hyperlink") }

list
  Example: list(path="Examination\\Report\\Introduction", options="RECURSIVE, SHOWFOLDERS")
  options:
  l RECURSIVE: Display all items within all subfolders in that folder.
  l SHOWFOLDERS: Display the folder name before

table
  Example: table(type=CaseInfo, options="SHOWTABLE, SHOWBORDER", columns="Name,Value")
  options:
  l SHOWTABLE, SHOWBORDER: as used in the example above.
  l ... header row.
  l SHOWICONS: Display the icon associated with

cell
  Example: cell(field=Name)
  Valid types for use in body text and formats: LogRecord, Bookmark, Evidence, CaseInfo.
  options:
  l PAR: Add paragraph only if text exists.

fieldname
  Example: fieldname(type=Case, field=value, options="PAR")
  options:
  l PAR: Add paragraph only if text exists.

email
  Example: email(fields="<comma-delimited list of fields>")

image (in formats)
  Example: image(width=1440, height=1440)
  width: width of the image, in twips

filelink
  Example: filelink() { cell(field=Name) }
1. On the Bookmarks tab, click Reports, then click Add folder to report from the dropdown
menu.
2. The Add folder to report dialog is displayed.
3. Select an existing section, or create a new custom section. To create a new section, enter
a section name in the <New Section Name> area and click Add. The new section is created
as a child of the currently selected section or report.
4. Click Next. The second Add folder to report dialog is displayed. It enables you to apply
commonly used formatting to the report. When you click a Report section formatting
checkbox, the wizard generates Report Object Code automatically.
o Restart numbering restarts numbering at 1 in a new section, instead of continuing
numbering from a previous section.
o Hyperlink to exported items configures the report section to add a hyperlink to
exported data.
5. Click Preview to see how the formatting will display in the report.
6. To add metadata, click Customize metadata. The Customize metadata dialog is
displayed.
o In the Metadata fields pane on the left, click the field you want to work with (Item
fields, Entry fields, Common email fields, Record fields).
o In the Name pane in the middle, click the name of a metadata type you want to add
to the report, then click the double right arrow button (>>) to add it to the Display
order list.
Note that as you add metadata items to the Display order list, the preview
pane updates dynamically to reflect your choices.
To change the order, click the item in the Display order list you want to change,
then click the Up or Down button. Repeat as necessary to get the order you
want.
To remove an item from the Display order list, click it, then click the double left
arrow button (<<).
You can view the Report Object Code that the Report Template Wizard added to the template.
1. On the Bookmarks tab, click Reports > View Report, then click the report you want to
view.
2. The report is displayed. Click the Hide empty sections checkbox. Any empty sections no
longer display in the report.
1. In Report Templates view, check the part of the report where you want the bookmarks to
display, then click the Body Text tab in the lower pane.
4. In the Destination Folder tab, select the folder where you want the table to be saved and
enter a folder name.
5. In the Columns tab, click the checkboxes for the columns you want to display in the
table.
6. In the View Options tab, click the checkboxes for the options you want. Be sure to click
the Hyperlink to files checkbox.
7. Click OK. The bookmarks display as hyperlinks in the table in the report.
1. Right-click, then click Save As from the dropdown menu. The Save As dialog is displayed.
2. For the Output Format, select RTF, HTML, or PDF, then click the Export items checkbox.
Note: The Export items checkbox is disabled for the other formats.
3. Accept the default path or enter another path. If you want to view the exported report
after saving, click the Open file checkbox.
4. Click OK. The hyperlinks display in the exported report.
1. In the Evidence tab, select the item you want to display as a hyperlink in the report.
2. In the lower pane, click the Report tab to display metadata.
3. Right-click and select Save As from the dropdown menu. The Save As dialog is displayed.
4. Select the Output Format you want. The supported formats are RTF, HTML, and PDF.
5. Click the Export items checkbox. If you want to view the report after saving, click the
Open file checkbox.
6. Accept the default path, or enter a path of your own, then click OK.
7. The hyperlink is displayed in the metadata report.
1. Go to Report Templates view. Select the part of the report where you want to add a
hyperlink, then click the Body Text tab in the lower pane to display the text.
2. Place the cursor where you want to insert the hyperlink, then click Hyperlink in the
Document dropdown menu.
3. A line of hyperlink code is displayed.
4. Replace http://www.link.com with the URL for your hyperlink. Replace Hyperlink with the
text you want to display for the hyperlink.
l Report name
l Examiner
l Grouping results
l All files or specified files
l Display fields
2. In the Report Title field, enter the name of the report. The default report title format is
[Case Name] - File Report.
3. In the Report Prepared By field, enter the name of the examiner. The default examiner
name is drawn from the specified examiner in Case Info.
4. On the left side of the dialog, specify how you want to group your report.
o File Path sorts files by the file system's location of each file, sorted according to Item
Path.
o File Size sorts files according to size in Kilobytes.
o File Category sorts files alphabetically, according to file category. To sort by the
three-character file extension within a category, click the Sort by Extension
checkbox.
5. On the right side of the dialog, specify whether to include all files, only files in the current
view, and/or files created within a specified range. To specify a creation date range:
o Select the checkbox for Only Files Created Between.
o Enter the Start Date directly, or click the calendar browser button.
o Enter the End Date directly, or click the calendar browser button.
6. At the bottom of the dialog, use the field selector to include/exclude and order the fields
for your report.
o In the Available fields box on the left, select any field you want to include in your
report and click the right arrow.
o In the Selected fields box on the right, select any field you want to exclude from your
report and click the left arrow.
7. To order the selected fields for your report, select each field and move it with the Up or
Down buttons.
8. Click OK. The File Report EnScript generates the file report, and it is displayed in the File
Report window.
Viewing a Report
To view a report:
1. In the Report Templates tab, click View Report from the tab toolbar. The dropdown
menu lists all reports that have the Show Tab option set.
2. Select the report you want to see. The report is displayed in the viewer.
l TEXT
l RTF
l HTML
l XML
l PDF
Once you select the output format, specify a Path and optionally set the Open file option if
you want the file to open in the default application after saving.
Note: To edit a report in Microsoft Word, save the report in RTF format. The
EnCase RTF report is fully compatible with Microsoft Word.
CHAPTER 14
ACQUIRING MOBILE DATA
Overview
EnCase can acquire a variety of mobile devices, including smartphones, tablets, PDAs, and
GPS navigation devices. Additionally, you can import mobile device backup files and Cellebrite
UFED XML report data. You can also acquire data from cloud services, such as Facebook,
Twitter, Gmail, and Google Drive.
Acquired or imported mobile data is saved as an EnCase Logical Evidence File in the folder you
specify in the Output File Settings.
Before beginning acquisition on a mobile device, you will need to download and install the
Mobile Driver Pack from OpenText My Support.
Note: If you are running Windows 7, you will need to install two security updates
before you can install the Mobile Driver Pack. Windows 7 needs to be upgraded to
SP1 before installing the security updates.
During the Logical Acquisition Process, the program uses the commands and protocols that
the device's own OS provides for working with it. Each device supports a set of commands
that let it exchange data with the PC over a simple protocol (for example, AT commands).
Consequently, only data that the device OS is designed to pass over that protocol can be
acquired, but most of that data is fully parsed and shown in a readable format.
During the Physical Acquisition Process, the program does not use the device OS's
commands. Usually a special program is written into a region of device memory where no
user data is stored, a complete memory image is acquired, and all data is extracted from
that image where possible.
In this case the data is usually not parsed, but the required information can still be located
in the image.
Note: During acquisition, the data on the device cannot be damaged or lost and its
structure and content do not change.
Data Parsing
Data Parsing is the process of decoding information and displaying it in a human-readable
form for analysis and reporting.
Data parsing is usually done automatically for any type of data that can be parsed.
Note: Not all types of data can be parsed and not all plug-ins contain parsers. For
more information, see the description of each plug-in.
For most plug-ins, data acquisition is performed using the standard process and does not
include any additional interaction with the devices. For some plug-ins, however, the
acquisition process requires some additional steps.
The data acquisition process differs from the general process for the following types of devices:
l Android OS Devices
l Advanced Android LG Devices
l Garmin GPS
l iPhone/iPad/iPod Touch
l Motorola
l Motorola iDEN
l Nokia Symbian OS
l Palm OS Based Devices
l Psion 16/32 Bit Devices
l RIM BlackBerry
l Samsung GSM
l Siemens
l SIM Card Readers
l Symbian 6.1 Devices
l Tizen Devices
l WebOS Based Devices
l Windows Mobile Devices
It is highly recommended that you read the instructions for each of these devices before you
start acquisition.
There are two methods of device detection: automatic detection and manual plug-in
selection.
l Acquisition via automatic detection: This method automatically detects the devices
connected to the computer via a USB port and allows you to select the type of acquisition
of the device.
l Acquisition via manual plug-in selection: This method allows you to select a plug-in
corresponding to the device manufacturer and acquisition type as well as the connection
via which acquisition will be performed.
484 EnCase Forensic User Guide Version 20.2
We recommend acquiring via automatic detection. Use manual plug-in selection only in the
event that the device is not detected or cannot be acquired via automatic detection.
1. Preparation Step: Prepare the device for working with the program. We recommend the following:
   ◦ Check whether the device is charged in order to prevent power loss during the acquisition process.
     Note: Acquisition from PDAs, iPhones, and Androids might take several hours.
   ◦ Choose the proper cable or cradle for your device.
   ◦ Ensure the proper drivers for any USB cable (cradle) are installed.
   ◦ Check that the device is connected to the computer.
   ◦ Insert or remove the SIM card depending on the requirements of the plug-in you are using and your procedures.
   ◦ Turn the device on or off depending on the requirements of the plug-in you are using.
   ◦ If acquisition of the device is NOT being performed for the first time within this case, it is recommended that you reload (power cycle) the device before starting the new acquisition process.
2. Selection Step: Go to Add Evidence > Acquire Mobile > Acquire from Device to start the Acquisition Wizard, which will guide you through the process of acquisition. The following items must be selected:
   ◦ For automatic detection:
     The device whose data you want to acquire.
     The type of acquisition you want to perform.
3. Instructions Step: You can read special acquisition instructions if they are available for the selected device.
4. Acquisition Step: The program acquires information from the device. In some cases, you might need to perform more actions with the device, such as pressing special buttons on it or entering special information. The process of acquiring the device features is displayed in the progress table.
5. Final Step: Acquisition finishes, and you can disconnect your device from the computer.
There can be certain specifics about acquisition of different types of devices. For more
information, see the description of data acquisition of the type of device you want to acquire.
Note: The program allows you to work with other data in the case during the
acquisition. You can add, view, and process other evidence in the case while the
device is being acquired.
4. In EnCase Forensic, select Add Evidence > Acquire Mobile > Acquire From Device.
5. On the Acquisition Wizard Welcome screen, an icon representing your device will be displayed. Click the icon of your device. If your device is not displayed, click the troubleshooting link at the bottom of the page.
   Note: We recommend working with only one connected device at a time.
6. On the Acquisition Type page, select the type of acquisition you would like to perform.
   Note: Physical acquisition of some devices, such as CDMA and Siemens devices, can only be performed via manual plug-in selection.
7. If you selected Custom Logical Acquisition, on the Feature Selection page select the features you want to acquire from the device and click Start Acquisition.
8. Data acquisition starts, and its progress is displayed on the Acquisition Progress page.
   Note: The program allows you to work with other data in the case during the acquisition. You can add, view, and process other evidence in the case while the device is being acquired.
4. In EnCase Forensic, go to Add Evidence > Acquire Mobile > Acquire From Device.
5. On the Acquisition Wizard Welcome page, click Manual plug-in selection.
6. On the Plug-in Selection page, select the plug-in corresponding to the device manufacturer and the type of acquisition you want to perform and click Continue.
7. On the Connection Selection page, select the port to which the device is connected. Click Start Acquisition.
   Note: For some device types, like Samsung GSM, Siemens, and Psion 16/32-bit devices, you will need to select a model of the device.
8. Data acquisition starts, and its progress is displayed on the Acquisition Progress page. On this page, you can see which features have been successfully acquired and which features have not and why.
   Note: The program allows you to work with other data in the case during the acquisition. You can add, view, and process other evidence in the case while the device is being acquired.
Note: The data acquisition process will be different for some devices. For more
information, see the description of data acquisition of the type of device you want to
acquire.
The following features, limitations, and strategies can help increase success with multi-
device acquisition:
• Devices with different operating systems, generally, can be acquired in various combinations without limitation.
• If you want to acquire devices with the same operating system, some plug-ins will be unavailable for selection. Such restrictions are aimed at preventing damage to the device(s) being acquired. In this case, a warning message will be displayed.
• If any of the auto-detected devices are being acquired, such devices will be disabled for selection in the newly opened Acquisition Wizard. When the device acquisition is finished or terminated, the device becomes enabled on the Home page of the Acquisition Wizard.
• The auto-detected devices being acquired cannot be acquired through the manual plug-in selection.
• Different devices can be acquired by one plug-in at the same time.
• One device cannot be acquired by different plug-ins at the same time.
• In case of Android or iOS device acquisition, the use of the Portable plug-in is restricted.
• The device-related tasks, such as import and cloud import, can be started simultaneously.
• To avoid any application errors, it is recommended not to launch another Acquisition Wizard until the acquisition process is started in the currently opened acquisition.
Note: The custom name will be displayed in the header of the corresponding
Acquisition Wizard.
To rename a device:
1. In the Acquisition Wizard, right-click the device name you want to change, and select
Rename Device.
2. In the Device Name window, enter a custom name of the device and click OK.
Advanced logical plug-in, which allows you to acquire a backup and application data of any version of iPhones, iPads, and iPod Touches. Acquired data will be partially parsed.
• Physical acquisition of iPhone/iPad/iPod Touch devices: Physical acquisition of iPhone/iPad/iPod Touch devices is performed via the iPhone/iPad/iPod Touch physical plug-in. Acquired data will be partially parsed.
  Note: To acquire a non-jailbroken iPhone/iPad/iPod Touch device physically, you must first put the device into the DFU mode.
Logical acquisition is performed via the iPhone/iPad/iPod Touch Advanced Logical Plug-in.
Note: Devices running iOS 8.4 may be acquired only after being jailbroken via the
TaiG jailbreak. For more information, visit http://www.taig.com/en/.
8. When acquisition finishes, exit the DFU mode on your device. To do this, hold the Home
and Power buttons until the Apple Logo appears.
1. Connection step:
a. Normal mode (that is what the device looks like before the connection starts)
b. Recovery mode
d. Normal mode
e. Recovery mode
f. Restore mode
2. Acquisition step:
Note: For devices running iOS 7 and later, a message that reads Do you
trust this computer? appears on the device when it is plugged into a
computer. Tap Trust to establish a trusted connection before beginning
acquisition.
3. Disconnection step:
a. Recovery mode
• Parsed data
• Deleted parsed data in binary files (including Address Book, Calendar, Call History, iMessages, Network Connection, Email messages, Notes, Safari Bookmarks, Messages, and SMS Search)
• File system in binary files
• Device properties
• Backups made from iOS 11 devices
Note: Device properties are acquired only from devices with iOS 5.x and higher.
Usually the amount of acquired data depends on the model and state of the phone.
Note: The file system is acquired only partially, e.g., it does not contain system files
of the iPhone.
Data Type                | Standard Devices | Jailbroken Devices
Parsed data
  Contacts               | Yes | Yes
  Messages               | Yes | Yes
  Call history           | Yes | Yes
  iMessages              | Yes | Yes
  Voicemail              | Yes | Yes
  Calendar               | Yes | Yes
  Notes                  | Yes | Yes
  Maps Bookmarks         | Yes | Yes
  Maps History           | Yes | Yes
  Maps Directions        | Yes | Yes
  Mac Address            | Yes | Yes
  Installed Applications | Yes | Yes
  Email Messages         | No  | Yes
  Safari Bookmarks       | No  | Yes
  Safari History         | No  | Yes
  Safari Suspend State   | No  | Yes
  YouTube Bookmarks      | No  | Yes
  Dynamic Text           | No  | Yes
  WiFi Locations         | Yes | Yes
  Cell Locations         | Yes | Yes
  Mail Accounts          | No  | Yes
  Filesystem             | No  | Yes
  SMS Search             | No  | Yes
[group heading missing]
  Messages               | Yes | Yes
  Safari Bookmarks       | Yes | Yes
  Notes                  | Yes | Yes
  Call logs              | Yes | Yes
  Contacts               | Yes | Yes
  Contacts Properties    | Yes | Yes
  WiFi Locations         | Yes | Yes
  Cell Locations         | Yes | Yes
Other Data
  Device Properties      | Yes | Yes
• Department
• Display Name
• First Name
• Last Name
• First Fonetic
• Job Title
• Middle Name
• Middle Fonetic
• Nickname
• Note
• Organization
• Phone Number 1
• Phone Number 2
• Phone Number 3
• Phone Number 4
• Email Address 2
• Email Address 3
• Phone Number 1
• Phone Number 2
• Phone Number 3
• Phone Number 4
• Phone Number 5
• Phone Number 6
• Phone Number 7
• Phone Number 8
• Phone Number 9
• Phone Number 10
• Ringtone
• Web Site 1
• Web Site 2
• Web Site 3
• Web Site 4
Messages:
• Raw Data
• Name
• Number
• Text
• Subject
• Sent (GMT)
• Received (GMT)
• Read (GMT)
• Service
• Error
• Is Sent
• Attachments
• User Account
• Summary

SMS Search:
• Raw data

Call history:
• Date (GMT)
• Duration (sec)
• Type
• Date (GMT)
• Country Code
• Type
• Duration
• Call Method

iMessages:
• Type
• Text
• Date Sent
• Date Created/Received
• Contact
• Date Read
• Attachments

• Date
• Status
• Duration (sec)
• Expiration Date
• Trashed Date
• Path
• Location
• Description
• Start timezone
• End date
• All day
• Calendar ID
• Title
• Summary

Notes:
Note: For devices with iOS 8.x, parsing of notes is not fully supported in the current version of EnCase.
• Extended data
• Sender
• Recipient
• Subject
• Date received
• Mailbox
• Remote mailbox
• Original mailbox
• Read
• Deleted
• MailAccount

Maps Bookmarks:
• Locality
• Country
• Country code
• Region
• Type
• Address 1
• Address 2
• Thoroughfare
• Latitude
• Longitude
• Maps URL
• Map type
• Original type
• Zoom level

• Display query
• Latitude
• Longitude
• Latitude span
• Longitude span
• Location
• Zoom level

• Start address
• Start latitude
• Start longitude
• End address
• End latitude
• End longitude

• Search kind
• Document title
• Incognito mode
• URL
• Visit count

• Link
• Username
• Hostname
• Unique ID
• Account type
• SSL is direct
• Account name
• SSL enabled
• Full username
• Email address
• SMTP identifier
• Class
• Type string

Cell Locations:
• Longitude
• LAC
• Latitude
• Longitude
• MCC
• MNC
• Timestamp (GMT)

Passwords:
• Account
• Access Group
• Type
• Description
• Comment
• Labels
• Tags
• Creation Date
• Modification Date
• Source File

applications in a device)
• Application Name (the name of the application as it
application)
• Category (the category of applications to which the
manufacturer)
• Signer Identity (the application signature)

• Evernote
lower)
• Google Chrome
• Google Maps
• Gmail
• Jott Messenger
• Kik (Kik Messenger)
  Note: The grid Messages Marked as Deleted does not contain recovered data. These messages are marked as deleted, but are not deleted from the device.
• LinkedIn
• MailRu (Mail.ru)
• Skype
• Tinder
• Twitter
• TextFree (Text Free: Free Texting App + Free Calling App + SMS with Textfree)
• TextPlus (textPlus Free Text + Calls : Free Texting + Free Phone Calling + Free International Messenger)
• VK
• WhatsApp (WhatsApp Messenger)
• Whisper
• Yik Yak
Note: The amount of acquired application data depends on the volume of data stored in the cache of the corresponding application in the device.
Note: For Parsed Recovered Data, fields in any data type may contain an N/A value
if corresponding data was not parsed. This might happen because deleted data
associated with an item in the list was partly overwritten by the device OS.
You can view the parsed application data in the Application Data folder.
Physical acquisition of iPhone/iPad/iPod Touch devices allows you to acquire the following
groups of data:
• Deleted data in parsed format (including Address Book, Calendar, Call History, iMessages, Network Connection, Notes, Safari Bookmarks, Messages, and SMS Search) and deleted unparsed data (as in the iPhone/iPad/iPod Touch Advanced (logical) plug-in)
Note: Depending on the iOS version, some features may not be acquired.
Usually the amount of acquired data depends on the model and state of the device.
Supported Models
Support of physical acquisition is determined based on the hardware. The following models are supported:

Model          | [column heading missing] | [column heading missing]
iPhone 2G      | Yes | No
iPhone 3G      | Yes | Yes
iPhone 3GS     | Yes | Yes
iPhone 4G      | Yes | Yes
iPhone 6s      | Yes | No
iPhone 6s Plus | Yes | No
iPhone 7       | Yes | No
iPhone 7 Plus  | Yes | No
iPhone 8       | Yes | No
iPhone 8 Plus  | Yes | No
iPhone X       | Yes | No
iPhone XS      | Yes | No
iPhone XS Max  | Yes | No
iPhone XR      | Yes | No
iPhone 11      | Yes | No
iPhone 11 Pro  | Yes | No
iPad Air       | Yes | No
iPad Air 2*    | Yes | No
iPad Pro*      | Yes | No
* The current version of the application does not support iPadOS on these devices.
iOS Version | [column heading missing] | [column heading missing]
2.x         | Yes | Yes
3.x         | Yes | Yes
4.x         | Yes | Yes
5.x         | Yes | Yes
6.x         | Yes | Yes
7.0.x       | Yes | Yes
7.1.1       | Yes | Yes
8.0.x       | Yes | Yes
8.1.x       | Yes | Yes
8.2.x       | Yes | Yes
8.3         | Yes | Yes
8.4         | Yes | Yes
9.0         | Yes | No
9.1         | Yes | No
9.2         | Yes | No
9.2.1       | Yes | No
9.3         | Yes | No
9.3.1       | Yes | No
10.0        | Yes | No
10.0.1      | Yes | No
10.0.2      | Yes | No
10.0.3      | Yes | No
10.1        | Yes | No
10.1.1      | Yes | No
10.2.x      | Yes | No
10.3.x      | Yes | No
11.0.x      | Yes | No
12.0.x      | Yes | No
13.0.x      | Yes | No
• If the device you are trying to acquire has been successfully connected to another PC previously, you can try copying the content of the Lockdown folder (by default its location is C:\Program Data\Apple\Lockdown) to the same folder on your PC.
• Make sure that no programs, such as a firewall, block EnCase Forensic access to the network.
• The iPhone battery might need to be recharged.
• Disconnect other USB devices from your computer and connect the iPhone to a different USB 2.0 port on your computer.
• Turn the iPhone off and turn it on again. Press and hold the Sleep/Wake button on the top of the iPhone for a few seconds until a red slider appears, and then slide the slider. Then press and hold the Sleep/Wake button until the Apple logo appears.
• Restart your computer and reconnect the iPhone to your computer.
• Download and install (or reinstall) the latest version of iTunes from www.apple.com/itunes.
• Try uninstalling the Apple software components and then reinstall the Mobile Driver Pack. Follow the Apple support instructions (http://support.apple.com/kb/ht1923) to properly uninstall Apple software components. After this, uninstall the Mobile Driver Pack and install it again.
• For physical acquisition of non-jailbroken devices, check that you have correctly put the device in DFU mode. Follow the instructions in the Data acquisition section. If the device is placed into the DFU mode, there must be no logos on the screen.
Q: I have a jailbroken device, but I cannot acquire application data. How can I fix this?
A: Yes. If the device you are trying to acquire has been successfully connected to another PC
previously, you can try copying the content of the Lockdown folder (by default its location is
C:\Program Data\Apple\Lockdown) to the same folder on your PC. Please note that this
will only work if the password on the device was set before the device was connected to the
PC.
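The Lockdown folder referred to above holds one pairing record per device, saved as a property list named after the device identifier (UDID); a record is only worth copying if it is complete. The following Python helper is an added example, not EnCase code, for checking on the source PC which records exist and whether each carries the fields a pairing needs before the folder is copied. The file layout (`<UDID>.plist` beside a folder-wide `SystemConfiguration.plist`) and the expected keys (HostID, SystemBUID, HostCertificate, DeviceCertificate, RootCertificate) are assumptions taken from public descriptions of iOS pairing records, not from this guide; the sample folder, UDIDs and identifiers it builds are constructed placeholders.

```python
from __future__ import annotations

import os
import plistlib
import tempfile

# Default location quoted in the troubleshooting note above (Windows).
DEFAULT_LOCKDOWN_DIR = r"C:\Program Data\Apple\Lockdown"

# Keys a complete pairing record is expected to carry. Assumption drawn from public
# descriptions of iOS lockdown records, not from this guide.
EXPECTED_KEYS = ("HostID", "SystemBUID", "HostCertificate", "DeviceCertificate", "RootCertificate")


def list_pairing_records(lockdown_dir: str) -> dict[str, dict]:
    """Map each <UDID>.plist in the folder to the expected keys it has and lacks."""
    records: dict[str, dict] = {}
    for name in sorted(os.listdir(lockdown_dir)):
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue  # the folder-wide config file is not a device record
        udid = name[: -len(".plist")]
        try:
            with open(os.path.join(lockdown_dir, name), "rb") as fh:
                data = plistlib.load(fh)
        except Exception as exc:  # unreadable, or not a property list at all
            records[udid] = {"present": [], "missing": list(EXPECTED_KEYS), "host_id": None, "error": str(exc)}
            continue
        records[udid] = {
            "present": [k for k in EXPECTED_KEYS if k in data],
            "missing": [k for k in EXPECTED_KEYS if k not in data],
            "host_id": data.get("HostID"),
            "error": None,
        }
    return records


def has_usable_record(lockdown_dir: str, udid: str) -> bool:
    """True when a record for this UDID exists, parses, and carries every expected key."""
    rec = list_pairing_records(lockdown_dir).get(udid)
    return rec is not None and rec["error"] is None and not rec["missing"]


def make_sample_lockdown_dir() -> str:
    """Constructed sample folder: one complete record, one incomplete record, one unreadable file."""
    d = tempfile.mkdtemp(prefix="lockdown-sample-")
    complete = {
        "HostID": "6E3F5B4C-0000-1111-2222-333344445555",      # placeholder value
        "SystemBUID": "0A1B2C3D-6666-7777-8888-9999AAAABBBB",  # placeholder value
        "HostCertificate": b"placeholder host certificate",
        "DeviceCertificate": b"placeholder device certificate",
        "RootCertificate": b"placeholder root certificate",
    }
    incomplete = {"HostID": complete["HostID"], "SystemBUID": complete["SystemBUID"]}
    for udid, rec in (("00008030-000A1B2C3D4E5F60", complete),   # placeholder UDIDs
                      ("00008030-DEADBEEF00000000", incomplete)):
        with open(os.path.join(d, udid + ".plist"), "wb") as fh:
            plistlib.dump(rec, fh)
    with open(os.path.join(d, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": complete["SystemBUID"]}, fh)
    with open(os.path.join(d, "garbage.plist"), "wb") as fh:
        fh.write(b"\x00\x01 not a property list")
    return d


if __name__ == "__main__":
    folder = make_sample_lockdown_dir()
    for udid, rec in list_pairing_records(folder).items():
        print(udid, "usable" if has_usable_record(folder, udid) else f"missing {rec['missing']}")
```

Run it against the real folder by passing `DEFAULT_LOCKDOWN_DIR` (or the folder's location on that PC) instead of the sample; a UDID that is absent or reports missing keys is one the copy will not help with.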
Q: The acquisition process was broken. The device is in the Recovery mode. What do I do?
A: Start acquisition of the device once more. If you don't want to acquire data, just wait until
the device restarts and disconnect it from the computer.
A: Reset the iPhone by holding the Sleep/Wake button at the top right of the device and the
Home button at the bottom center of the face at the same time.
Q: What's the difference between the iPhone/iPad/iPod Touch Advanced Logical and the
iPhone/iPad/iPod Touch Physical plug-ins?
A: The iPhone/iPad/iPod Touch Physical plug-in allows you to acquire all data from your
iPhone/iPad/iPod Touch device. The amount of parsed data both in logical and physical plug-
ins is the same. But the total amount of data is larger in the physical plug-in. It contains the file
system that is inaccessible for the logical plug-in.
A: iPhone/iPad/iPod Touch devices with iOS 7 and later require you to establish trusted
connection after connecting it to the computer and on the start of acquisition. For this
purpose, you need to tap Trust on the device each time a message appears on the device
screen.
Q: I get the message that limited application data has been acquired. What does it mean?
A: Generally, it means that the version of the application on your device is higher than the one
supported in the current version of EnCase Forensic. Please contact OpenText Support.
A: You need to install a special AFC2 tweak to unlock the device file system. To install the
tweak:
Only physical acquisition can be performed on an iPod. Physical acquisition is performed via
the iPod Physical Plug-in.
All data is parsed, from the FAT filesystem to binary files. In addition, the following data is
detected and located in separate folders as binary files:
• Device
• Accessories
• iTunes
• Music
• Contacts (contacts are stored in the vcard format)
• Calendars (calendars are stored in the vcalendar format)
• Notes
IPOD FAQ
• Make sure that no programs or firewalls block EnCase Forensic access to the network.
• If that doesn't work, disconnect other USB devices from your computer and connect the iPod to a different USB 2.0 port on your computer.
• If that doesn't work, turn the iPod off and turn it on again.
• If that doesn't work, restart your computer and reconnect the iPod to your computer.
• If that doesn't work, download and install (or reinstall) the latest version of iTunes from www.apple.com/itunes.
Depending on the manufacturer and the model of your device and the data you want to acquire, different plug-ins must be used:

Device Type                            | Autodetect | Rootable during Acquisition | Plug-In
LG devices with Android OS 4.4.2–5.1.1 | No         | No                          | Android LG Advanced Physical
Other devices with Android OS 5.5–10   | No         | Yes                         | Android Logical
Note: Any device with Android OS 10 and lower can be acquired via the Android
Logical plug-in regardless of its manufacturer and model. If the device is locked, you
can try to acquire it using the Android Samsung Bootloader Physical, Android LG
Advanced Physical, Android Spreadtrum Expert (physical), Android MTK Expert
(physical) or Android Qualcomm EDL (physical) plug-in if the plug-in supports the
corresponding device model.
Rooting can be performed either by the user prior to acquisition, or by the program during an
acquisition. In the latter case, rooting is temporary and all effects of device rooting are
reverted after acquisition finishes.
In the program, rooting can be performed for the majority of devices with Android OS 4.4.4
and lower. Rooting of devices with higher Android OS is not possible in most cases. Please also
note that some device models or model lines with Android OS 4.4.4 and lower may have
custom modifications, which makes it impossible to root them.
Android OS Devices
With the forensic process, it is important to note that, with embedded systems such as smart
devices, some data must be written to the device in order to communicate with it. Depending
on the type of device, the data that is written will change. However, in order to follow the
principles of forensics, the data that is written is documented and noted as part of the process.
This process is repeatable with multiple devices and is considered forensically sound. In each
section, the details of the process can be found. The methods used by the program are
designed to write the minimal amount of data to the device to allow for a forensically stable
data acquisition.
Note: WARNING! During data acquisition, your device may reboot a few
times and you will need to enter its PIN/password. Make sure you know the
device PIN before performing acquisition. For devices with Android OS up
to 4.1, if the phone is in the USB debugging mode, the program can bypass
the PIN/password.
Note: Unlocking a device file system doesn't damage the device or any
data on it.
Note: If the screen password still appears after removal, simply draw
any pattern to remove a graphical password or enter and confirm a
new PIN or password.
4. Move between the other pages of the wizard and, when you are ready to start acquisition, click Start Acquisition.
5. Before acquisition starts, the device file system will be unlocked. The file system unlocking process is performed as follows: the AndroidService.apk installation package is written to the /data/local/tmp folder and a special service is installed to the system folder with applications. They will be removed automatically after the acquisition process finishes.
   Note: This does not damage data integrity and doesn't cause any damage to the device.
6. Data acquisition starts, and its progress is displayed on the Acquisition Progress page.
7. During acquisition, the following messages may appear on the device:
   ◦ If the Allow USB Debugging message appears on the device, tap OK in it to continue acquisition.
   ◦ If the Full Backup message appears on the device, tap Back up my data in it to continue acquisition. This message appears if device rooting failed. In this case, backing up data on the device allows acquiring at least some part of the device file system.
   ◦ If the Waiting For Debugger message appears on the device, do not close the message or the acquisition process will fail. This does not affect data integrity on the device.
   ◦ If the Choose Connection Mode message reappears on the device, choose the connection mode.
   ◦ The Usage data access permission message appears on devices with Android OS 5.0 and higher during full logical acquisition or custom logical acquisition with the selected User Activity Timeline feature. Tap OK on the message, select the Seizure Service in the opened window, and then turn the permission toggle on.
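Step 5 above names what the unlock writes to the device (the AndroidService.apk package in /data/local/tmp), and the Android OS Devices introduction states that the written data is documented as part of a forensically sound process. The Python below is an added example, not EnCase code, of one way an examiner can produce that record: take an `ls -l` listing of the folder over ADB before and after acquisition, and diff the two into a list of files written, modified or removed. The listings here are constructed sample output, and the column layout the parser accepts (an optional link count, and a size that older toolbox `ls` omits for directories) is an assumption about Android's toybox/toolbox `ls -l`, not something this guide specifies.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One line of `ls -l` as printed by Android's toybox (with link count) or the older
# toolbox (no link count, no size for directories). This layout is an assumption.
LS_LINE = re.compile(
    r"^(?P<perms>[-dlcbps][rwxsStT-]{9})\s+(?:\d+\s+)?(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<name>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    perms: str
    owner: str        # "user:group"
    size: int | None  # None when ls prints no size (directories on older toolbox)
    mtime: str


def parse_ls(text: str) -> dict[str, Entry]:
    """Parse `ls -l` output into {name: Entry}; lines such as 'total 8' are skipped."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"] is not None else None
        entries[m["name"]] = Entry(m["name"], m["perms"], f"{m['user']}:{m['group']}", size, m["mtime"])
    return entries


def diff_listings(before: str, after: str) -> list[dict]:
    """Record every file written, modified or removed between the two listings."""
    b, a = parse_ls(before), parse_ls(after)
    changes = []
    for name in sorted(set(b) | set(a)):
        if name not in b:
            changes.append({"action": "written", "name": name, "size": a[name].size, "mtime": a[name].mtime})
        elif name not in a:
            changes.append({"action": "removed", "name": name, "size": b[name].size, "mtime": b[name].mtime})
        elif a[name] != b[name]:  # same name, but permissions, owner, size or mtime differ
            changes.append({"action": "modified", "name": name, "size": a[name].size, "mtime": a[name].mtime})
    return changes


# Constructed sample listings of /data/local/tmp, not captured from a real device.
BEFORE = """\
total 8
drwxrwx--x 2 shell shell 4096 2020-05-01 09:58 .
drwxr-x--x 3 root  root  4096 2020-05-01 09:58 ..
-rw-rw-rw- 1 shell shell   12 2020-04-30 18:21 old_log.txt
"""
AFTER = """\
total 96
drwxrwx--x 2 shell shell  4096 2020-05-01 10:02 .
drwxr-x--x 3 root  root   4096 2020-05-01 09:58 ..
-rw-rw-rw- 1 shell shell 86520 2020-05-01 10:02 AndroidService.apk
-rw-rw-rw- 1 shell shell    12 2020-04-30 18:21 old_log.txt
"""

if __name__ == "__main__":
    for change in diff_listings(BEFORE, AFTER):
        print(change)
```

A third listing taken after the wizard reports completion, diffed against the first, confirms the guide's statement that the written files are removed again; keeping all three listings with the case notes is the documentation the introduction calls for.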
Data Type              | [column heading missing] | [column heading missing]
Contacts               | Yes | Yes
MMS History            | Yes | Yes
Call History           | Yes | Yes
Media Store            | Yes | Yes
Browser History        | Yes | Yes
Settings               | Yes | Yes
Calendar               | Yes | Yes
Installed Applications | Yes | Yes
Application Data       | No  | Yes
Authentication Data    | No  | Yes
Contacts               | No  | Yes
SMS History            | No  | Yes
MMS History            | No  | Yes
Call History           | No  | Yes
Calendar               | No  | Yes
Other Data
Device Properties      | Yes | Yes
Data Type: Contacts
Notes: Numbers stored in the Phone memory and the folder with photos (including deleted data)
Data Format: A grid containing the fields:
  • Photo
  • Name
  • Notes
  • Phone (home)
  • Phone (mobile)
  • Email (home)
  • Email (work)
  • Email (other)
  • IM
  • Postal
  • Organization
  • Times contacted

Data Type: SMS History
Notes: Both sent and received SMS and a folder with the attachments shown in the binary files (including deleted data)
Data Format:
  • Date
  • Read
  • Address
  • Status
  • Type
  • Subject
  • Body
  • Service Center
  Note: For Parsed Recovered SMS History, the Type column contains the following values:
  1 – Inbox
  2 – Sent
  3 – Draft
  4 – Outbox
  5 – Failed

Data Type: MMS History
Notes: Both sent and received MMS, and a folder with the attachments shown in the binary files
Data Format: The MMS History is a grid containing the fields:
  • Date
  • Read
  • Address
  • Priority
  • Box
  • Class
  • Type
  • Subject
  • Text

Data Type: Call History
Notes: History of call logs (dialed numbers, received calls, etc.)
Data Format:
  • Date
  • Type
  • Duration
  • New
  • Number
  • Number type
  • Name

Data Type: Media Store
Notes: Information from the Image, Audio, and Video stores
Data Format:
  Video store is a grid containing the fields:
  • Name
  • Title
  • Size
  • MIME type
  • Date added
  • Date modified
  • Date taken
  • Duration
  • Resolution
  • Artist
  • Album
  • Category
  • Description
  • Private
  • Data
  Image store is a grid containing the fields:
  • Name
  • Title
  • Size
  • MIME type
  • Date added
  • Date modified
  • Date taken
  • Description
  • Private
  • Data
  • Orientation
  Audio store is a grid containing the fields:
  • Name
  • Title
  • Size
  • MIME type
  • Date added
  • Date modified
  • Duration
  • Artist
  • Composer
  • Album
  • Track
  • Year
  • Alarm
  • Music
  • Notification
  • Ringtone
  • Data

Data Type: Browser History
Notes: Includes browser history including visited URLs and performed searches.
Data Format:
  • Title
  • URL
  • Date
  • Bookmark
  • Visits
  Search history is a grid containing the fields:
  • Text
  • Date
  • Value

Data Type: [label missing]
Data Format: Binary nodes

Data Type: Android Backup
Notes: Includes only backup file from which file system data is parsed in case device rooting failed.
Data Format: Android Backup .ab binary file.

Data Type: [label missing]
Notes: This type of data contains the information on the applications installed on the device and parsed application data.
Data Format:
  • Facebook
  • Facebook Messenger
  • Fitbit
  • Google Chrome
  • Instagram
  • Jott Messenger
  • Kik (Kik Messenger)
  • LinkedIn
  • Pinger (Free Texting App Text Free)
  • Skype
  • Snapchat
  • textPlus
  • Textfree (Text Free: Free Texting App)
  • Tinder
  • Vkontakte
  • WhatsApp (WhatsApp Messenger)
  • Whisper
All data is acquired using the USB, Android Debug Bridge, and the program internal protocols.
Note: Acquisition of the device filesystem and recovery of deleted data are not
guaranteed for devices with Android OS 2.3.6.
The device properties are acquired and displayed in the Properties pane.
• Full Flash - includes raw partition images and parsed deleted data.
• File system - file system content is displayed in binary nodes.
• Authentication Data
• Recovered Contacts
• Recovered Call History
• Recovered Calendar
• Recovered SMS History
• Recovered MMS History
Note: Flash partitions data might be acquired partially from some devices with
Android OS 9.
The device properties are acquired and displayed in the Properties pane.
Android devices vary by manufacturer. Each manufacturer has the ability to modify the device
and it can affect the support of the device within the program. We test on a variety of devices
from a variety of manufacturers, but that does not guarantee 100% support of all Android
devices running a particular firmware because of these manufacturer changes. If your device
firmware is supported, but your device is not processed, please gather the logs and send them
to our support team. This will allow us to add modifications in future releases to account for
the manufacturer differences on the device you were processing.
A: On the start of acquisition of Motorola MB200 device, the device automatically reconnects
to the PC and the Choose Connection Mode message reappears on the device. Choose the
connection mode.
Q: I get the message that limited application data has been acquired. What does it mean?
A: Generally, it means that the version of the application on your device is higher than the one
supported in the current version of EnCase Mobile Investigator. Please contact OpenText
Support.
A: An Android backup file is acquired only in case device rooting failed. If device rooting is
successful, the acquired data contains all files that may be included in a backup file; therefore,
the acquisition of an Android backup file is not necessary.
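The Android backup file described above (the Android Backup .ab file acquired when rooting fails) is a plain file whose first four text lines describe the payload that follows. The Python below is an added example, not EnCase code, that reads that header, refuses to open an encrypted backup, inflates the zlib payload when the header says it is compressed, and lists the archive entries, so an examiner can confirm what the fallback backup actually contains before relying on it. The header layout it assumes (a magic line, a version number, a compression flag, an encryption name, then a zlib-compressed tar stream) is the publicly documented .ab format rather than anything this guide states; the sample backup is constructed in memory with two placeholder entries.

```python
from __future__ import annotations

import io
import tarfile
import zlib
from dataclasses import dataclass

AB_MAGIC = b"ANDROID BACKUP"


@dataclass
class AbHeader:
    version: int
    compressed: bool
    encryption: str      # "none" for plain backups; anything else needs a password
    payload_offset: int  # byte offset where the (possibly compressed) tar stream begins


def parse_ab_header(blob: bytes) -> AbHeader:
    """Read the four newline-terminated header lines at the start of an .ab file."""
    lines, pos = [], 0
    for _ in range(4):
        nl = blob.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated .ab header")
        lines.append(blob[pos:nl])
        pos = nl + 1
    if lines[0] != AB_MAGIC:
        raise ValueError("not an Android backup file")
    return AbHeader(int(lines[1]), lines[2] == b"1", lines[3].decode("ascii"), pos)


def summarize_ab(blob: bytes) -> dict:
    """Describe a backup: header fields plus the list of (name, size) file entries.

    Encrypted backups are reported but not opened; the tar stream is inflated only
    when the header says it is compressed.
    """
    try:
        hdr = parse_ab_header(blob)
    except ValueError as exc:
        return {"error": str(exc), "entries": None}
    result = {"version": hdr.version, "compressed": hdr.compressed,
              "encryption": hdr.encryption, "entries": None, "error": None}
    if hdr.encryption != "none":
        result["error"] = f"backup is encrypted ({hdr.encryption}); password required"
        return result
    payload = blob[hdr.payload_offset:]
    if hdr.compressed:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        result["entries"] = [(m.name, m.size) for m in tar.getmembers() if m.isfile()]
    return result


def build_sample_ab(compressed: bool = True, encryption: str = "none") -> bytes:
    """Constructed sample (not a real device backup): a two-entry tar inside an .ab header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in (("apps/com.example.app/_manifest", b"com.example.app\n1\n"),
                              ("apps/com.example.app/f/notes.db", b"\x00" * 64)):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = buf.getvalue()
    if compressed:
        payload = zlib.compress(payload)
    header = b"ANDROID BACKUP\n1\n%d\n%s\n" % (1 if compressed else 0, encryption.encode("ascii"))
    return header + payload


if __name__ == "__main__":
    print(summarize_ab(build_sample_ab()))
```

To inspect a real file, pass the bytes read from the acquired .ab to `summarize_ab`; an `error` entry naming encryption means the backup was made with a password and its contents cannot be listed without it.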
Data Acquisition - LG
The program allows you to perform physical acquisition of advanced Android LG devices using
the Android LG Advanced Physical plug-in.
Acquired Data - LG
The Android LG Advanced Physical plug-in acquires a complete file system of a device. The file
system is parsed and its content is shown in the form of binary files.
Supported Models - LG
The Android LG Advanced Physical plug-in allows you to acquire the following models of
Android LG devices with Android OS 4.4.2–5.1.1:
• LG G4
• LG G3 (all variants)
• LG G3 Beat
• LG G2 (all variants)
• LG G2 Mini
• LG G Pro 2
• LG G Pad
• LG G Watch
• LG F60
• LG L90
• LG Tribute
• LG Spirit
• LG Volt
• LG G Vista
A: The device may have been connected to a computer before pressing the Volume Up
button, or the button was released too early.
Q: Can I acquire other devices with Android 4.4.2 – 5.1.1 using the Android LG Advanced
Physical plug-in?
A: The Android LG Advanced Physical plug-in works only for LG devices and only with a limited
number of models. Successful acquisition of other LG models is not guaranteed.
Q: I cannot acquire data from my smartwatch device. How can I fix this?
A: If you have problems acquiring smartwatches, try one of the following solutions:
To prepare a Samsung smartphone with Android OS 4.4.4 – 6.0.1 for acquisition, put it into the
Download mode:
To perform acquisition, a custom forensic recovery image file has to be written into your
device memory. Once it is done, you will need to reboot your device into Recovery mode.
Note: Please keep in mind that the firmware of your device will be changed as a
result of acquisition by this plug-in.
Note: If your device model is not on this list, please do not try to acquire it via the
Android Samsung Bootloader (Physical) plug-in. This may result in your device not
being functional after your acquisition is complete.
A: No. If the device model you are trying to acquire does not correspond to the model you
select in the Acquisition Wizard, the device data may be wiped completely.
Q: The device starts normally when I try to put it into the Download Mode. Why?
A: This may happen if the Volume Down, Home, and Power buttons are released too early, or
if they are not pressed simultaneously. Do not release the buttons until the device enters
Download Mode.
1. Download the Firmware Update Drivers from the trusted Internet source to the computer.
2. Download the firmware PAC file (ROM image) for your Spreadtrum device model from the
trusted Internet source to the computer. The PAC file contains the boot image required
for physical acquisition of the Spreadtrum device. PAC files are unique for each device
model. To find out the device model, in the device settings, go to About phone > Model
number.
Note: The PAC file will be loaded into the memory of the device. Once the
data acquisition is completed, the file will be automatically removed from
the device memory.
7. Install the drivers and disconnect the device from the computer.
8. Connect the device once more. A virtual COM port appears in the Device Manager.
9. Disconnect the device.
Note: It is recommended to remove the device battery for a few seconds
every time after disconnecting the device from USB.
8. On the Connection Selection page, select the connection type and click Start
Acquisition.
Note: The device battery doesn’t charge during the acquisition. Depending on
the time required to acquire all data from the device, you might need to replace
the device battery with an alternative power source, like a DC–DC converter, to
prevent the device from shutting down during the acquisition.
9. The acquisition process starts. Its progress is displayed on the Acquisition Progress
page.
10. After the acquisition finishes, click Finish.
11. The case is saved and you can disconnect the device from the computer.
Note: Each device model requires its own Firmware Update drivers and ROM image file in
order to be acquired.
1. Make sure that the Mobile Driver Pack is installed on your computer.
2. Download the DA file to your computer from the trusted source. The DA file contains the
boot image required for physical acquisition of the MTK device.
Note: The DA file will be loaded into the memory of the device. Once the
data acquisition is completed, the file will be automatically removed from
the device memory.
Note: In the current version of the program, acquisition of devices based on MTK
chipsets can be performed only via manual plug-in selection.
7. While the device is turned off, click Continue and connect the device as soon as possible,
within 10 seconds at most.
8. On the Connection Selection page, select the connection and click Continue.
Note: If the connection is not established, try connecting the device without the
battery or use another DA file.
9. The data acquisition process starts. Its progress is displayed on the Acquisition Progress
page.
10. After the acquisition finishes, click Finish.
11. The case is saved and you can disconnect the device from the computer.
Note: Each device model requires specific MediaTek USB VCOM drivers and the
DA file to be acquired.
1. Make sure that the Mobile Driver Pack is installed on your computer.
2. Make sure that you have a programmer file(s) downloaded from the trusted source on
the Internet to your computer. The programmer file required for physical acquisition of
the Qualcomm device will be loaded to the device RAM and will be automatically deleted
from there after rebooting or turning off the device.
3. Put the device into the EDL (Emergency Download) mode.
There are a few ways to put the device into the Emergency Download mode. The most
popular ways are described below:
Combination of buttons
Note: For different devices, different combinations may apply.
Option 1:
Option 2:
4. When the warning about entering the download mode appears, release the buttons.
5. Press and hold Volume Up.
6. Release Volume Up when the screen is off.
7. Open the Device Manager on the PC and search for “Qualcomm XXXX” COM port.
8. If such a port is available, the device is in the EDL mode.
Option 3:
To use this method, you will need a special EDL cable. Just plug the cable into the PC,
press and hold the cable’s toggle button and plug it into the device. After releasing the
toggle button, the device will boot into EDL mode.
Note: To exit from the EDL mode, press the Power button.
Data Acquisition
EnCase Forensic allows you to acquire Android devices with Qualcomm processors using the
Android Qualcomm EDL (physical) plug-in.
7. Click Continue.
8. On the Connection Selection page, select the connection and click Continue.
9. The acquisition process starts automatically. Progress is displayed on the Acquisition Progress page.
Note: If the acquisition process fails, please reboot your device before starting the
next acquisition.
10. After the acquisition finishes, the device will be rebooted automatically.
11. Click Finish.
The case is saved and you can disconnect the device from the computer.
Acquired Data
The Android Qualcomm EDL (physical) plug-in acquires the full memory dump of devices
(except SD card) with Qualcomm processors.
Supported Models
The Android Qualcomm EDL (physical) plug-in allows you to acquire Android devices with
Qualcomm processors that can be put into the EDL mode.
1. In the device menu, select Settings > Device Info, and then select the USB debugging
option.
2. Connect the device to the computer using a data cable. Make sure the required drivers
are installed (the required drivers for most Tizen devices are included in the Mobile Driver
Pack).
3. Before starting acquisition, on the Pre-acquisition Options page, select Unlock device
filesystem to unlock the device file system. This action is required to perform acquisition.
Note: Unlocking a device file system doesn't damage the device or any data on it.
4. Move between the other pages of the wizard and, when you are ready to start the acquisition, click Start Acquisition.
5. Before acquisition starts, the device file system will be unlocked. For this purpose, the
program writes special files to the /tmp/, /opt/usr/apps/tmp/ and
/home/developer/sdk_tools/gdbserver/ folders. The files will be removed
automatically after the process of acquisition finishes.
Note: This does not damage data integrity and does not cause any damage to the
device.
6. Data acquisition starts, and its process is displayed on the Acquisition Progress page.
7. When data acquisition finishes, the case is saved. Click Finish.
Note: This process may take some time.
• Make sure that no programs block EnCase Forensic access to the network (e.g., EnCase
Forensic is not blocked by a Firewall).
• If that doesn't work, disconnect other USB devices from your computer and connect the
device to a different USB 2.0 port on your computer.
• If that doesn't work, turn the device off and turn it on again.
• If that doesn't work, restart your computer and reconnect the device to your computer.
• Make sure you enabled the USB Debugging mode on the device.
If your device is locked by a password you will be asked to enter it. The password can only be
entered 10 times. If you enter a wrong password on the last attempt, all data on the device will
be erased.
If acquisition is performed via a COM port and the device is locked by a password, then only
the Memory Image can be acquired.
• If a BlackBerry device is locked with a password and acquisition is performed via a COM
port, databases will not be acquired.
• Memory images from BlackBerry Devices with Java (OS v. 4.0) will probably not be
acquired. Their acquisition depends on the state of the device.
• SMS messages once opened on BlackBerry and marked as Unread manually have a Read
flag in the program.
• Address Book
• Application (OS 4.x and higher)
• Auto Text
• BlackBerry Messenger (OS 4.x and higher)
• Browser Bookmarks
• Calendar
• Categories
• Filesystem (from Content Store database)
• Handheld Agent
• Hotlist
• Memo
• Messages
• PhoneCall
• Profiles
• QuickContacts
• Service Book
• SMS
• Task
Type | Contents
BlackBerry Pager (devices of series 85x) | Memory (in one binary node called Memory Image)
Simple BlackBerry Devices (these devices have an Intel 386 processor inside) | Databases stored in the physical memory. Some databases are parsed (see list below).
A: Disable the Content Protection option. To do this, set the Options > Security Options >
General Settings > Content Protection option to Disabled, then save your changes and
restart the device.
Q: I get the message that limited application data has been imported during the BlackBerry
backup 10 import. What does it mean?
A: Generally, it means that the version of the application on your device is higher than the one
supported in the current version of EnCase Forensic. Please contact OpenText Support.
Note: Data on the device will not change in the process of acquisition. No data and
no applications are written to the device file system.
Note: Physical acquisition of Nokia Symbian OS devices can only be performed via
manual plug-in selection with the Nokia Symbian OS (physical) plug-in.
Z: ROM | It will always be present
• Nokia 9290
Note: Data on the device will not change in the acquisition process. No data and no
applications are written to the device filesystem.
Note: Physical acquisition of Nokia Symbian OS devices can only be performed via
manual plug-in selection with the Nokia Symbian OS (physical) plug-in.
Please note that Symbian OS 6.1 devices can be connected via IrDA or Bluetooth. We
recommend that these forms of connection only be used as a last resort as neither connection
is secure. Data cables should always be your first choice as they are secure. Pay attention to
the steps for connecting your device using IrDA or Bluetooth.
Note: Symbian OS 6.1 device can be acquired only via manual plug-in selection.
A: Parsing the acquired data is not yet supported by EnCase Forensic. You can use the hex
viewer or other forensic tools to view the data.
Acquisition is performed via the Nokia Symbian 7.x - 8.x Logical Plug-in.
Note: Physical acquisition of Nokia Symbian OS devices can only be performed via
manual plug-in selection with the Nokia Symbian OS (physical) plug-in.
Contacts
Contacts grid:
• ID
• Group
• Last name
• First name
• Tel. (home)
• Tel. (home)
• Web addr. (home)
• Street (home)
• Postal/ZIP (home)
• City (home)
• Job title
• Job title
• Company
• Tel. (business)
• Mobile (business)
• Web addr. (bus.)
• P.O. Box (bus.)
• Extension (bus.)
• Street (business)
• Postal/ZIP (bus.)
• City (business)
• St.Prov. (bus.)
• Ctry./Reg. (bus.)
• Telephone
• Telephone
• Mobile
• Pager
• Fax
• Email
• Email
• Street
• #
• ID
• Group
• Last name
• First name
• Job title
• Company
• Telephone
• Mobile
• Fax
• Email
• User ID
• Creation date (UTC)
• Last modified (UTC)
Config grid:
• Parameter
• Value
Logs
• ID
• Event type
• Direction
• Contact ID
• Number
• Remote party
• Subject
• Date
• Duration
• Specific data
Config grid:
• Parameter
• Value
ToDo list
• Description
• Priority
• Due date
• Crossed out date
• Creation date
• #
• Description
• Priority
• Due date
• Crossed out date
• Creation date
Calendar
Calendar grid:
• #
• Status
• Description
• Location
• Type
• Start date
• Start time
• End date
• End time
• Alarm time
• Alarm days warning
• Repeat type
• Repeat specification
• Repeat interval
• Repeat forever
• Repeat start date
• Repeat end date
• Creation date
• #
• Status
• Description
• Location
• Type
• Start date
• Start time
• End date
• End time
• Alarm time
Mail box
• Text
• Number
• Folder
• Service
• Date
• Property
• Value
Acquisition is performed via the Nokia Symbian 9.x Devices Logical Plug-in.
Note: Data on the device will not change in the acquisition process. No data and no
applications are written to the device filesystem.
• MMS History
• SMS History
Logs
• ID
• Event type
• Direction
• Contact Id
• Number
• Remote party
• Subject
• Date
• Duration
• Specific data
Config grid:
• Parameter
• Value
ToDo list
• Description
• Priority
• Due date
• Crossed out date
• Creation date
• #
• Description
• Priority
• Due date
• Crossed out date
• Creation date
Calendar
Calendar grid:
• Status
• Description
• Location
• Type
• Start date
• Start time
• End date
• End time
• Alarm time
• Alarm days warning
• Repeat type
• Repeat specification
• Repeat interval
• Repeat forever
• Repeat start date
• Repeat end date
• Creation date
• #
• Status
• Description
• Location
• Type
• Start date
• Start time
• End date
• End time
• Alarm time
• Alarm days warning
• Repeat type
• Repeat specification
• Repeat interval
Mail box
• Text
• Number
• Folder
• Service
• Date
• Property
• Value
Parsed Backup data | This is device backup data parsed into grids with various data.
A: SMS and email history are not acquired for Symbian 9.1.
Q: It seems like not all the files from the filesystem are acquired. Why?
A: This may happen because of the specific device. Some system files may be locked and
cannot be acquired.
1. Open the Symbian Dumpers subfolder of the program installation folder.
2. Copy the SymbianDumper.exe file (for Symbian OS version 6.1 and higher) or the
SymbianDumper6.0.exe file (for Symbian OS version 6.0) to an external memory card using a
special card reader.
3. Insert this external memory card into the device being investigated. Note that the
supporting file is not written to the device, so it cannot damage the data stored on it.
4. Connect the device to the computer using a COM port cable.
5. On the Home page, click Manual Plug-in Selection.
6. On the Plug-in Selection page, select the Nokia Symbian OS (physical) plug-in.
7. On your Symbian device, navigate to the copied file (SymbianDumper.exe or
SymbianDumper6.0.exe) and open it on the device.
8. In the opened window, select SERIAL for the connection type.
9. On the Connection Selection page, select the port via which the acquisition will be
performed. Click the Instructions navigation link.
10. Once you have read the instructions on the Instructions page, click Start Acquisition.
11. The data acquisition starts and its process is displayed on the Acquisition Progress page.
12. When the data acquisition finishes, the case is saved. Click Finish.
Note: This process may take some time.
1. Open the Symbian Dumpers subfolder of the EnCase installation folder.
2. Copy the SymbianDumper.exe file (for Symbian OS version 6.1 and higher) or the
SymbianDumper6.0.exe file (for Symbian OS version 6.0) to an external memory card using a
special card reader.
3. Insert this external memory card into the device being investigated. Please note that the
supporting file is not written to the device so it cannot damage the data stored on it.
4. Connect the Infrared adapter to your computer. Wait until the device is installed on your
computer.
5. Start the program.
6. On the Home page, click Manual Plug-in Selection.
7. On the Plug-in Selection page, select the Nokia Symbian OS (physical) plug-in.
8. On your Symbian device, navigate to the copied file (SymbianDumper.exe or
SymbianDumper6.0.exe) and open it on the device.
9. In the opened window, select IrDA for the connection type.
10. Connect the device to the computer using the IrDA connection (place the Infrared
adapter next to the Infrared port of your Symbian device). You will see the notification
item in the Windows taskbar if the device is connected.
11. On the Connection Selection page, select the port via which acquisition will be
performed. Click the Instructions navigation link.
12. Once you have read the instructions on the Instructions page, click Start Acquisition.
13. Data acquisition starts, and its process is displayed on the Acquisition Progress page.
14. When data acquisition finishes, the case is saved. Click Finish.
Note: This process may take some time.
1. Open the Symbian Dumpers subfolder of the program installation folder.
2. Copy the SymbianDumper.exe file (for Symbian OS version 6.1) or the
SymbianDumper6.0.exe file (for Symbian OS version 6.0) to an external memory card using a
special card reader.
3. Insert this external memory card into the device being investigated. Please note that the
supporting file is not written to the device so it cannot damage the data stored on it.
4. Connect the Bluetooth device to a USB port. Wait until the Bluetooth icon appears in the
taskbar.
5. Right-click the Bluetooth icon in the taskbar and select Open Settings.
6. In the Bluetooth Settings window, select the Options tab and select the Allow Bluetooth
devices to find this computer checkbox. Click Apply.
7. Right-click the Bluetooth icon in the taskbar and select Add a Device. In the newly-
opened window, select the detected Symbian device and click Next.
8. Enter the code displayed by Windows into your Symbian device and press OK.
9. Wait until your device is completely connected. You will see the following page of the Add
a Device wizard. Click Close.
10. On the Home page, click Manual Plug-in Selection.
11. On the Plug-in Selection page, select the Nokia Symbian OS (physical) plug-in.
12. Go to the SymbianDumper.exe (SymbianDumper6.0.exe) file on your external memory
card on the phone and open it.
13. Select the Bluetooth connection (as shown on the following picture).
14. In the list of Bluetooth devices on the phone, select the name of the computer with the
program installed and click OK.
15. Data acquisition starts, and its process is displayed on the Acquisition Progress page.
16. When data acquisition finishes, the case is saved. Click Finish.
Note: Physical acquisition of Nokia Symbian OS devices can only be performed via
manual plug-in selection.
Pay attention to each connection process. You should define the correct settings for IrDA,
Bluetooth, and COM port connection.
Note: Data on the device will not change in the process of acquisition. No data and
no applications are written to the device file system.
A Processes dump includes all binary files used by the processes currently running on the
device.
All data is acquired in the form of binary files and stored in folders whose names are the names
of the currently running processes.
A: Check that you correctly set the Bluetooth, IrDA, or COM port connection for your device.
4. If you enter the code correctly, you'll see the developer mode application icon.
The acquisition is performed via the WebOS Based Devices Logical Plug-in.
The amount and the type of acquired data depend on the type of device.
Usually PDA plug-ins for the program allow you to acquire the following data:
• RAM
• ROM
• Databases Stored in the Memory
Siena Series
Select Menu > Special > Communications.
Series 3c
Select Menu > Special > Communications.
Series 5
Select Menu > Tool > Remote link.
• Link: Cable
• Baud rate: 19200
Note: For other Psion device settings, please read the instructions for your device.
The acquisition is performed via the Psion 16/32 bit devices logical plug-in.
Note: Acquisition of Psion 16/32-bit devices can only be performed via manual
plug-in selection.
Note: Some models of Psion devices lock ROM (disk C:) and RAM (internal disk). If
they are locked, the program will not be able to acquire them. Locked disks are
usually marked ABSENT in the menu of the device.
All data is acquired in the form of binary nodes and is not parsed.
SERIES 3c, SERIES 3MX | M: RAM | Will be empty if a hard reset for a device was done.
The properties of the acquired data can be seen in the Properties pane.
Device node | Program timestamp | For Psion devices with SIBO (EPOC 16) OS, it will be defined only if RPC service is loaded.
Version
Date/Time
Attributes
MD5
SHA1
Q: The acquisition stops and the device stops responding. What do I do?
A: If this happens, restart the device and start the acquisition again. In some cases, you may
need to do this multiple times before the proper acquisition process is completed. After
restarting, please check the connection settings of the device thoroughly.
Note: Some Palm devices (for example Treo 750) have the Windows Mobile OS and
must be acquired with the Windows Mobile/PocketPC logical plug-in or Windows
Mobile 5-x/6-x physical plug-in.
Note: These instructions only work for Palm devices. The program should work
with devices running the Palm OS made by other firms, but we can't guarantee it.
Consult the instructions to your device to find out how to put it into the console
mode.
◦ To acquire the Logical Image (Databases), put your device into the Sync mode. Press the
Sync button on the cradle or activate the Sync mode through the screen dialog on the
device, then click Continue.
3. If acquisition from a Palm device is being performed for the first time, the driver
installation for it begins. This may lock the device.
Note: If the device gets locked while acquiring Databases, press Cancel. If you
are acquiring Memory and the device gets locked, restart the device (turn it off
and then back on).
4. Acquisition starts.
5. There can be some files locked by the Palm OS on your device. If the program tries to
acquire these files, it adds the file to the "black list" and stops acquisition. Files added to
the black list are omitted on next acquisition. You have to repeat acquisition until all
locked files are added to this list. After that, all unlocked files will be acquired without
errors.
6. After acquisition finishes, click Finish.
ROM Card Information contains the password field which will be filled if the device is locked by
a password and runs Palm OS v4.0 or lower.
Some parts of data in databases will be parsed and displayed in grid form (MemoDB,
AddressDB, DatebookDB, etc).
Device node | Vendor, Caption, Program timestamp | This information is usually the same for all devices.
RAM/ROM | State | Acquired/Not Acquired.
RAM/ROM | Actual size | Size defined on the device.
RAM/ROM | Acquired Size | This size can be less than actual size.
RAM/ROM | MD5/SHA1 | Calculated hash codes.
Databases | Name |
Databases | State | Acquired/Not Acquired/Parsed.
Databases | Create/Modify/backup dates |
Databases | Version |
Databases | Resource | Resource (resources or executable code)/Database (data).
Databases | Size |
Databases | Identifier |
A: Check whether your device has Palm OS. Some Palm devices (for example, Treo 750) have
the Windows Mobile OS and must be acquired by the Windows Mobile/PocketPC logical plug-in
or Windows Mobile 5.x - 6.x physical plug-in.
Q: Driver installation starts during acquisition. After driver installation, Palm does not
acquire memory.
A: To resolve this problem, the user must reset the Palm device (use the hole on the back side
of the device) before starting a new acquisition. It is strongly recommended that you acquire
Databases before the Memory Image.
Q: I can't put the device into the console mode even when following the instructions given
in the Data Acquisition topic. Why?
A: The given instructions are only suitable for devices made by Palm. EnCase Forensic should
work with any Palm devices made by other firms, but it is not guaranteed. Consult the
instructions for your device to find out how to put it into the console mode.
Q: I experience difficulties while acquiring ROM from devices with Palm OS 5.0. Why?
A: The problem is that some databases in the ROM are locked. When EnCase Forensic starts
the acquisition and runs into a locked file, it freezes. You just need to restart the device and
continue the acquisition. When this happens, the locked file will not be read again. It will be
added to the list (its size will be near 70 - 80 bytes).
A: EnCase Forensic cannot acquire passwords from devices running versions of the Palm OS
later than 4.0.
Q: When syncing the Palm device, the device reports "Unable to initiate HotSync operation
because the port is used by another application". What's using the port?
A: Usually, this is caused by the device being placed into the console mode and not being
reset. To fix this problem, soft reset the device using the pin hole on the back (usually labeled
"Reset").
A: There can be files locked by the OS on the device. These files cannot be acquired. They are
added to the Black list and omitted during the following acquisitions. You have to repeat the
acquisition process until all locked files from your device are added to the Black list. After this
the acquisition is performed without errors.
Logical acquisition is performed via the Windows Mobile Devices Logical Plug-in.
Physical acquisition is performed via the Windows Mobile 5.x – 6.x Devices Physical Plug-in.
Please note that, for logical acquisition, when a connection with the device is being
established, the device will probably ask for a confirmation to write the .dll library into its
memory. Please agree to this or else the connection won't be established.
Note: Data acquisition can be done only with the help of a special .dll library which
is written to the free space in the device memory. This guarantees that data stored in
the device memory won't be lost.
Logical acquisition allows you to acquire the following data in the form of binary nodes:
Acquired Data | Contents | Notes
Filesystem | The filesystem of the device including user files, system files, program files, and recovered deleted data. | The information from any external cards can be seen in the folder nodes named Storage Card, SD Card, CF Card, etc.
Databases | Databases stored on the device. | Windows Mobile 5.x and 6.x use removable databases. They cannot be read because they are locked by the device.
For Windows Mobile 5.x for Pocket PC Phone Edition, Windows Mobile 5.x for Smartphones,
Windows Mobile 6.x Professional for Pocket PC, and Windows Mobile 6.x Standard for
Smartphones, the following data is acquired in grid form:
Acquired Data: Call History
Contents: Call history of the device (outgoing, incoming, etc. call)
Fields Description:
Call History:
• Name: The name of the contact.
• Telephone Number: The phone number of the contact.
• Telephone Number Type:
  ◦ w - The work telephone number
  ◦ h - The home telephone number
  ◦ m - The mobile telephone number
  Note: The letter depends on the language of the phone.
• Caller ID type:
  ◦ Unavailable
  ◦ Blocked
  ◦ Available
• Call Status:
  ◦ Outgoing
  ◦ Missed
  ◦ Incoming
  missed calls
• Call Connected:
  ◦ Yes - Call connected
  ◦ No - Busy
  ◦ No answer
• Call ended:
  ◦ Yes - Call ended
  ◦ No - Call dropped
  roaming
  ◦ No - Local call
Acquired Data: SIM Data
Note: This data is acquired only if the SIM card is inserted and its phone functionality is turned on.
Contents: The Phonebook and the SMS history (including deleted SMS) stored on the SIM card
Fields Description:
SIM Phonebook:
• Text: The name of the contact
• Phone number: The phone number of the contact
• Address type:
  ◦ International number
  ◦ One national number
  ◦ Network-specific number
  ◦ Subscriber number (protocol-specific)
  ◦ Alphanumeric address
  ◦ Abbreviated number
• Numbering plan: A type of numbering scheme used in telecommunications; for example, ISDN/mobile.
SIM Messages (SMS history):
• Message: SMS text.
• Phone number: The number from which the SMS was sent.
• Receive time: Time when the message was received.
• Address type:
  ◦ International number
  ◦ One national number
  ◦ Network-specific number
  ◦ Subscriber number (protocol-specific)
  ◦ Alphanumeric address
  ◦ Abbreviated number
Acquired Data: Pocket Outlook Items
Contents: Contacts information
Fields Description:
Contacts:
• FirstName: The first name for the contact
• LastName: The last name for the contact
• MiddleName: The middle name for the contact
• FileAs: The filing string for a contact
• MobileTelephoneNumber: The mobile or cellular telephone number for the contact
• HomeTelephoneNumber: The home telephone number for the contact
• RadioTelephoneNumber: The radio telephone number for the contact
• Email1Address: The first e-mail address for the contact
• Birthday: The birth date for the contact
• Anniversary: The wedding anniversary date for the contact
• HomeAddressStreet: The home street address for the contact
• HomeAddressCity: The home city for the contact
• HomeAddressState: The home state, department, or province for the contact
• HomeAddressPostalCode: The home ZIP or postal code for the contact
• HomeAddressCountry: The home country/region for the contact
• BusinessFaxNumber: The business fax number for the contact
• CompanyName: The company name for the contact
• Department: The department name for the contact
• OfficeLocation: The office location for the contact
• PagerNumber: The pager number for the contact
• BusinessTelephoneNumber: The business telephone number for the contact
• JobTitle: The job title for the contact
• Email2Address: The second e-mail address for the contact
• Spouse: The name of contact's spouse
• Email3Address: The third e-mail address for the contact
• Home2TelephoneNumber: The second home telephone number for the contact
• HomeFaxNumber: The home fax number for the contact
• CarTelephoneNumber: The car phone number for the contact
• AssistantName: The name of contact's assistant
• AssistantTelephoneNumber: The phone number for the contact's assistant
• Children: The names of contact's children
• Categories: The categories for the contact
• WebPage: The Web page for the contact
• Business2TelephoneNumber: The second business telephone number for the contact
• Title: The title for the contact
• Suffix: The suffix for the contact name
• OtherAddressStreet: The alternative street address for the contact
• OtherAddressCity: The alternative city for the contact
• OtherAddressState: The alternative state, department, or province for the contact
• OtherAddressPostalCode: The alternative ZIP or postal code for the contact
• OtherAddressCountry: The alternative country/region for the contact
• BusinessAddressStreet: The business street address for the contact
• BusinessAddressCity: The business city for the contact
• BusinessAddressState: The business state for the contact
• BusinessAddressPostalCode: The business ZIP or postal code for the contact
• BusinessAddressCountry: The business country/region for the contact
• Body: The notes for the contact
• YomiCompanyName: The Japanese phonetic rendering (Yomigana) of the company name for the contact
• YomiFirstName: The Japanese phonetic rendering (Yomigana) of the first name for the contact
• YomiLastName: The Japanese phonetic rendering (Yomigana) of the last name for the contact
Acquired Data: Pocket Outlook Items
Contents: Calendar information
Fields Description:
Calendar:
• Subject: The description of the event
• Location: Location of the event
• Categories: Categories assigned to the event
• Start: Start time of the event
• End: Finish time of the event
• Duration: Duration of the event
• IsRecurring:
  ◦ Yes - Recurring event
  ◦ No - Non-recurring events
• RecurrencePattern: The current recurrence pattern for the event.
• AllDayEvent:
  ◦ Yes - All day events
  ◦ No - Events not set to all day
• BusyStatus: User's availability during the event time
• Sensitivity: Sensitivity for an event (normal or private)
• Body: Ink notes or the message body accompanying the event
• Recipients: A collection of recipients for an event that is a meeting
• MeetingStatus:
  ◦ Yes - Event is a meeting
  ◦ No - Event is not a meeting
• ReminderSet:
  ◦ Yes - Event reminder set
  ◦ No - Event reminder not set
• ReminderSoundFile: The name of the reminder sound file
• ReminderMinutesBeforeStart: Time the reminder will play (reminder delay before event beginning)
• ReminderOptions: The type of the reminder for the event
• BodyInk: A binary representation of the event body
Fields Description:
Tasks:
task
• IsRecurring:
  ◦ Yes - Recurring task
  ◦ No - Not a recurring task
set
• ReminderSoundFile: The name of the reminder sound file
• ReminderTime: Determines when a reminder occurs before the start or due date of a task
• Sensitivity: Sensitivity for a task (normal or private)
• BodyInk: A binary representation of the task body
Note: Data acquisition is performed with the help of a special DLL library, which is
written to the free space in the device memory. This guarantees that data stored in
the device memory won't be lost.
Acquired data: Internal stores
Contents: ROM, the parsed FAT filesystem, and the binary file (Binary) that contains all unparsed data acquired from the device, including deleted data. The file containing Contacts is parsed.
Notes: All data stored in the device memory (storage) is acquired, but only the filesystem is parsed.

Acquired data: Memory cards
Contents: The parsed FAT filesystem and the binary file (Binary) that contains all unparsed data acquired from the device, including deleted data.
The information about memory stores from which data was read (physical characteristics) can
be seen in the Properties pane.
Physical acquisition should work with any device running Windows Mobile 5.x – 6.x.
A: Make sure the SIM card is inserted in the device and the phone functionality of the device is
turned on.
Q: I cannot acquire Call History, SIM data and Pocket Outlook items. Why?
A: Make sure you confirmed the DLL installation by tapping Yes on your device when the acquisition started. Also make sure that the security settings of your device allow applications to copy data to the device and allow unsigned applications to run on it.
- If you use a USB cable, make sure the required drivers are installed. The installation of these drivers is included in the Mobile Driver Pack.
- Turn off all external applications working with the Garmin GPS device.
- In the device settings, define Garmin USB as the connection protocol.

- Garmin Mass Storage Devices (Garmin nuvi): Device settings, Waypoints, Tracks, Routes, and Maps.
- Garmin Devices (eTrex, Rino, Edge, GPSMAP, etc.): Waypoints, Proximity waypoints, Tracks, Routes, Almanac, Maps, and Device properties.
Besides the standard case file containing the acquired data, the program allows you to create a
GPS file. This file contains information about tracks, routes, and waypoints stored on the
Device.
The GPS file (GarminGPS.gps) is placed as a sub-node of the device node and can be exported
for future examination.
Data is read from the device as from a mass storage device. The acquired .gpx files are parsed and shown in the form of a grid:

Device settings
  Notes: Device settings include two types of data: Data type (includes information about most device settings) and Update file.
  Data format: For Data type data, a grid containing the fields Base name, File location, File path, and Transfer direction. For the update file, a grid containing the fields Part number, Description, Path, and File name.
Waypoints
  Notes: Waypoints are sets of coordinates that identify a point in physical space.
  Data format: A grid containing the fields Name, Position, Elevation (m), Creation date/time (UTC), Magnetic variation (deg), Geoid height (m), Comment, Description, Source of data, URL, Link, GPS symbol name, Classification, Number of satellites, HDOP, VDOP, PDOP, Time since last DGPS update (seconds), and DGPS station ID.
Tracks
  Data format: Three grids containing the fields:
  1. Link: Text
  2. Properties: Comment, Description, Source, Number, Type
  3. Waypoints: Name, Position, Elevation, Creation date/time (UTC), Magnetic variation, Geoid height, Comment, Source, URL associated, Text hyperlink, Symbol, Type (category), GPS fix, HDOP, VDOP, PDOP, Time since last DGPS fix, DGPS station ID
Routes
  Notes: A course of travel drawn by the user.
  Data format: Three grids:
  1. URL: Href, Type, Text
  2. Optional: Comment, Description, Source, Number, Type
  3. Waypoints: Name, Position, Elevation, Creation date/time (UTC), Magnetic variation, Geoid height, Comment, Source, URL associated, Text hyperlink, Symbol, Type (category), GPS fix, HDOP, VDOP, PDOP, Time since last DGPS fix, DGPS station ID
Note: The types and amount of acquired data depend on the type of device.
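The grids above are a straight projection of the GPX 1.1 elements in the .gpx files read from the mass-storage device (wpt, rte/rtept, trk/trkseg/trkpt and their ele, time, magvar, geoidheight, cmt, desc, src, link, sym, type, fix, sat, hdop, vdop, pdop, ageofdgpsdata and dgpsid children). The following is an added example, not EnCase code: a parser that turns a GPX 1.1 document into those three structures and re-keys a waypoint under the grid's column names. The GPX document is constructed for the demonstration, and the mapping of grid columns such as "Source of data" and "Classification" onto the src and type elements is the author's assumption.

```python
"""Parse a GPX 1.1 file into the waypoint, route and track fields the Garmin
mass-storage grid shows.  Added example, not EnCase code; the GPX document
below is constructed for the demonstration."""
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
NS = {"g": GPX_NS}

# GPX 1.1 <wpt>/<rtept>/<trkpt> children, in schema order, that become grid columns.
POINT_FIELDS = ("ele", "time", "magvar", "geoidheight", "name", "cmt", "desc", "src",
                "sym", "type", "fix", "sat", "hdop", "vdop", "pdop", "ageofdgpsdata", "dgpsid")
FLOAT_FIELDS = {"ele", "magvar", "geoidheight", "hdop", "vdop", "pdop", "ageofdgpsdata"}
INT_FIELDS = {"sat", "dgpsid"}

# Grid column names from the manual -> GPX element (the mapping is the author's assumption).
GRID_COLUMNS = {
    "Name": "name", "Elevation (m)": "ele", "Creation date/time (UTC)": "time",
    "Magnetic variation (deg)": "magvar", "Geoid height (m)": "geoidheight",
    "Comment": "cmt", "Description": "desc", "Source of data": "src",
    "GPS symbol name": "sym", "Classification": "type", "Number of satellites": "sat",
    "HDOP": "hdop", "VDOP": "vdop", "PDOP": "pdop",
    "Time since last DGPS update (seconds)": "ageofdgpsdata", "DGPS station ID": "dgpsid",
}


def _text(el, tag):
    child = el.find(f"g:{tag}", NS)
    return None if child is None or child.text is None else child.text.strip()


def parse_point(el) -> dict:
    """Flatten one point element; fields absent from the file are None."""
    point = {"lat": float(el.get("lat")), "lon": float(el.get("lon"))}
    for tag in POINT_FIELDS:
        value = _text(el, tag)
        if value is not None and tag in FLOAT_FIELDS:
            value = float(value)
        elif value is not None and tag in INT_FIELDS:
            value = int(value)
        point[tag] = value
    link = el.find("g:link", NS)
    point["link"] = None if link is None else {"href": link.get("href"), "text": _text(link, "text")}
    return point


def parse_gpx(data: bytes) -> dict:
    """Return {'waypoints': [...], 'routes': [...], 'tracks': [...]} from GPX 1.1 bytes.
    A GPX file is untrusted evidence input; ElementTree does not fetch external
    entities, but route it through defusedxml in production tooling."""
    root = ET.fromstring(data)
    if root.tag != f"{{{GPX_NS}}}gpx":
        raise ValueError(f"not a GPX 1.1 document (root element {root.tag})")
    return {
        "waypoints": [parse_point(w) for w in root.findall("g:wpt", NS)],
        "routes": [{"name": _text(r, "name"),
                    "points": [parse_point(p) for p in r.findall("g:rtept", NS)]}
                   for r in root.findall("g:rte", NS)],
        "tracks": [{"name": _text(t, "name"),
                    "segments": [[parse_point(p) for p in s.findall("g:trkpt", NS)]
                                 for s in t.findall("g:trkseg", NS)]}
                   for t in root.findall("g:trk", NS)],
    }


def grid_row(point: dict) -> dict:
    """Re-key one parsed point under the manual's waypoint grid column names."""
    row = {"Position": f"{point['lat']:.6f}, {point['lon']:.6f}"}
    row.update({column: point[tag] for column, tag in GRID_COLUMNS.items()})
    row["URL"] = point["link"]["href"] if point["link"] else None
    row["Link"] = point["link"]["text"] if point["link"] else None
    return row


# Constructed sample: one fully populated waypoint, a two-point route, a two-point track.
SAMPLE_GPX = b"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed-sample" xmlns="http://www.topografix.com/GPX/1/1">
  <wpt lat="47.6062" lon="-122.3321">
    <ele>56.0</ele><time>2020-03-01T12:00:00Z</time><magvar>15.5</magvar>
    <geoidheight>-20.1</geoidheight><name>HOME</name><cmt>parking</cmt>
    <desc>Seattle</desc><src>GPS receiver</src>
    <link href="http://example.invalid/home"><text>site</text></link>
    <sym>Flag, Blue</sym><type>user</type><fix>3d</fix><sat>8</sat>
    <hdop>1.2</hdop><vdop>1.8</vdop><pdop>2.1</pdop>
    <ageofdgpsdata>4.0</ageofdgpsdata><dgpsid>512</dgpsid>
  </wpt>
  <rte><name>Commute</name>
    <rtept lat="47.60" lon="-122.33"><name>A</name></rtept>
    <rtept lat="47.61" lon="-122.34"><name>B</name></rtept>
  </rte>
  <trk><name>Walk</name><trkseg>
    <trkpt lat="47.600" lon="-122.330"><ele>50</ele><time>2020-03-01T12:00:00Z</time></trkpt>
    <trkpt lat="47.601" lon="-122.331"><ele>51</ele><time>2020-03-01T12:01:00Z</time></trkpt>
  </trkseg></trk>
</gpx>"""

if __name__ == "__main__":
    for wpt in parse_gpx(SAMPLE_GPX)["waypoints"]:
        print(grid_row(wpt))
```

Fields the device did not write come out as None rather than being dropped, so an examiner can see which grid columns the file genuinely carried; the time string is kept verbatim because GPX times are already UTC.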
The Garmin GPS Logical Plug-in acquires the following data from Garmin Devices (eTrex, Rino, Edge, GPSMAP, etc.):
- Waypoints
- Proximity waypoints
- Tracks
- Routes
- Almanac
- Maps
- Device properties
Waypoints
  Notes: Waypoints are sets of coordinates that identify a point in physical space.
  Data format: A grid containing the fields Name, Attributes, Waypoint class, Waypoint color, Display option, Position, Altitude, Depth, Proximity distance, State, Country code, Waypoint symbol, and Subclass.
Proximity waypoints
  Notes: Waypoints and the area around them.
  Data format: A grid containing the fields Name, Attributes, Waypoint class, Waypoint color, Display option, Position, Altitude, Depth, Proximity distance, State, Country code, Waypoint symbol, and Subclass.
Routes
  Notes: A course of travel drawn by the user.
  Data format: Three grids:
  1. Links: Route link class, Subclass, Identifier
  2. Header: Identifier
  3. Waypoints: Properties, Attributes, Waypoint class, Waypoint color, Display option, Position, Altitude, Depth, Proximity distance, State, Country code, Waypoint symbol, Subclass
Almanac
  Notes: Data received from satellites.
  Data format: A grid containing the fields Week number, Almanac data reference time, Clock correction coefficient (s), Clock correction coefficient (s/s), Eccentricity, Square root of semi-major axis (a) (m**1/2), Mean anomaly at reference time (r), Argument of perigee (r), Right ascension (r), Rate of right ascension (r/s), Inclination angle (r), Almanac health, and Satellite ID.
Device properties
  Data format: A grid shown in the Properties window.
Physical acquisition acquires the Internal Memory Dump and Main Firmware from the Garmin
GPS devices. Both files are acquired as binary files and are not parsed.
- Make sure the drivers for the USB connection of your device are installed.
- Make sure you set Garmin USB as the connection protocol of your device.
- Make sure all external applications working with your device are turned off.
A: Some models of GPS devices need to have the Acquiring Satellites option turned ON to
acquire the Almanac.
Note: Connect the device to the computer and make sure it is detected on the
computer before you start the Acquisition Wizard.
Besides the standard case file containing the acquired data, the program allows you to create a
GPS file. This file contains information about tracks, routes, and waypoints stored on the
device. GPS files can be opened within the program and you can view information in Google
Earth without exporting this file.
The GPS file (TomTomGPS.gps) is placed as a sub-node of the device node and can be exported
for future examination.
The acquired files are parsed and shown in the form of a grid:

SMS History
  Notes: Sent and received SMS messages.
  Data format: A grid containing the fields Name, Phone number, Message, Time, Type, and Other information.
TomTom Configuration file
  Notes: Map settings.
  Data format: A grid containing the fields House number, Location type, Location description 1, Location description 2, Location description 3, Location North, Location East, Road North, Road East, Location ID, Turn Point 1 North, Turn Point 1 East, Turn Point 2 North, and Turn Point 2 East.
This process is repeatable with multiple devices and is considered forensically sound. In each
section, the details of the process can be found. The methods used by the program are
designed to write the minimal amount of data to the device to allow for a forensically stable
data acquisition.
- Alcatel
- CDMA Devices
- Kyocera CDMA
- LG CDMA
- LG GSM
- Motorola
- Motorola iDEN
- Nokia GSM
- Nokia TDMA
- Samsung CDMA
- Samsung GSM
- Sanyo CDMA
- Siemens
- Sony Ericsson
- ZTE
The types and amount of acquired data depend on the type of device. Usually, the feature phone plug-ins in the program allow you to acquire the following data:

  Data format: A grid containing the fields Number, Date, and Memory type.
Note: Physical acquisition of CDMA devices can be performed only via manual plug-in selection.

- GUID properties
- NV Memory Dump
- Memory Dump (for all phone models except Samsung CDMA)

Note: Physical acquisition is performed via the CDMA Devices Physical plug-in.
- SMS history
- Phonebook
- Filesystem
- Memo
- Call Logs
- Calendar
SMS history
  Notes: SMS received and sent from the phone.
  Data format: A grid containing the fields Text, State, Type, Sender/Recipient Number, Response/Reception Date, and Subject.

Phonebook
  Notes: Numbers stored in the phone memory.
  Data format: A grid containing the fields Name, Phone1, Phone2, Phone3, Phone4, Phone5, Email1, URL, Memo, Email2, and Email3.

Filesystem
  Notes: System files.

Memo

Call Logs (Incoming Calls, Outgoing Calls, Missed Calls)
  Data format: A grid containing the fields Type of Call, Phone Number, Name, Entry Number in Phonebook, Duration (s), and Date.

Calendar (Calendar File, Exceptions File)
  Data format: A grid containing the fields Event ID, Description, Date Start, Repeat, Remind, Delay, Ringtone, Has Voice, and Voice ID.
LG CDMA FAQ
Q: Data is not being read even though previous data was read without errors.
A: After acquiring data using the BREW protocol, you can't acquire data until you restart your
mobile phone. In this case, turn off your mobile phone and then turn it back on.
- Phonebook
- SMS History
- Memos
- Filesystem (if present)
- Scheduler
- Call Logs
- ToDo list
Phonebook
  Notes: Numbers stored in the phone memory.
  Data format: A grid containing the fields Name, Home number, Mobile number, Office number, Email, and Memo.

SMS history
  Notes: Both sent and received SMS.
  Data format: A grid containing the fields Text, State, Memory Type, Sender/Recipient Number, Response/Reception Date, SMS Center Number, and Type.

ToDo
  Data format: A grid containing the fields Text, Date, and Status.

Scheduler
  Data format: A grid containing the fields Text, Date/time, Alarm date/time, and Repeat.

Filesystem
  Notes: User files (Java files, multimedia, sounds, etc.).
  Data format: Binary nodes.
LG GSM FAQ
Q: The phonebook is not acquired from the phone. Why?
A: This means that support for your model has not yet been added to EnCase Forensic. Please send us your log files so that we can add support (by default the logs are located in C:\Program Files (x86)\Guidance Software\Mobile Acquisition\logs).
Motorola drivers are included in the Driver Pack, so you need to have it installed on your computer.

The first part of the installation is performed when a new Motorola device is connected to the computer for the first time.

1. The Found New Hardware message appears in the bottom-right corner of the screen.
2. At the same time, the Found New Hardware wizard appears on the screen. Click the Next button.
3. The driver search starts (the drivers are copied to the disk when the program is installed).
4. A caution message appears. Click the Continue Anyway button.
5. The installation finishes. Click the Finish button.
6. After this, it is recommended that you check whether the drivers are really installed. To do this, go to Start\Settings\Control Panel\System\Hardware\Device Manager. You should see the Motorola USB Modem there.
7. This means the first step of the driver installation has been performed successfully and you can now acquire data through the AT modem (Phonebook, Calendar, Call History, and SMS history).

The second part of the installation is performed when a Motorola device tries to acquire the file system (or the SMS and quick notes dump).

1. When you try to acquire this data for the first time, acquisition stops and you see an error message.
2. You see a number of Found New Hardware messages in the tray notification area in the bottom-right corner of the screen, and then the installation of all these subdevices begins. They are installed one after another. Please note that this can take some time. Sometimes there is a pause between the installation of different subdevices.
3. During the driver installation process, the information in the Device Manager window changes. When the installation is completely finished, you should see all the interfaces under Motorola USB device in gray. They should not be marked with question or exclamation marks.
4. Reconnect or power-cycle the device and start acquisition.

Note: Whenever you make selections, please leave the radio button selections as they are.

Please note that some devices, such as the Motorola VU 204, require the phone to be turned off before acquisition.
LOGICAL ACQUISITION

Phonebook
  Notes: Numbers stored in the phone memory.
  Data format: A grid containing the fields Location (Phone memory, Own number, Quick dial, etc.), Number, and Name.
  Protocol: AT protocol; OBEX protocol for some models.

SMS history
  Notes: Both sent and received SMS.
  Data format: A grid containing the fields Number, Status, Date/time, and Text.
  Protocol: TCI protocol.

Call logs
  Notes: Missed, received, and dialed calls list.
  Data format: A grid containing the fields Name, Number, and Direction (Received, Missed, Dialed).
  Protocol: AT protocol.

File System

Datebook
  Data format: A grid containing the fields Title, Alarm timed, Alarm enabled, Start time/date, Duration, Alarm time/date, and Repeat.
  Protocol: AT protocol; OBEX protocol for some models.
The amount of acquired data depends on the model and state of the phone. The types of data
listed above should be available; however, some of them can be empty or absent.
PHYSICAL ACQUISITION

SMS History and quick notes dumps
  Notes: SMS from Inbox and Outbox; quick notes.
  Data format: For SMS, a grid containing the fields Creator number, Sender number, Recipient number, Text, Date/Time, and Dump (a hyperlink that opens the dump corresponding to the SMS in the Text and Hex viewers). For quick notes, a grid containing the fields Text, Date/Time, and Dump (a hyperlink that opens the dump corresponding to the quick note in the Text and Hex viewers).

Calls logs
  Notes: Incoming and outgoing calls.
  Data format: A grid containing the fields Name, Number, Date/Time, and Duration.

Security information
  Notes: Restored security information from the phone, including security codes, IMEI, and more.
  Data format: Data is shown in grid form.

Note: Quick notes can only be extracted by physical acquisition. Logical acquisition does not acquire them.
Motorola FAQ
Q: I can't acquire data from this device. Why?
A: When acquiring data through a USB connection, make sure the driver installation process completed correctly.
Q: Data is not being read even though previous data was read without errors. Why?
A: After acquiring data by the TCI or BREW protocol, you can't acquire data until you restart your mobile phone. In this case, turn off your mobile phone and then turn it on again.
Logical acquisition acquires the following data from the phone SIM card:

Phonebook
  Notes: Numbers stored on the SIM card.
  Data format: A grid containing the fields ID, Number, and Name.
  Protocol: Direct protocol.

SMS history
  Notes: Both sent and received SMS stored on the SIM card.
  Data format: A grid containing the fields ID, Date/Time, and Text.
  Protocol: Direct protocol.

Filesystem

The amount of acquired data depends on the model and state of the phone. The types of data listed above should be available; however, some of them can be empty or absent.
Physical acquisition acquires the following parts of memory from the phone:

Flex
  Notes: The mobile's OS.

User Data space
  Notes: The amount of memory for any custom user data, such as pictures, ringtones, Java files, etc.

Data is read using the I55 protocol and Direct.

Please note that data stored on the SIM card is not acquired.

A: This may happen because the phone is not charged. Restart the phone, recharge it, and try again.
Nokia drivers for new Nokia phone models (Nokia N97, Nokia 6700, etc.) and older ones are included in the Driver Pack.

LOGICAL ACQUISITION

Logical acquisition acquires the following data using the FBUS protocol:

Phonebook
  Phone: Numbers stored in the phone memory.
  SIM card: Numbers stored on the SIM card.
  Data format: A grid containing the fields General number, Home number, Mobile number, Work number, Fax number, Email 1, URL, Caller Group ID, Caller Group Name, Caller Group Logo, Postal, Note, Date, and Ringtone ID.

SMS
  Data format: A grid containing the fields Text, Picture, Type, State, Memory type, Format, Validity period, Recipient name, Response/Reception date, Default Recipient name, SMS Centre number, SMS Centre name, and Reply.

Call logs (Missed Calls, Received Calls, Dialed, Unknown)
  Data format: A grid containing the fields Name, No., and Date/Time.

Calendar (Birthday, Reminder)
  Data format: A grid containing the fields Alarm date, Recurrence, Text, Location, and Phone.

ToDo List
  Data format: A grid containing the fields Complete Status, Private, Category, Contact ID, and Phone.

Logos

WAP bookmarks
  Data format: A grid containing the fields Title and URL.

Profiles
  Data format: A grid containing the fields Format, Validity, and Name.

Access points
  Data format: A grid containing the fields Default number, Number, Active, Name, and URL.

Chat Settings

MMS Settings

SyncML Settings

FM Station

File System (Java files, Multimedia, Sounds, Other files)
  Notes: The amount of acquired data depends on the model of the phone and its state.
  Data format: Binary nodes.
PHYSICAL ACQUISITION

Physical acquisition acquires EEPROM memory using the FBUS protocol. The following data will be parsed:

Phonebook
  Possible fields: Name, Fax Number, Note, Email, URL, Post Address, Caller Group ID

SMS
  Possible fields: Message type, SMS text

Call logs
  Possible fields: Call Date

Calendar

The following phone properties stored in the EEPROM are parsed and shown in the Properties viewer:
- Serial Number
- Product code
- Basic product code
- Module code
- Hardware version
- Security Code
- ICC-ID

- Name
- General
- Location
Note: Physical acquisition is performed via the CDMA Devices Physical plug-in.

Phone Book
  Contacts
    Comments: Numbers stored in the phone memory.
    Data format: A grid containing the fields Name, Phone number 1, Phone number 2, Phone number 3, Phone number 4, Phone number 5, Speed dial number, Email, URL, Caller Group ID, Date/Time, Number Label, Secrecy, and Memory Type.

Calendar
  Comments: Tasks for the day.
  Data format: A grid containing the fields Text, Start date/time, Finish date/time, Creation date/time, and Alarm.

SMS History

File System
  Java files

Call History
  Comments: Calls made from the device.
  Data format: A grid containing the fields Name, Mobile Number, Date/Time, and Call Type.

Notes

ToDo History
  Comments: Information from the ToDo list.
  Data format: A grid containing the fields Text, Due Date/Time, Alarm Date/Time, and Priority.

The amount of acquired data depends on the model and state of the phone. The types of data listed above should be available; however, some of them can be empty or absent.
A: Try downloading and installing the Kies application. It contains all necessary drivers for
Samsung devices:
http://www.samsung.com/in/support/usefulsoftware/KIES/JSP#versionInfo.
Q: When recovering audio from a Samsung CDMA phone, there are files that are
unplayable with various types of media players after exporting. What do I do?
A: Samsung CDMA devices store *.wav files in their internal QCP format. For playing such wav
files, you should use QUALCOMM’s PureVoice Player.
It is strongly recommended that you enter the PIN code on your device before starting an
acquisition. Otherwise, some data (SMS, Calendar, Call Logs, and Phone Book) from the device
might not be acquired.
Data acquisition is performed using the standard process. Before acquisition, turn off the
phone, remove the battery, and insert it back again. After that, connect the phone to the
computer with the cable.
When the phone is connecting to the computer (the Connection page appears), press the
Power button on your cell phone for 1-2 seconds. This activates the connection to the phone.
Be careful that the phone does not turn on. If it turns on, you should disconnect it and start
the acquisition procedure from the beginning (this can be tricky and may require many
attempts). Then click the Next button on the Complete Acquisition window.
Data acquisition is performed using the standard process. Before the acquisition, turn off the
phone, remove the battery, and insert it back again. After that, connect the phone to the
computer with the cable. Turn on the phone and wait until it loads to the desktop or to the
Enter Your PIN screen. If it is a flip-phone, it should remain closed.
Phone Book
  Phone: Numbers stored in the phone memory.
  SIM card: Numbers stored in the SIM card.
  Data format: A grid containing the fields Name, General number, Home number, Mobile number, Work number, Fax number, Email 1, URL, Caller Group ID, Caller Group Name, Caller Group Logo, Postal, Note, Date, and Ringtone ID.

Calendar
  Scheduler
  Data format: A grid containing the fields Start date, End date, Alarm date, Silent alarm date, Recurrence, Text, Location, and Phone.

SMS History (Inbox, Outbox)
  Data format: A grid containing the fields Text, State, Memory type, Sender/Recipient name, Response/Reception number, Response/Reception date, and SMS Centre number.

File System (Java files, Other files)

The amount of acquired data depends on the model and state of the phone. The types of data listed above should be present; however, some of them can be empty or absent.
Generally, all data is acquired by the AT protocol. The OBEX protocol is used for some models.
VLSI

CONEXANT
The program acquires only EEPROM from Conexant generation phones and the file system from Conexant 2 generation phones.

SYSOL
The program acquires three types of data: RAM, EEPROM, and NAND.

AGERE
The program acquires only EEPROM (with PIN code extraction) and the flash file system.
A: Try downloading and installing the Kies application. It contains all necessary drivers for
Samsung devices:
http://www.samsung.com/in/support/usefulsoftware/KIES/JSP#versionInfo.
Q: I can't acquire the SMS, Calendar, Call Logs and Phonebook from this device. Why?
A: Some Samsung phones don't allow you to acquire these features until the PIN code is
entered.
Q: The acquisition has finished but the phone won't turn back on. What happened?
A: This happens because it takes time for the phone to switch off from the service mode. Try
pressing the power button for varying lengths of time. If the phone still doesn't turn on (some
firmware versions don't have a software reset), you should disconnect and then reconnect the
battery and try again.
A: This happens when the buffers are filled with trash data. In this case, turn the phone off and
then on or, if this does not help, disconnect and reconnect the battery.
Note: Physical acquisition is performed via the CDMA Devices Physical plug-in.

Phone Book
  Notes: Numbers stored in the phone memory.
  Data format: A grid containing the fields Name, Numbers 1-7, Email 1-2, URL, Address, Memo, and Secret.

SMS history
  Notes: Incoming and outgoing SMS.
  Data format: A grid containing the fields Phone number, Callback, Date, Priority, Status, and Message.

File System
  Notes: User data and system files.
  Data format: Files in binary format.
Before acquisition, turn off the phone, remove the battery, and insert it back again. After that,
connect the phone to the computer with the cable.
Please note that physical acquisition of Siemens devices can only be performed via manual
plug-in selection and you need to define the exact model of the phone.
When the phone is connecting to the computer, the Information screen appears. Press the Power button of your mobile phone for 1-2 seconds. This activates the connection to the phone. Make sure the phone stays turned off. If it turns on, disconnect it and restart the acquisition process.
Phone Book

SMS History (Inbox, Outbox)
  Data format: A grid containing the fields Text, State (Sent or Read), Memory type (Phone or SIM card), Sender/Recipient number, Response/Reception Date, and SMS centre number.
  Protocol: AT protocol.

Call logs (Missed calls, Received calls, Dialed numbers, Last dialing numbers)
  Notes: Last dialed numbers from the SIM card and phone memory.
  Data format: A grid containing the fields ID, Name, Mobile number, and Date/time.
  Protocol: AT protocol.

File System
  Java files

Calendar
  To Do List
    Data format: A grid containing the fields Due date, Complete status, Completed, Start date, Text, Priority, Category, Contact ID, and Phone.
    Protocol: OBEX protocol.

Phone
  Notes: Numbers stored in the phone's memory, with more detailed information.
  Data format: A grid containing the fields Name, Mobile number, Home number, Work number, E-mail, Address, Group, Organization, and Birthday.
  Protocol: OBEX protocol.

Usually the amount of acquired data depends on the model and state of the phone. The types of data listed above should be present, but sometimes some of it can be empty. Some old models of phones do not support the standard version of the OBEX protocol. Data read by the OBEX protocol in these phones cannot be acquired.
Physical acquisition acquires data stored in the memory of the mobile phone. After acquisition, it is automatically parsed and represented as a set of binary nodes. Even the information usually represented as a grid (Phonebook, SMS, etc.) is acquired in the form of binary files.

- Phone book
- SMS History (Inbox, Outbox)
- Java Files
- Multimedia Files
- User Settings
- Other Files Stored in the Memory

The amount of acquired information depends on the model of the phone and its state.

Siemens FAQ
Q: The filesystem cannot be read although previously data was read without errors. Why?
A: In some models of Siemens phones (A56i, C56, etc.), after the acquisition of the Calendar, the file system cannot be read. In this case, turn off the device and then turn it back on. After this, the file system can be acquired.
Phone
  Notes: Numbers stored in the phone's memory and on the SIM card.
  Data format: A grid containing the fields Name, Mobile Number, Home Number, Work Number, E-mail, URL, Group, Organization, Birthday, and Address.
  Protocol: OBEX protocol (if it is supported) or AT protocol.

SMS (Inbox, Outbox)
  Data format: A grid containing the fields Text, State (Sent or Read), Memory Type (Phone or SIM card), Sender/Recipient Number, Response/Reception Date, and SMS Center Number.
  Protocol: AT protocol.

Call Logs (Received Calls, Dialed Numbers, Last Dialed Numbers)
  Notes: Last dialed numbers from the SIM card and phone memory.
  Data format: A grid containing the fields ID, Name, Mobile Number, and Date/Time.
  Protocol: AT protocol.

File System (Java Files, Multimedia, Sounds, Other Files)
  Notes: The amount of data acquired depends on the model of the phone and its state.
  Data format: Binary nodes.
  Protocol: OBEX protocol.

Calendar

Usually the amount of acquired data depends on the model and state of the phone. Parts of the data listed above should be available, but sometimes some of them can be absent.
Some old models of phones do not support the standard version of the OBEX protocol. Data read by the OBEX protocol from these phones cannot be acquired.
Phonebook
  Data format: A grid containing the fields Mobile number, Name, Mobile number 2, Work number, Home number, Country, E-mail, E-mail 2, Fax number, Postcode, State, and Street.

File System
  Notes: User data and system files.
  Data format: Files in binary format.
If the card is locked by a PIN code, you will be asked to enter it before acquisition starts.

Note: You only have 3 attempts to enter the PIN code. After that, the PUK code will be requested. After you enter the right PUK, the SIM card PIN will be reset to 0000. The attempt counters live on the card itself: every wrong PIN consumes one of the three attempts, and ten wrong PUK entries block the card permanently, so obtain the PUK from the carrier or the subscriber's documentation rather than guessing it.

Data like SMS and phone numbers (Abbreviated Dialing Numbers and Service Dialing Numbers) is acquired in two formats: parsed and unparsed.

Parsed data is represented as grids showing information in a way suitable for analysis. Each SMS message is shown in a separate grid which includes all information about the message.
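The parsed and unparsed forms of an Abbreviated Dialing Number are two views of the same fixed-size record in EF_ADN (3GPP TS 51.011, clause 10.5.1): an alpha identifier padded with 0xFF, a one-byte length, a TON/NPI byte, a swapped-nibble BCD number and two link bytes. The following is an added example, not EnCase code, that decodes such records and keeps the raw hex beside the parsed fields so both can be shown. The records are constructed, the alpha-identifier length of 14 is chosen for the sample (real cards declare it in the file's record length), and only the 0x80 form of UCS2 names is decoded. A vendor-specific marker stored in the last alpha-identifier byte (the Siemens group behaviour described in the SIM FAQ below) will appear as a stray trailing character, or as "?" if the byte is above 0x7F.

```python
"""Decode GSM SIM EF_ADN (Abbreviated Dialling Numbers) records into parsed
name/number fields while keeping the unparsed hex.  Added example, not EnCase
code; the records below are constructed, not read from a real card."""

# GSM 03.38 default alphabet, positions 0x00-0x7F (0x1B is the escape byte).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
BCD_DIGITS = "0123456789*#abc"          # nibble 0xF is filler, never a digit
TON_NAMES = {0: "unknown", 1: "international", 2: "national", 3: "network specific",
             4: "subscriber", 5: "alphanumeric", 6: "abbreviated", 7: "reserved"}


def decode_alpha_id(raw: bytes) -> str:
    """Alpha identifier: GSM 7-bit default alphabet, or UCS2 when the first byte
    is 0x80.  0x81/0x82 (compressed UCS2) are reported as hex, not decoded."""
    raw = raw.rstrip(b"\xff")
    if not raw:
        return ""
    if raw[0] == 0x80:
        return raw[1:].decode("utf-16-be", errors="replace").rstrip("\uffff")
    if raw[0] in (0x81, 0x82):
        return f"<UCS2 coding 0x{raw[0]:02x}: {raw.hex()}>"
    return "".join(GSM7_BASIC[b] if b < 0x80 else "?" for b in raw)


def decode_bcd_number(raw: bytes) -> str:
    """Swapped-nibble BCD: the low nibble is the earlier digit, 0xF pads the tail."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            digits.append(BCD_DIGITS[nibble])
    return "".join(digits)


def parse_adn_record(record: bytes, alpha_len: int) -> dict:
    """One EF_ADN record of alpha_len + 14 bytes.  An all-0xFF record is unused."""
    if len(record) != alpha_len + 14:
        raise ValueError(f"record is {len(record)} bytes, expected {alpha_len + 14}")
    out = {"raw_hex": record.hex(), "used": False}
    if record == b"\xff" * len(record):
        return out
    number_len = record[alpha_len]           # bytes used by TON/NPI + BCD number
    if number_len == 0xFF or number_len > 11:
        raise ValueError(f"bad BCD length byte 0x{number_len:02x}")
    ton_npi = record[alpha_len + 1]
    bcd = record[alpha_len + 2: alpha_len + 12]
    number = decode_bcd_number(bcd[: max(number_len - 1, 0)])
    ton = (ton_npi >> 4) & 0x07
    if ton == 1:                             # international: present with leading '+'
        number = "+" + number
    out.update({
        "used": True,
        "name": decode_alpha_id(record[:alpha_len]),
        "number": number,
        "ton": TON_NAMES[ton],
        "npi": ton_npi & 0x0F,
        "ccp_id": record[alpha_len + 12],    # capability/configuration pointer
        "ext1_id": record[alpha_len + 13],   # EF_EXT1 record for long numbers
    })
    return out


def parse_adn_file(data: bytes, alpha_len: int) -> list:
    """Split a linear-fixed EF_ADN body into numbered records."""
    rec_len = alpha_len + 14
    if len(data) % rec_len:
        raise ValueError("EF_ADN body is not a whole number of records")
    return [dict(index=i + 1, **parse_adn_record(data[i * rec_len:(i + 1) * rec_len], alpha_len))
            for i in range(len(data) // rec_len)]


# Constructed EF_ADN, alpha_len = 14 (record length 28): "Alice" with an
# international number, "Bob #2" with a short code, and one unused record.
SAMPLE_EF_ADN = bytes.fromhex(
    "416c696365" + "ff" * 9 + "07" + "91" + "442143658709" + "ff" * 4 + "ff" + "ff"
    + "426f62202332" + "ff" * 8 + "03" + "81" + "21f3" + "ff" * 8 + "ff" + "ff"
    + "ff" * 28
)

if __name__ == "__main__":
    for rec in parse_adn_file(SAMPLE_EF_ADN, 14):
        print(rec)
```

Keeping raw_hex next to the parsed fields is what lets an examiner explain an odd name or number from the bytes themselves instead of from the tool's interpretation of them.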
- CPBCCH Information
- De-personalization Control Keys
- Emergency Call Codes
- Enhanced Multi-Level Preemption and Priority
- Extended Capability configuration parameters
- Extended Language preference
- Voice Broadcast Service Status
- Voice Broadcast Service
- Voice Group Call Service Status
- Voice Group Call Service
Most of the data listed above can be found in the file system folder in a parsed format.
Note: Usually the amount of acquired data depends on the model and state of the
phone.
For more information about data stored on the SIM card and abbreviation explanations, see
International Journal of Digital Evidence.
Besides the data listed above, the system and provider-specific data which wasn’t included in
any specification, if found on the device, will be acquired from GSM SIM and CDMA RUIM
cards.
Note: There may be problems acquiring some SIM cards with mass storage SIM card
reader when running Windows 7 or later.
- Make sure your SIM card reader is supported, connected to your PC, and is not damaged.
- Thoroughly read the instructions on how acquisition should be performed.
Q: After acquiring information from the SIM card from a Siemens phone, I see the last
symbol in the names in the phone book is invalid. Why?
A: Siemens phones save the name of the group to which the number belongs in the last
character. That's why it cannot be parsed.
A: Yes. You can enter an invalid PIN code 3 times and then enter the right PUK. After that, the
PIN code will be reset to 0000.
Q: I cannot acquire a SIM card on Windows 8/10, although everything worked fine on
Windows 7. Is there a way to fix this?
A: By default, the latest available driver for SIM card readers is automatically installed on
Windows 8/10. You can try selecting an older driver.
This process is repeatable with multiple devices and is considered forensically sound. In each
section, the details of the process can be found. The methods used by the program are
designed to write the minimal amount of data to the device to allow for a forensically stable
data acquisition.
A: Check that your card reader is supported, connected to your PC, and is not damaged.
Q: There are a number of empty folders acquired from the device. What are they?
A: A folder acquired from the device may be empty in the following cases:
Q: What is the difference between acquiring a device with its native plug-in and the Portable Device plug-in?
A: The Portable Device plug-in is guaranteed to acquire only the user media content from the device. Generally, a native plug-in acquires more data. For example, many devices store media files, such as music and photos, within the area of the device that can be mounted as media for acquisition, while the user data is stored in other areas that are only accessible through acquisition with the native plug-in.
A: If you have a portable device, after connecting it to your computer it will be displayed under
the Portable Devices group in Computer (This PC in Windows 8 and 10).
Q: The device is not auto-detected as Portable Device, but can be acquired manually
through the Portable Device (logical) plug-in. Why?
CHAPTER 14 Acquiring Mobile Data 647
A: Not all devices with enabled MTP mode can be auto-detected as Portable Device. Please
enable the PTP mode on the device to acquire it through the auto-detection. Note that some
devices do not have the PTP mode option. In this case, you can acquire such devices with
enabled MTP mode manually through the Portable Device (logical) plug-in.
Note: It can take a long time to acquire data from high capacity mass storage
devices.
Importing Data
Importing is the process of adding data received by other programs to the case.
2. Complete the fields and select the output folder in the Output File Settings dialog and
click OK.
3. The Import Wizard opens. Select Cellebrite XML Report and click Next.
4. Click Browse and browse to the .xml file to be imported. Click Finish.
5. The data importing starts and a new Import stored mobile data task is added to the
Tasks pane, where you can view its general progress.
The progress is also displayed on the Importing File Process page of the Import wizard.
6. If the importing process finishes correctly, you will see the last page of the Import wizard.
Click Finish.
7. Data is imported to the case.
Encrypted data can be imported from iOS 13.x devices if you have the encryption key.
EnCase Mobile Investigator allows you to parse the following data from iPhone backups:
Data Type                                   | Parsed Data                  | Parsed Recovered Data
Address Book Images                         | Yes                          | No
Calendar                                    | Yes                          | Yes
Call History                                | Yes                          | Yes
Cell Locations                              | Yes                          | Yes
Contacts                                    | Yes                          | Yes
Contact Properties                          | No                           | Yes
Cookies                                     | Yes                          | No
Dynamic Text                                | Yes                          | No
Mac Address                                 | Yes                          | No
Mail Accounts                               | Yes                          | No
Maps Bookmarks                              | Yes                          | No
Maps Directions                             | Yes                          | No
Maps History                                | Yes                          | No
Notes                                       | Yes                          | Yes
Keychain Data (passwords and account info)  | Yes (encrypted backups only) | No
Safari History                              | Yes                          | No
Safari Bookmarks                            | Yes                          | No
Voicemail                                   | Yes                          | No
WiFi Locations                              | Yes                          | Yes
YouTube Bookmarks                           | Yes                          | No
Device Properties                           |                              |
Last three SIM cards on the device          | Yes                          | N/A
(devices with 7.x and higher only)          |                              |
In addition, encrypted iOS backups include extracted authentication data, which can be used
to import data from cloud-based services.
650 EnCase Forensic User Guide Version 20.2
To import data:
2. Complete the fields and select the output folder in the Output File Settings dialog and
click OK.
3. The Import Wizard opens. Select iPhone Backup and click Next.
4. Click Browse and browse to the file to be imported. Click Finish.
Note: To import iPhone files, load the Manifest.plist file to make sure you have all
the supporting files in the backup folder intact. If you load an *.mdbackup file for
iPhones, you will not need any supporting files.
5. If the backup file is encrypted, you will be asked to enter a password. Enter a password
and click Next.
6. The data importing starts and a new Import stored mobile data task is added to the
Tasks pane, where you can view its general progress.
The progress is also displayed on the Importing File Process page of the Import wizard.
7. If the importing process finishes correctly, you will see the last page of the Import wizard.
Click Finish.
8. Data is imported to the case.
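Before pointing the Import wizard at a backup folder, it is worth knowing whether the Manifest.plist is present, whether the backup is encrypted (so that the password prompt in step 5 is expected) and whether the supporting files are still beside it. The following Python script is an added example, not part of the guide or of EnCase; it assumes that Manifest.plist carries an IsEncrypted flag and a Lockdown dictionary with DeviceName and ProductVersion, and it treats Status.plist and Manifest.db as the supporting files to look for. The backup folder it builds is a throwaway fake containing no device data.

```python
import plistlib
import tempfile
from pathlib import Path

# Hypothetical supporting-file set for the demo. The guide names only Manifest.plist and
# *.mdbackup; Status.plist and Manifest.db are assumed here as files a backup folder carries.
SUPPORTING_FILES = ("Status.plist", "Manifest.db")


def read_manifest(backup_dir):
    """Return the parsed Manifest.plist, or None if the folder has no Manifest.plist."""
    path = Path(backup_dir) / "Manifest.plist"
    if not path.is_file():
        return None
    with path.open("rb") as fh:
        return plistlib.load(fh)


def summarize_backup(backup_dir):
    """Facts to know before running the Import wizard: is the backup encrypted (a password
    will be requested), which device and iOS version it came from, and whether the
    supporting files are still next to Manifest.plist."""
    manifest = read_manifest(backup_dir)
    if manifest is None:
        return {"manifest_present": False}
    # Assumption: 'IsEncrypted' and the 'Lockdown' dictionary are the keys written into
    # Manifest.plist by the backup software.
    lockdown = manifest.get("Lockdown", {})
    missing = [f for f in SUPPORTING_FILES if not (Path(backup_dir) / f).is_file()]
    return {
        "manifest_present": True,
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "device_name": lockdown.get("DeviceName"),
        "ios_version": lockdown.get("ProductVersion"),
        "missing_supporting_files": missing,
    }


def make_sample_backup(encrypted=True, complete=True):
    """Construct a throwaway fake backup folder (no real device data) for demonstration.
    Returns the folder path; the caller is responsible for cleanup."""
    root = Path(tempfile.mkdtemp(prefix="fake_ios_backup_"))
    manifest = {
        "IsEncrypted": encrypted,
        "Version": "10.0",
        "Lockdown": {"DeviceName": "Examiner test iPhone", "ProductVersion": "13.3"},
    }
    with (root / "Manifest.plist").open("wb") as fh:
        plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    if complete:
        for name in SUPPORTING_FILES:
            (root / name).write_bytes(b"")
    return root


if __name__ == "__main__":
    # An encrypted backup missing its supporting files: the wizard would prompt for a
    # password, and the missing files would be noticed before the import is started.
    folder = make_sample_backup(encrypted=True, complete=False)
    print(summarize_backup(folder))
```

Running the script prints the summary for the fake folder; pointing summarize_backup at a real backup folder gives the same fields for that backup.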
To import data:
2. Complete the fields and select the output folder in the Output File Settings dialog and
click OK.
3. The Import Wizard opens. Select RIM Blackberry Backup and click Next.
4. Click Browse and browse to the file to be imported. Click Finish.
Note: To import BlackBerry backup files, load the backup file with the *.ipd
extension to make sure you have all supporting files in the backup folder intact.
5. If the backup file is encrypted, you will be asked to enter a password. Enter a password
and click Next.
6. The data importing starts and a new Import stored mobile data task is added to the
Tasks pane, where you can view its general progress.
The progress is also displayed on the Importing File Process page of the Import wizard.
7. If the importing process finishes correctly, you will see the last page of the Import wizard.
Click Finish.
8. Data is imported to the case.
Note: A BlackBerry 10 backup may be incomplete. To make sure all data from the
device is present in a backup, make a complete backup of the device if you have
access to it.
EnCase Mobile Investigator parses the following types of data from RIM BlackBerry 10 backup
data:
• Calendar
• Contacts
• Call Logs
• SMS
• Notes
• BlackBerry Messenger
• Evernote
• Skype
• WeChat
• WhatsApp
To import data:
o Select Add Evidence > Acquire Mobile > Acquire from File from the top toolbar.
2. Complete the fields and select the output folder in the Output File Settings dialog and
click OK.
3. The Import Wizard opens. Select RIM Blackberry Backup and click Next.
4. Click Browse and browse to the file to be imported. Click Finish.
5. You will be asked to enter a password. Enter a password and click Next.
Note: An active Internet connection is required to obtain a decryption key from
the RIM BlackBerry server after you enter the password.
6. The data importing starts and a new Import stored mobile data task is added to the
Tasks pane, where you can view its general progress.
The progress is also displayed on the Importing File Process page of the Import wizard.
Note: When importing BlackBerry 10 encrypted backup, EnCase
Mobile Investigator performs the backup decryption procedure that requires at
least 3 times more space on the system disk than the size of the backup.
7. If the importing process finishes correctly, you will see the last page of the Import wizard.
Click Finish.
8. Data is imported to the case.
2. Complete the fields and select the output folder in the Output File Settings dialog and
click OK.
3. The Import wizard opens. Select the GPS and KML Map and click Next.
4. Click Browse and browse to the file to be imported. Click Finish.
5. The data importing starts and a new Import stored mobile data task is added to the
Tasks pane, where you can view its general progress.
The progress is also displayed on the Importing File Process page of the Import wizard.
6. If the importing process finishes correctly, you will see the last page of the Import wizard.
Click Finish.
7. Double-click a *.gps or *.kml file in the Data View pane (it is placed as a subnode of the
device node).
8. In the Data View pane, the Open Street Viewer opens. The information received from the
device is displayed in a tree-view structure on the right side of the pane.
9. Select the location (waypoint, route, etc.) in the tree view to navigate to it in the Open
Street Viewer.
Evidence screen.
o Select Add Evidence > Acquire Mobile > Acquire from File from the top toolbar.
2. Complete the fields and select the output folder in the Output File Settings dialog and
click OK.
3. The Import wizard opens. Select GrayKey Case and then click Next.
4. Click Browse and navigate to the file to be imported. Click Finish.
5. The data import process starts and a new Import stored mobile data task is added to the
Tasks pane, where you can view its general progress.
The progress is also displayed on the Importing File Process page of the Import wizard.
6. If import finishes correctly, you will see the last page of the Import wizard. Click Finish.
To use this option, you have to receive two files from the GSM provider (this information
cannot be acquired from the device; it can only be received from the provider):
• Tower location file. Data should have the following format in a *.csv file: LAC, CID, Site,
Switch, Latitude, Longitude, ACG, Sector, and Orientation.
• The list of the towers via which the calls from the investigated phone were performed.
Data should have the following format in a *.csv file: Switch, Date, Time, Duration,
Inbound / Outbound, Customer Number, Tower Name, and Tower Number.
Note: *.csv files with data in other formats are not supported in the current version
of EnCase Mobile Investigator. Data headers are not case-sensitive.
If you have issues importing tower information files, double-check the spelling of the headers
and make sure there are no misprints in them.
group; and then, in the Add New Evidence window, select Mobile Data Import in
the Mobile Data category and click OK.
2. The Import wizard opens. Select the Tower Information and click Next.
3. Click Browse for the Towers box and navigate to the file with the information about tower
locations.
4. Click Browse for the Calls box and navigate to the file with the information about phone
calls.
5. After the phone call file is selected, the Import phone calls settings group of options
appears. Select the Date format of imported data from the drop-down list, and then
select the period for which phone calls are to be imported in the Import phone calls from
and Import phone calls to boxes. Click Finish.
Note: If the selected date format does not correspond to the date format of the
selected files, data may be imported but will be displayed incorrectly.
6. The data importing starts and a new Import stored mobile data task is added to the
Tasks pane, where you can view its general progress.
The progress is also displayed on the Importing File Process page of the Import wizard.
7. If the importing process finishes correctly, you will see the last page of the Import wizard.
Click Finish.
8. After the importing finishes, navigate to a GPS file under the acquired device node and
double-click it to view its data on Open Street maps.
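The two provider file formats described above, handled in an added Python example that is not part of the guide or of EnCase: it checks the header row the way the note describes (case-insensitively, reporting misprints by name), applies the wizard's date format and import period so that a mismatched date format shows up as unparsable rows instead of wrongly displayed dates, and attaches tower coordinates to each call. The sample files are constructed, and the assumption that a call's Tower Number matches the tower file's CID on the same Switch is the example's, not the guide's.

```python
import csv
import io
from datetime import date, datetime

# Header sets exactly as the guide lists them for the two provider files.
TOWER_HEADERS = ["LAC", "CID", "Site", "Switch", "Latitude", "Longitude",
                 "ACG", "Sector", "Orientation"]
CALL_HEADERS = ["Switch", "Date", "Time", "Duration", "Inbound / Outbound",
                "Customer Number", "Tower Name", "Tower Number"]

# Constructed sample files; coordinates, numbers and identifiers are invented.
TOWER_CSV = """LAC,CID,Site,Switch,Latitude,Longitude,ACG,Sector,Orientation
101,2001,Site A,SW1,51.5007,-0.1246,1,1,0
101,2002,Site B,SW1,51.5033,-0.1195,1,2,120
"""
CALLS_CSV = """Switch,Date,Time,Duration,Inbound / Outbound,Customer Number,Tower Name,Tower Number
SW1,2020-03-01,09:15:00,120,Outbound,+15550100,Site A,2001
SW1,2020-03-01,18:40:10,45,Inbound,+15550100,Site B,2002
SW1,2020-03-05,08:00:00,30,Outbound,+15550100,Site Z,2999
"""
# The same tower file with one misprinted header, the error the note warns about.
MISPRINTED_TOWER_CSV = TOWER_CSV.replace("Longitude", "Longtitude")


def check_headers(csv_text, expected):
    """Compare the header row with the expected names, case-insensitively.
    Returns (missing, unexpected); both empty means the header row is acceptable."""
    reader = csv.reader(io.StringIO(csv_text))
    actual = [h.strip() for h in next(reader, [])]
    have = {h.casefold() for h in actual}
    want = {h.casefold() for h in expected}
    missing = [h for h in expected if h.casefold() not in have]
    unexpected = [h for h in actual if h.casefold() not in want]
    return missing, unexpected


def load_rows(csv_text):
    """Read the data rows as dicts keyed by the casefolded header name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k.strip().casefold(): (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def calls_in_period(calls, date_format, period_from, period_to):
    """Apply the wizard's date format and import period (ISO dates, YYYY-MM-DD).
    Returns (kept, unparsable): rows whose Date+Time do not match date_format are
    reported rather than imported with a misread date."""
    start, end = date.fromisoformat(period_from), date.fromisoformat(period_to)
    kept, unparsable = [], []
    for call in calls:
        try:
            stamp = datetime.strptime(f"{call['date']} {call['time']}", date_format)
        except ValueError:
            unparsable.append(call)
            continue
        if start <= stamp.date() <= end:
            kept.append(call)
    return kept, unparsable


def join_calls_to_towers(calls, towers):
    """Attach tower coordinates to each call. Assumption for this demo: the call file's
    Tower Number is the tower file's CID on the same Switch; unknown towers get None."""
    index = {(t["switch"].casefold(), t["cid"]): t for t in towers}
    located = []
    for call in calls:
        tower = index.get((call["switch"].casefold(), call["tower number"]))
        located.append({**call,
                        "latitude": tower["latitude"] if tower else None,
                        "longitude": tower["longitude"] if tower else None})
    return located


if __name__ == "__main__":
    print(check_headers(MISPRINTED_TOWER_CSV, TOWER_HEADERS))
    kept, bad = calls_in_period(load_rows(CALLS_CSV), "%Y-%m-%d %H:%M:%S",
                                "2020-03-01", "2020-03-02")
    for row in join_calls_to_towers(kept, load_rows(TOWER_CSV)):
        print(row["time"], row["tower name"], row["latitude"], row["longitude"])
```

With the correct date format the first two calls fall inside the period and are located; with a day-first format such as "%d/%m/%Y %H:%M:%S" every row is returned as unparsable, which is the condition the note about mismatched date formats describes.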
Using the Cloud Data Import wizard, you can obtain data from online services, such as:
• Facebook
• Gmail
• Google Drive
• Google Locations
• iCloud Backup
• Twitter
• Amazon Alexa
Note: Java SE Development Kit 11 is required to import data from iCloud.
Note: The current version of the application allows you to start multiple import
tasks simultaneously.
• When you perform a logical acquisition of an Android OS device (devices already rooted
or rootable by EnCase Forensic).
• When you import an encrypted iTunes backup (from devices with iOS 7.x and later).
After acquisition/importing, you will find the authentication data file in the Authentication
Data folder in the device/backup root folder. The file name contains the name of the device
from which it was extracted and the time of extraction.
This file is used to obtain data from the corresponding cloud-based service accounts via the
Cloud Data Import wizard.
In the current version of EnCase Forensic, authentication data for the following services is
extracted:
• Amazon Alexa
• Facebook
• Gmail
• Google Drive
• Google Locations
• Twitter
Note: For iOS backups, Gmail and Google Drive authentication data can be
extracted only if the user logged in to these services via a mobile browser.
• Using an authentication data file extracted from logically acquired Android OS data or from
imported encrypted iTunes backups
• By manually entering credentials from the user's account
Note: User credentials for cloud-based services can sometimes be found in parsed
iOS keychains (primarily in the General Password Data and Web-form Passwords
grids).
1. If you have an authentication data file in your case, export it to your computer.
2. Do one of the following:
o Click Add Evidence on the Welcome screen, select Acquire from Cloud in the
Acquire Smartphone category, and click OK.
o In the top navigation bar, click Add Evidence > Acquire Mobile > Acquire from
Cloud.
3. The Output File Settings window appears. Fill out the information on both tabs and click
OK.
4. The Cloud Data Import Wizard opens and the Accounts and Sources page is displayed.
5. If necessary, in the Cloud investigation name field, define the name under which imported
data will appear in the case.
7. Select the checkboxes of the accounts from which you want to import data and click
Authenticate.
8. The authentication of the selected accounts starts and its progress is displayed on the
Authentication Process page.
Note: During authentication, account credentials and tokens are sent directly to
the corresponding authentication servers and are not saved anywhere.
12. The cloud data importing starts and a new Import data from cloud task is added to the
Tasks pane, where you can view its general progress.
13. The progress is also displayed on the Importing Progress page of the Cloud Data Import
Wizard.
14. After the importing finishes, click Finish.
Service Name / Imported Data / Additional Information

Amazon Alexa
Imported data: User name, User ID, User email, Recording time, Summary, Audio, Device type
Additional information:
• User name is the user's first and last name.
• User ID is the user's username for Amazon.
• User email is the email address associated with the user's Amazon account.
• Recording time is the date and time of recorded voice activity. The format is YYYY-MM-DD
HH:MM:SS.
• Summary is Alexa's interpretation of the voice activity.
• Audio is the audio file for the voice activity.
• Device type is the type of Alexa device that has been synched with Amazon. For example, the
Amazon Echo and Echo Dot are both Alexa devices.

Facebook
Imported data: Profile Information, Friends, News Feed, Notifications, Conversations, Photo
Albums (including actual pictures)
Additional information: Facebook contains photos and message attachments. Depending on the
number and the size of attachments, importing may take some time.

Gmail
Imported data: Inbox, Sent Mail, Draft, Trash, Spam, Chats
Additional information: Gmail messages include email attachments. Depending on the number
and size of attachments, importing may take some time.

Google Drive
Imported data: User storage files, Files shared with a user
Additional information: During importing, all files from selected folders are downloaded. This
may take a while.

Google Locations
Imported data: Saved Places, Timeline

Twitter
Imported data: Profile Information, Conversations, Posted Tweets
A: It depends on the type of the service. Token lifespan may be unlimited or may be just half
an hour.
A: No, the passwords are stored in an encrypted format and cannot be viewed.
A: Some devices require special actions to be performed so that the device is detected. Start
the acquisition wizard or see the FAQ for the corresponding device for more information.
Additionally, some devices, like Psion 16/32-bit devices, cannot be automatically detected and
must be acquired via manual plug-in selection (see the description of data acquisition process
for the corresponding device).
Q: The type of device connection is not shown in the Connections Selection page of the
Acquisition Wizard. Why?
• The PC port is locked by another program (close the programs which may be locking the
port).
• The port of the cell phone is locked. Restart the phone (if this doesn't help, take out the
battery and re-insert it).
• If a USB Connection is not shown, it may be because the drivers of the USB port are not
installed.
• Some devices require special actions to be performed so that the device is detected. Click
the troubleshooting link in the bottom of the Home page of the Acquisition Wizard or see
the FAQ for the corresponding device for more information.
A: The error message contains the description of the error and advice on what to do to solve
the problem.
1. Phone problems:
o Check whether the device is charged.
o Check whether the device is turned on (for logical acquisition) or, in some cases,
turned off (for physical acquisition).
o Read the instructions on how the acquisition for your device should be performed.
1. Disconnect the cable from the computer as well as from the phone and then reconnect it
again.
2. Turn the phone off and on again (reload the phone).
3. Pull out the battery from the phone and insert it back again.
Q: The Data Acquisition Process starts correctly but, in the middle of the acquisition, an
error appears. Why?
• Bugs in the device's operating system. In this case, try reloading your device.
• The phone ran out of power. Charge the phone and try again.
• The connection was broken. Maybe the cable was unplugged accidentally or has a loose
connection.
A: Bugs in the device's operating system may cause this error. Try reloading your device. You
can also try acquiring each type of data separately.
Q: I have X phone from Y manufacturer and I get the message that the phone isn't
supported. Why isn't this particular phone supported yet?
A: There are currently thousands of models of phones out on the market, and new phones are
being introduced every day. It is impossible to support and test every make and model that is
available. We are trying to add support for all the most popular model phones on the market
and are adding more model support every month. If you have a model that isn't currently
supported, please follow these instructions for submitting log files, and we'll work on adding
support for your phone as soon as possible:
1. Once the device is connected properly to your computer, begin the acquisition.
2. After the acquisition finishes (timeout, error, problem), close EnCase Forensic.
3. Browse to the Logs folder (by default, it is C:\Program Files (x86)\Guidance
Software\Mobile Acquisition\logs).
4. In the Logs folder, find the log that corresponds to the manufacturer of the phone you
tried to acquire. For each plug-in, there are two logs present: *.txt and *.dump (for
example, plugin.psion_logical.txt and plugin.psion_logical.dump).
5. Rename the log file to include the model number of the phone. For example,
motorola_log.txt should be renamed to motorola_c331_log.txt.
6. Check the size of the log file to ensure that information from the acquisition was captured.
If the file is a zero byte file, try acquiring the phone again.
7. Once the log file has been renamed, place the file in a .zip archive to ensure that, when
we receive the file, the data is unaltered. Some mail servers alter the data contained in
*.txt files. Sending it in a zip file ensures that this does not happen.
8. Contact OpenText Support.
Q: EnCase Forensic shuts down after the first 10 minutes of acquisition. Why?
A: Chances are that you are running a personal firewall on the same machine that you are
using EnCase Forensic on. The personal firewall will block the communication between your
device and the computer. Disable the firewall and start the acquisition process again. This will
most commonly occur when you work with a Windows Mobile 5 device.
Q: How can I check that the Prolific drivers for my device are installed correctly?
A: If you want to check whether the Prolific drivers were properly installed, do the following:
A: Drivers for most supported types of devices are included in the Mobile Driver Pack, which
you can download from OpenText My Support. If none of the drivers installed from the Mobile
Driver Pack work, try searching the web or contacting our support staff.
Q: Does EnCase Forensic support the acquisition of SIM cards that are located in many
GSM and even some CDMA phones?
A: Yes, EnCase Forensic supports full acquisition of GSM and CDMA SIM cards from all
manufacturers.
Q: I acquired a GSM phone and later on I acquired the same GSM phone and I had more
results the second time around. What is causing this?
A: The first time you performed acquisition, the SIM card in the phone hadn't fully initialized
yet. When you power a phone with a SIM card, it takes anywhere from one to three minutes
for the phone to fully initialize the SIM card. If you perform acquisition before the SIM card is
done initializing, EnCase Forensic won't be able to acquire all the data located on the phone.
The solution to this is to wait one to three minutes before starting your acquisition.
Q: Can EnCase Forensic recover deleted text messages from phones and the SIM card?
A: Yes. EnCase Forensic can recover deleted SMS text messages from SIM cards and phones.
However, as with any deleted data, there is a possibility that some data recovered will be in
fragments and incomplete or that the data has been entirely overwritten. This all depends on
when the message was deleted and what other information had been written to the phone or
SIM card. Deleted data recovery can also depend on whether the plug-in(s) for your device
support deleted data recovery.
Q: Can EnCase Forensic acquire graphics/pictures from cell phones and PDAs?
A: Depending on the make and model of the device, yes. EnCase Forensic can acquire pictures
that are either downloaded or created through the use of the built in camera.
A: For some devices, it is necessary to place a file on the phone to gain access for acquisitions.
To acquire more of the memory, EnCase Forensic has to place a small file in an empty section
of the device memory which is removed after the acquisition. This is well documented in the
report and does not affect any user data.
Q: Why does the file DB_notify_register change when I acquire the device?
A: The file DB_notify_register is being constantly changed by the OS. Simply plugging the
WinCE device into the charging cradle changes it. Windows CE handles two types of
notification events: Timer events and system events. Timer events indicate that a specified
time has arrived such as an appointment or a meeting. System events are triggered when the
device encounters a change such as AC power connection or disconnection. To support these
two types of notification events, the base notification engine maintains two databases: DB_
notify_queue for timer events and DB_notify_register for system events.
A: This situation might occur if an LG feature phone was acquired previously. If so, open the
Device Manager, right-click LG Modem and disable it. After that, restart your PC and launch
the Acquisition Wizard again.
CHAPTER 15
WORKING WITH NON-ENGLISH
LANGUAGES
Overview
This chapter describes how to use EnCase when working with evidence in languages other than
English.
The Unicode standard attempts to provide a unique encoding number for every character
regardless of platform, computer program, or language. Unicode encompasses a number of
encodings. In this document, Unicode refers to UTF-16 (Unicode 16-bit Transformation
Format). Currently more than 100 Unicode code pages are available. Because EnCase
applications support Unicode, investigators can search for and display Unicode characters, and
thus support more languages.
EnCase also supports code pages, which describe character encodings for a particular language
or set of languages that use the same superset of characters. In some cases, it is necessary to
assign a code page to properly display the language. Thus, EnCase supports both Unicode
character sets, which do not require a code page, and legacy character encodings (for example,
ISO Latin, Arabic, and Chinese) that do require a specific code page to display properly. You
need to use a code page in EnCase only when your non-English document contains a set of
these legacy character mappings.
EnCase supports character codes other than 16-bit Unicode for working with non-Unicode,
non-English-language text.
• Changing the default Code Page. See Changing the Default Code Page on the next page.
• Adjusting the date format. See Setting the Date Format on page 669.
• Assigning a Unicode font. See Assigning a Unicode Font on page 669.
• Creating non-English language search terms.
• Bookmarking non-English language text.
• Viewing Unicode files. See Viewing Unicode Files on page 670.
• Viewing Non-Unicode files.
language text, browse through tables and trees in non-English text, etc.
• You can override global settings when viewing content in the Text or Hex tabs of the View
pane. For more information, see Changing Text Styles on page 250.
Global internationalization settings are located in the Options dialog. From the Global tab you
can configure EnCase to display non-English characters in status bars and tabs, dialogs, tables,
data views (including text, hex, transcripts), and in the EnScript script editor.
1. Click Tools > Options. In the Options dialog select the Global tab.
2. Click Change Code Page. The Code Page dialog is displayed.
o Unicode specifies little-endian Unicode. If UTF-7 or UTF-8 is used, select Other, not
Unicode.
o Unicode Big-endian specifies big-endian Unicode.
o Other lets you select a specific code page from the list.
o Select the appropriate option and click OK.
3. Change the font to Arial Unicode MS or another available Unicode font and click OK.
4. Repeat for each interface element that you want to configure.
5. Click OK. The interface elements you selected in the Fonts tab are now configured to display
characters according to the non-English, Unicode character set. See Font Options on page 50
for more information.
To properly display the characters in certain code pages, you should select a Unicode display
font.
Characters that are not supported by the font or code page display as a default character,
typically either a dot or a square. Modify this character when using text styles in the Text and
Hex tabs of the View pane.
By default, EnCase displays characters in ANSI (8-bit) format on the Text and Hex tabs in
Courier New font. Viewing Unicode files requires modifications to both the formatting and the
font. First, the file or document must be identified as Unicode. This is not always
straightforward.
Text files (.txt) containing Unicode usually begin with a Unicode hex signature \xFF\xFE.
However, word processor documents written in Unicode are not so easy to identify. Typically,
word processor applications have signatures specific to the document, making identification of
the file as Unicode more difficult.
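The identification rule above, applied in an added Python example that is not part of the guide or of EnCase: it recognizes the byte-order marks that correspond to the Code Page dialog's Unicode (little-endian UTF-16), Unicode Big-endian and UTF-8 (chosen under Other) options, falls back to a NUL-byte heuristic for UTF-16 text without a mark, and otherwise decodes with a legacy code page, which is where the code page choice decides what the examiner sees. The sample byte strings are constructed; cp1251 and cp1252 are Python codec names, not settings taken from EnCase.

```python
# Byte-order marks, longest first so UTF-32 LE (FF FE 00 00) is not taken for UTF-16 LE
# (FF FE). 'utf-16-le' is what the Code Page dialog calls Unicode, 'utf-16-be' is Unicode
# Big-endian; UTF-8 is selected under Other.
BOMS = [
    (b"\xff\xfe\x00\x00", "utf-32-le"),
    (b"\x00\x00\xfe\xff", "utf-32-be"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
    (b"\xef\xbb\xbf", "utf-8"),
]

# Constructed samples: the same Russian word as a BOM-led UTF-16 LE text file and as a
# BOM-less cp1251 file.
SAMPLE_UTF16_TXT = b"\xff\xfe" + "Привет".encode("utf-16-le")
SAMPLE_CP1251 = "Привет".encode("cp1251")


def sniff_encoding(data):
    """Return (encoding, bom_length) from a leading byte-order mark, or (None, 0)."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return enc, len(bom)
    return None, 0


def looks_like_utf16(data, sample=512):
    """Heuristic for BOM-less UTF-16 holding mostly Latin-script text: one byte of each
    pair is NUL. Returns 'utf-16-le', 'utf-16-be' or None. Scripts whose code points lie
    above U+00FF produce few NUL bytes, so such text is not recognized and the caller
    has to pick an encoding by hand."""
    head = data[:sample]
    pairs = len(head) // 2
    if pairs < 2:
        return None
    high_nul = sum(1 for b in head[1::2] if b == 0) / pairs  # odd offsets: high byte in LE
    low_nul = sum(1 for b in head[0::2] if b == 0) / pairs
    if high_nul > 0.7 and low_nul < 0.1:
        return "utf-16-le"
    if low_nul > 0.7 and high_nul < 0.1:
        return "utf-16-be"
    return None


def decode_like_text_tab(data, code_page="cp1252"):
    """Decode bytes the way an examiner would choose in the Text tab: by BOM when present,
    by the NUL-pattern heuristic next, otherwise with the given legacy code page.
    Bytes the code page does not define become U+FFFD, the role EnCase's replacement
    character plays. Returns (text, encoding_used)."""
    enc, skip = sniff_encoding(data)
    if enc is None:
        enc, skip = looks_like_utf16(data), 0
    if enc:
        return data[skip:].decode(enc, errors="replace"), enc
    return data.decode(code_page, errors="replace"), code_page


if __name__ == "__main__":
    print(decode_like_text_tab(SAMPLE_UTF16_TXT))          # decoded via the FF FE mark
    print(decode_like_text_tab(SAMPLE_CP1251, "cp1251"))   # correct code page
    print(decode_like_text_tab(SAMPLE_CP1251, "cp1252"))   # wrong code page: mojibake
```

The last two calls show the point of the code page setting: the same six bytes read as the intended word under cp1251 and as Latin-1-looking garbage under cp1252, with no error raised either way.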
You can change the code page from either the Text or Hex tabs in the View pane by clicking
Codepage. A list of the most recently used codepages is displayed.
1. To select a new codepage, click Codepages. The Code Pages dialog is displayed.
2. Select the desired Unicode-based text style. See Changing the Default Code Page on
page 668.
3. EnCase updates the text displayed in the Text or Hex tab to reflect the new encoding.
Text Styles
The display of non-English language content is controlled by both the typeface of the content
and the text style applied to the content. A text style applies various font attributes, including:
• Line wrapping
• Line length
• Replacement character
• Reading direction
• Font color
• Class of encoding
• Specific encoding
Text styles are global and can be applied to any case after they are defined. Apply text styles in
the Text and Hex tabs in the View pane. See Changing Text Styles on page 250.
These instructions are for Windows 7 and Windows 8. Configuring other Windows versions is
similar.
1. Click Start and type change keyboard in the search bar, or click Start > Control Panel
> Change keyboards or other input methods. The Keyboards and Languages tab of the
Region and Language dialog is displayed.
2. Click the Change keyboards button. The General tab of the Text Services and Input
Languages dialog is displayed.
3. In Installed services, click Add. The Add Input Language dialog is displayed.
4. Click the plus box next to the language you want to add, click the plus box next to
Keyboard, and click the checkbox next to the language you want to add.
5. Click OK.
The keyboard is now mapped to the selected language. Repeat steps 3 and 4 for any
additional languages you want to add.
1. Click the two letter language code in the notification area of the Windows taskbar.
2. Keyboard mapping options display. Select the language you want to use.
1. From the Windows Desktop, click Start, type charmap into the search box, and press the
Enter key, or click Start > All Programs > Accessories > System Tools > Character Map.
The Character Map utility is displayed.
2. Click the desired character, then click Select to add the character to the Characters to
Copy box.
3. Repeat step 2 to add more characters.
4. Click Copy, then paste the characters where you want to use them.
CHAPTER 16
USING LINEN
Overview
The LinEn™ utility is an acquisition tool for creating evidence files using a Linux "live"
CD/DVD that does not alter any potential evidence on the drives to be acquired. You run the
LinEn CD/DVD on a Linux operating system to perform drive-to-drive and crossover
acquisitions.
LinEn runs in 32-bit mode, independently of the Linux operating system to quickly acquire data
from a large set of devices.
Note: Because it is not practical to modify the settings of a live Linux distribution,
ensure that the live distribution does not automatically mount detected devices.
1. Using your EnCase application on the investigator's machine, click Tools > Create Boot
Disk. The Choose Destination dialog of the Create Boot Disk wizard is displayed.
2. Click ISO Image, then click Next. The Formatting Options dialog of the Create Boot Disk
wizard is displayed.
3. Provide a path and filename to the ISO image you downloaded earlier, or click Alter Boot
Table, and click Next. The Copy Files dialog of the Create Boot Disk wizard is displayed.
4. Right-click in the right pane of the Copy Files page, and click New. The file browser opens.
5. Enter or select the path to the LinEn executable, usually c:\program
files\encase8\linen, click OK, then click Finish. The Creating ISO progress bar is displayed
on the Copy Files dialog. After the modified ISO file is created, the wizard closes.
6. Burn the ISO file onto a blank CD/DVD using the disk burning software of your choice.
You now have a boot disk to run Linux and LinEn while you acquire the subject Linux device.
Note: LinEn does not boot Windows 8 computers when UEFI Mode and Secure
Boot are enabled. The new UEFI (Windows 8 BIOS) has additional checks to prevent
malicious software from booting Windows 8 computers. Every operating system
requires a key. Linux cannot provide this, so it is not allowed to boot. You must
disable the UEFI to allow Linux to boot a Windows 8 computer.
• SUSE 9.1
• Red Hat
• Knoppix
Note: Because of the dynamic nature of Linux distributions, we recommend that
you validate your Linux environment before using it in the field.
This process describes an ideal setup that effectively runs the LinEn application in a forensically
sound manner.
To prevent inadvertent disk writes, you must make modifications to the operating system.
Linux has an autofs feature, installed by default, that automatically mounts and writes to any
medium attached to the computer. It is essential that you disable autofs to prevent automatic
mounting.
If you intend to use a LinEn boot disk, you must have a live distribution, such as Knoppix, to
create a boot disk. If you intend to run LinEn on an installed version of Linux on your examiner
machine, we recommend SUSE or Red Hat.
For the Linux distributions discussed in relation to LinEn, obtain a distribution from one of the
following:
• Drive-to-drive acquisitions
• Crossover cable acquisitions
Drive-to-drive acquisitions provide the means to safely preview and acquire devices without
using a hardware write blocker. Drive-to-drive acquisitions use either the subject machine or
the forensic machine to perform the acquisitions.
Crossover cable acquisitions require both a subject and forensic machine. This type of
acquisition also does not require a hardware write blocker. It may be desirable in situations
where physical access to the subject machine's internal media is difficult or not practical. This is
the recommended method for acquiring laptops and exotic RAID arrays. This method is slower
than a drive-to-drive acquisition because data is transferred over a network cable, making it
especially sensitive to the speed of the network cards housed in both machines.
• IDE Cable
• USB Cable
• Firewire
• SATA
• SCSI
1. The forensic machine, running LinEn from the LinEn Boot Disk, connected to the subject
hard drive.
2. The forensic machine, booted to Linux and running LinEn, connected to the subject hard
drive.
3. The subject machine, running LinEn from the LinEn Boot Disk, connected to the target
hard drive.
Drive-to-Drive Acquisition
Before you begin, identify the subject drive to be acquired and the storage drive to hold the
acquired evidence file.
If the FAT32 storage partition that will hold the evidence file has not yet been mounted, mount it now.
Navigate to the folder where LinEn resides and enter ./linen in the console. The LinEn main
window is displayed.
1. Select the Load menu > Local Devices option to add a local device to the Device Window.
2. The Add Local Device dialog is displayed. Here you can add one or more devices to LinEn.
The Add Local Device dialog contains a list of all devices, both full drives and partitions.
PATH
The Path option changes the directory scanned for devices. Selecting Path and pressing Enter
opens a dialog that changes the directory according to your input.
DEVICE LIST
For each device, the following information is displayed:
The columns displayed in the Add Local Device window can be scrolled using the scroll bar at
the bottom or the left and right arrow keys.
One device is currently highlighted with a black background. Pressing the arrow keys moves
the highlighted selection. Pressing the PageUp and PageDown keys moves the highlighted
selection by one page. Pressing the Space key selects a device. Choose Select All from the Edit
menu, or press Ctrl+A to select all devices.
After selecting one or more devices, select Close to add the devices to LinEn. No processing of
the devices, such as hashing, is done at this time.
Devices Window
At startup, the Devices window is empty. It is populated when you add devices. After being
populated, the Device Window is displayed.
The Devices Window contains the following information for each device that has been added.
l Name: Filename of the block device as it is seen in the /dev directory. The same name is
displayed in EnCase.
l Label: Full path to the device.
l Sectors: Number of sectors for this device.
l Size: Size of the device in bytes.
l Status: Indicates if the device has been hashed or acquired. Values for this field are
Unknown, Running, Done, and Cancelled.
When a device is selected, its text is displayed on a black background. Selected devices can be
hashed, acquired, added, deleted or saved.
To remove the selected device, use the Delete option either from the menu, or by pressing the
Delete key. Note that this removes the device from LinEn only. No changes such as deleting
files or formatting are made to the actual device.
Acquiring a Device
The Acquire menu option begins acquisition of the currently highlighted device. As acquisition
begins, the Acquire Device dialog is displayed with the following three tabs:
l Location
l Format
l Advanced
After you set the parameters in the Acquire Device dialog and click OK, acquisition begins. A
thread is added to the Thread Monitor.
The Acquire Device dialog Location tab displays the following fields and options.
l Name: Generates the name of the file in the Output Path control. By default, the Name
field has the same value as the name in the Devices Table in the Device Window.
Changing this value changes the name of the file.
l Evidence Number: Stored in the evidence file as Evidence Number.
l Case Number: Stored in the evidence file as Case Number.
l Examiner Name: Stored in the evidence file as Examiner Name.
l Notes: Free text up to 32 characters. Stored in the evidence file.
l Output Path: Evidence File Path. Use to enter or browse to a different output path.
l Alternate Path: A semicolon delimited list of alternate paths, used to enter or browse to
an alternate path. The alternate path provides a secondary location for LinEn to use for
continuing to write segments of the evidence file if the location designated by the Output
Path does not have enough space to write the entire evidence file.
The Acquire Device dialog Format tab displays the following fields and options.
l Evidence File Format: Specifies the evidence file format. The default evidence file extension
is Ex01. A legacy evidence file (a file using the format in versions of EnCase prior to Version
8) is E01. Note that selecting Legacy enables the Password button. Using a password in
EnCase legacy evidence files is optional. To use one, click Password to open a dialog to
enter and confirm a password. Keep a record of the password in a secure location. EnCase
does not have a password recovery tool.
l Verification Hash: Dropdown list for hashing algorithms includes the following selections:
o None: No check boxes are selected.
o MD5: Selects MD5.
o SHA-1: Selects SHA-1.
o MD5 and SHA-1: Both check boxes are selected.
l Password button: Opens the Password dialog. This is enabled for E01 (legacy) evidence
files only.
The Acquire Device dialog Advanced tab displays the following fields and options.
l Block Size (Sectors): (Minimum: 64, maximum: 1024). Higher block sizes allow slightly
faster acquisitions and create smaller evidence files. However, with large block sizes, when
evidence files are damaged, larger blocks of data are lost.
l Start Sector: Specifies the start sector (minimum: 0, maximum: maximum number of
sectors of the source).
l Stop Sector: Specifies the stop sector (minimum: 0, maximum: maximum number of
sectors of the source).
l Threads button: Displays the Threads dialog.
o Reader Threads: Controls how many threads are reading from the source device,
enabled only if the file format is E01. (1-5 available; default is 0).
o Worker Threads: Controls data compression calculation, enabled for both EnCase
evidence file formats, E01 and Ex01. (1-20 available; default is 5).
If the device has not been acquired, the Name, Start Sector, and Stop Sector are populated
and all other fields are blank.
After acquiring begins, the Start time is displayed. When you select a device, if the device has
been acquired, the following information is displayed:
l Status: Acquiring (while the thread is running). Acquired (when the operation finishes).
l Start: Start time of the operation.
l Stop: Finish time of the operation.
l Time: Elapsed time of the operation.
l Start Sector: Start sector of the part of the device that is hashed. By default, if you hash
the full device, this value is 0.
l Stop Sector: Final sector of the part of the device that’s hashed. By default (if you hash
the full device), this is the maximum sector number.
l Verification MD5: MD5 hash of the part of the device that is hashed. This is displayed
only when you select MD5 in hash options.
l Verification SHA1: SHA1 hash of the part of the device that is hashed. This is displayed
only when you select SHA1 in hash options.
If you acquire a device more than once, the display is cleared of old information, and displays
only new information.
If you try to hash a device that is currently being used in LinEn (for example, already hashing or
acquiring), a dialog asks if the current thread should be canceled. A new hashing thread for the
same device is created only when the current thread is not running.
The file name is automatically generated and cannot be changed. For example, acquisition
information for a device with the name "hdd1" is saved in: [current
directory]/hdd1.acq. If the file already exists, the new information is appended to the end
of the file.
There are two ways to verify an acquisition:
1. Verify individual segments of the evidence file (for example, the .E03 segment). This
confirms that the files are not corrupted, but does not confirm that the files match the
underlying device.
2. Hash the original device and the acquired evidence image, then compare the hashes to
make sure that the correct data has been acquired.
Hashing a Device
To hash a device, first load a device, as described in the Load Local Device section. Once
loaded, follow this process to perform a hash.
The Device/Hash option hashes a device or part of a device, using MD5, SHA1, or both. This
option opens the Hashing Device dialog.
Use this dialog to select the type of hash: MD5 or SHA1. You can also select both or no option.
The hash type options are checkboxes. You can select or clear them independently using the
Space bar.
Use this dialog to select start and stop sectors. When you open this dialog, the Start Sector
and Stop Sector fields are populated with 0 (Start Sector) and the maximum sector (Stop
Sector).
Clicking OK starts the hashing process, changes the status of the device in the Devices
Window, and creates a new thread in the Thread Monitor Window. Both hash values are
calculated in the same thread, so only one thread is started. If none of the check boxes is
selected, the dialog exits and no thread is created.
After completion, hash information is displayed in the Device Window. You can save this
information to a file.
The filename is generated automatically and cannot be changed. For example, a device with
the name hdd1 is saved in: [current directory]/hdd1.hash. If the file already exists, the
new information is appended to the end of the file.
The Evidence Files window contains information about the evidence displayed in the Evidence
box on the left and the segments they contain if the evidence has multiple files, shown in the
Files box on the right.
Changing the current selection in the Evidence list will refresh the list of the files.
The Verify Evidence button uses the current selection from the Evidence box to begin verifying
the entire evidence. If the evidence file does not have acquisition information, the verification
begins and verifies the evidence to ensure that the file is readable. In this example, the
verification is done after selecting all segments and clicking the Verify Single button. No hash
value is calculated.
The Verify Single button uses the current selection from the Files box and verifies the selected
evidence segments. The Single file verification only option reads a segment to make sure that it
is readable and that the information is consistent.
l If the evidence has not been verified, the Name, Acquisition, MD5, and SHA1 fields are
populated. The other fields are blank.
l Once verification begins, the start time is shown.
l If the evidence has been verified, verification information for MD5 and SHA1 is displayed.
The following fields are optional. Their values depend on the results of the verification.
l Acquisition MD5: The MD5 hash of the evidence file when created. Not displayed if MD5
is not selected during the acquisition.
l Acquisition SHA1: The SHA1 hash of the evidence file when created. Not displayed if SHA1
is not selected during the acquisition.
l Verification status: Status of the verification.
l Verification MD5: Displays only if it does not match the Acquisition MD5 value after the
verification ends.
l Verification SHA1: Displays only if it does not match the Acquisition SHA1 value after the
verification ends.
ACQUISITION MD5
l Before the verification, this is the MD5 hash of the evidence file when it was created.
o If no errors occur, this value is replaced with the MD5 hash value.
o If the verification fails, this value remains and the verification MD5 is displayed.
ACQUISITION SHA1
l Before the verification, this is the SHA1 hash of the evidence file when it was created.
o If no errors occur, this value is replaced with the SHA1 hash value.
o If the verification fails, this value remains and the verification SHA1 is displayed.
VERIFICATION STATUS
l Unverified: Displays before evidence file verification begins.
l Verified: Displays after the verification thread finishes. Status values include:
o Verified, no errors: Indicates the verification process did not find any errors.
o Verify errors #: Displays the number of errors found during the verification process.
If the verification is started again, the display is cleared, and new information is displayed.
If a verification is already in progress (the thread status is displayed as Running) and you
attempt to verify the same evidence, a dialog is displayed giving you the option to cancel the
current thread. A new verification thread for the same device is created only when the current
thread is not running.
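To make the hashing and verification flow concrete, here is an added Python example (not code from the user guide or from LinEn) that covers both the two-step verification described under Acquiring a Device and the Acquisition/Verification MD5 and SHA1 fields above. It hashes a sector range in a single pass with both algorithms, simulates an acquisition whose image stores the acquisition hashes plus a CRC32 per block of Block Size sectors (an assumed simplification, not the E01/Ex01 layout), and shows how a one-byte fault is reported and why a larger block size loses more sectors. The device contents are constructed.

```python
"""Sector-range hashing, simulated acquisition and verification, in the style
of LinEn's Hash, Acquire and Verify operations.

Added example; it is not code from the user guide or from LinEn. The subject
device is a constructed bytes object of 512-byte sectors. The evidence image is
an in-memory dict with a CRC32 per block of Block Size sectors, an assumed
simplification of the evidence file's integrity checks (the real E01/Ex01
layout is not reproduced).
"""
import copy
import hashlib
import zlib

SECTOR = 512
# Constructed, non-repeating sample device of 1024 sectors (512 KiB).
DEVICE = bytes(((i % 251) * (i // SECTOR + 1)) % 256 for i in range(1024 * SECTOR))


def hash_sectors(device, start, stop, md5=True, sha1=True):
    """Hash sectors start..stop inclusive (the Start/Stop Sector fields).

    Both digests are fed from one read pass, as the guide says both hash
    values are calculated in the same thread. Only the selected algorithms
    are returned; selecting none returns {} and does no work."""
    total = len(device) // SECTOR
    if not 0 <= start <= stop < total:
        raise ValueError(f"sector range {start}-{stop} outside 0-{total - 1}")
    digests = {}
    if md5:
        digests["MD5"] = hashlib.md5()
    if sha1:
        digests["SHA1"] = hashlib.sha1()
    if not digests:
        return {}
    for sector in range(start, stop + 1):
        chunk = device[sector * SECTOR:(sector + 1) * SECTOR]
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire(device, block_size=64, md5=True, sha1=True):
    """Copy the device into blocks of block_size sectors (64-1024, as on the
    Advanced tab), each with its CRC32, and record the acquisition hashes."""
    if not 64 <= block_size <= 1024:
        raise ValueError("block size must be 64-1024 sectors")
    total = len(device) // SECTOR
    blocks = []
    for first in range(0, total, block_size):
        data = bytes(device[first * SECTOR:(first + block_size) * SECTOR])
        blocks.append({"first": first, "data": data, "crc": zlib.crc32(data)})
    return {"block_size": block_size, "blocks": blocks, "start": 0, "stop": total - 1,
            "acquisition": hash_sectors(device, 0, total - 1, md5, sha1)}


def verify(image):
    """Verify Evidence: count damaged blocks, then re-hash the whole image and
    compare with the stored acquisition hashes.

    Returns (status, mismatches, bad_blocks). mismatches holds a verification
    hash only for algorithms that differ, which is when the guide displays a
    Verification MD5/SHA1 value."""
    bad_blocks = [b["first"] for b in image["blocks"] if zlib.crc32(b["data"]) != b["crc"]]
    data = b"".join(b["data"] for b in image["blocks"])
    stored = image["acquisition"]
    recomputed = hash_sectors(data, image["start"], image["stop"],
                              md5="MD5" in stored, sha1="SHA1" in stored)
    mismatches = {k: v for k, v in recomputed.items() if v != stored[k]}
    if not bad_blocks and not mismatches:
        return "Verified, no errors", {}, []
    return f"Verify errors {len(bad_blocks) or len(mismatches)}", mismatches, bad_blocks


def matches_device(device, image):
    """Step 2 of the guide's verification: hash the original device over the
    acquired range and compare with the image's acquisition hashes."""
    stored = image["acquisition"]
    fresh = hash_sectors(device, image["start"], image["stop"],
                         md5="MD5" in stored, sha1="SHA1" in stored)
    return fresh == stored


def damage(image, sector):
    """Return a copy with one byte flipped inside the given sector: a
    constructed fault standing in for a corrupted evidence segment."""
    damaged = copy.deepcopy(image)
    block = damaged["blocks"][sector // image["block_size"]]
    data = bytearray(block["data"])
    data[(sector % image["block_size"]) * SECTOR] ^= 0xFF
    block["data"] = bytes(data)
    return damaged


def lost_sectors(image):
    """Sectors that can no longer be trusted: every sector of each damaged
    block. A larger Block Size means more sectors lost per damaged block."""
    _, _, bad = verify(image)
    by_first = {b["first"]: b for b in image["blocks"]}
    return sum(len(by_first[f]["data"]) // SECTOR for f in bad)


if __name__ == "__main__":
    image = acquire(DEVICE, block_size=64)
    print(verify(image)[0], matches_device(DEVICE, image))
    print(verify(damage(image, 100))[0], "lost sectors:", lost_sectors(damage(image, 100)))
```

Note that matches_device() stays true after the image is damaged: it compares the device against the hashes recorded at acquisition time, which is exactly why the guide separates that comparison from verifying the evidence file itself.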
To add evidence files to the Evidence Files window, use the Add Evidence menu.
To remove the selected evidence, use the Delete option from the menu, or press the Delete
key.
The Save command saves the information to a file using the same name as the evidence file.
The filename is automatically generated and cannot be changed. For example, a device with
the name "hdd1" is saved in: [current directory]/hdd1.verify. If the file already exists,
the new information is appended to the end of the file.
Window Menu
The Window Menu is the starting navigation point for using LinEn. This window has five
options.
Console Window
The LinEn Console Window has the same function as the EnCase console. All error or
information messages display in this window. For example, when a verification or acquisition
finishes, the result is displayed in the Console window.
Thread Monitor Window
The Thread Monitor Window shows a thread for each of the following operations:
l Hashing
l Single file verification
l Evidence file verification
l Evidence acquisition
For each thread, the following columns are displayed:
l Name: Name of the type of thread, such as hashing device, verify single, verify evidence,
acquire.
l Status: Thread status, such as running, suspended, canceled, done.
l Errors: The number of errors. This is blank if there are no errors.
l Progress: Percent completion, 100% = completed.
l File Path: A processing comment. For example, "Hashing: /dev/hda5" or "Verifying:
myfile.E01".
Threads are shown until removed by deletion. The status window shows a history of actions
performed.
Edit Menu
The top level window in LinEn includes an Edit menu option. The Edit menu contains Delete
and Options selections, described below.
DELETE
Content deleted is context-dependent.
l If the current top window is the Device Window, the currently selected device is deleted
from the table. It is removed from LinEn, not deleted on disk. When a device is deleted it
is removed from the LinEn Devices Window.
l If the current top window is the Evidence Files Window, the currently selected evidence is
deleted.
l If the current top window is the Thread Monitor Window, the currently selected thread is
deleted. If the thread is currently running, LinEn asks if you want to cancel it.
If a running thread is associated with the current item you want to delete, LinEn will ask if you
want to cancel the thread before the item is removed from the table.
l If you select No, the thread is resumed and the item is not deleted.
l If you select Yes, the thread is cancelled and the item is deleted.
Note: The thread itself is not deleted from the Task Manager window, unless this is
the current window.
Note: When anything is deleted from the current window, LinEn does not give you the
option to save textual data, such as hash results.
OPTIONS
The Options window sets commonly used variables.
HOME PATH
The Home Path field points to a directory. If the directory path does not exist, LinEn creates it
when you click OK. This directory is used as a root directory to organize stored information,
such as logs and evidence files.
LOGGING DIRECTORY
Logging Directory is a read-only field. It cannot be edited. It shows where the logs are
stored when you save information fields or the console.
Both the Logging Directory and Default Evidence Path fields contain recommended values. The
values in these fields are transferred to the corresponding fields in the Acquire dialog. You can
change the fields in the Acquire dialog.
Note: You must use the -cl option to activate this feature.
Select an operation:
l -k for AcquireMode
l -o for HashMode
Note: You must choose either AcquireMode or HashMode. LinEn displays an error
message if you attempt to use both.
You can enter command line options with a single dash and the shortcut (for example, -p
<Evidence Path>) or with a double dash and the full tag (for example, --EvidencePath
<EvidencePath>).
During the acquisition or hashing process, a pipe character (|) prints to the console for each
percentage completed.
Option                    Tag             Description
-x <Examiner>             Examiner        Examiner's name (maximum 64 characters).
-r <Evidence Number>      EvidenceNumber  Evidence number (maximum 64 characters).
-a <Alternate Paths>      AlternatePath   A semicolon delimited list of alternate paths (maximum 32,768 characters).
-d <Compress>             Compress        Level of compression (0=none, 1=fast, 2=best).
-g <Granularity>          Granularity     Error granularity in sectors (minimum 1, maximum 1024).
-f <Configuration File>   File            Path to a configuration file holding variables for the program (maximum 32,768 characters).
-?                                        Help message.
-rdr <number>             Readers         Number of reader threads (acceptable value 1-5).
-wrk <number>             Workers         Number of worker threads (acceptable value 1-20).
l If (-cl) is set, users must pass all LinEn settings via a text file or via command line
arguments.
CONFIGURATION FILE
You can create a configuration file to fill in some or all of the variables. The configuration file
must be in the format OptionName=Value. All of these options have the same restrictions as
their command line counterparts.
Note: Any options specified on the command line take precedence over those in the
configuration file.
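The following Python example, added here and not part of the user guide or of LinEn, is a pre-flight validator for the command line mode described above: it parses an OptionName=Value configuration file and a command line that mixes short and full tags, merges them with command line precedence, and checks the limits from the options table (exactly one of -k/-o, -cl present, character limits, numeric ranges). The configuration file and command line are constructed samples; the CommandLine and Help keys used internally for -cl and -?, the treatment of '#' lines as comments, and the values accepted for a mode switch in the file are assumptions, not LinEn behaviour.

```python
"""Validate LinEn command line arguments and a configuration file before an
unattended run, applying the guide's precedence rule (command line overrides
the file) and the limits from its options table.

Added example, not code from the user guide or from LinEn; LinEn's own parser
is not reproduced. Only option names and limits shown in the guide are used.
"""
import shlex

# Short flag -> full tag, from the guide's table and surrounding text.
VALUE_OPTIONS = {
    "-p": "EvidencePath", "-x": "Examiner", "-r": "EvidenceNumber",
    "-a": "AlternatePath", "-d": "Compress", "-g": "Granularity",
    "-f": "File", "-rdr": "Readers", "-wrk": "Workers",
}
MODE_FLAGS = {"-k": "AcquireMode", "-o": "HashMode"}
MAX_LENGTH = {"Examiner": 64, "EvidenceNumber": 64, "AlternatePath": 32768, "File": 32768}
INT_RANGE = {"Compress": (0, 2), "Granularity": (1, 1024), "Readers": (1, 5), "Workers": (1, 20)}

# Constructed sample inputs.
SAMPLE_CONFIG = """\
# constructed example configuration file
Examiner=J. Examiner
EvidenceNumber=CASE-0001-DRV-02
EvidencePath=/mnt/evidence
Compress=2
Granularity=64
Workers=5
"""
SAMPLE_COMMAND = "-cl -k -d 1 --Examiner 'J. Examiner (on site)' -rdr 2"


def parse_config(text):
    """Parse OptionName=Value lines. Blank lines and '#' comments are skipped
    (an assumption; the guide only specifies the OptionName=Value form)."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected OptionName=Value, got {line!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        settings[name] = value
    return settings


def parse_args(argv):
    """Parse '-x value' / '--Examiner value' pairs and the bare -k, -o, -cl and
    -? switches into a dict keyed by full tag (CommandLine/Help are assumed)."""
    settings = {}
    args = list(argv)
    while args:
        arg = args.pop(0)
        if arg in ("-cl", "-?"):
            settings["CommandLine" if arg == "-cl" else "Help"] = True
            continue
        tag = arg[2:] if arg.startswith("--") else None
        if arg in MODE_FLAGS or tag in MODE_FLAGS.values():
            settings[MODE_FLAGS.get(arg, tag)] = True
            continue
        if arg in VALUE_OPTIONS or tag in VALUE_OPTIONS.values():
            if not args:
                raise ValueError(f"{arg} requires a value")
            settings[VALUE_OPTIONS.get(arg, tag)] = args.pop(0)
            continue
        raise ValueError(f"unknown option {arg}")
    return settings


def merge(config, cli):
    """Command line values take precedence over the configuration file."""
    return {**config, **cli}


def _is_on(value):
    # A switch given on the command line is True; in the file a value such as
    # AcquireMode=1 is treated as on (assumed representation).
    return value is True or str(value).strip().lower() in ("1", "true", "yes")


def validate(settings):
    """Return a list of problems; an empty list means the settings pass."""
    errors = []
    modes = [m for m in MODE_FLAGS.values() if _is_on(settings.get(m, False))]
    if len(modes) != 1:
        errors.append("choose exactly one of AcquireMode (-k) or HashMode (-o)")
    if not settings.get("CommandLine"):
        errors.append("-cl is required to run LinEn from the command line")
    for name, limit in MAX_LENGTH.items():
        if name in settings and len(str(settings[name])) > limit:
            errors.append(f"{name} exceeds {limit} characters")
    for name, (low, high) in INT_RANGE.items():
        if name not in settings:
            continue
        try:
            number = int(settings[name])
        except ValueError:
            errors.append(f"{name} must be an integer")
            continue
        if not low <= number <= high:
            errors.append(f"{name} must be between {low} and {high}")
    return errors


def check(config_text, command_line):
    """Parse both sources, merge with command line precedence, validate."""
    settings = merge(parse_config(config_text), parse_args(shlex.split(command_line)))
    return settings, validate(settings)


if __name__ == "__main__":
    print(check(SAMPLE_CONFIG, SAMPLE_COMMAND))
```

Run check() on the real file and command line before starting LinEn; a non-empty error list is cheaper to fix at the console than to discover after an acquisition has been cancelled by a rejected option.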
Once the selected operation is complete, results print to the console. Read errors and read
error sectors display only if there are actual errors.
HASHING RESULTS
Name: <EvidenceName>
Sectors: 0-<TotalSectors>
ACQUISITION RESULTS
<EvidenceName>: acquired to <EvidencePath>
1. Boot the target machine from the LinEn bootable device. Ensure the target machine has
an operable optical drive or USB port and can actually boot from a CD or bootable
LinEn device.
2. Connect the forensic machine to the subject machine using a crossover cable or an
Ethernet cable.
Note: If an Ethernet cable is used, both the target and forensic machine must have
gigabit Ethernet.
3. On the target machine running LinEn, ensure an IP address has been assigned correctly
to the default Ethernet adapter by typing ifconfig eth0. If the adapter does not have
an IP address assigned, assign one manually by typing ifconfig eth0 10.0.0.2
netmask 255.0.0.0. Verify the IP address assignment completed successfully by
typing ifconfig eth0.
4. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn
in Server Mode.
5. When you select a device, a variation of the following information is displayed:
6. On the forensic machine, modify the network adapter settings in Windows to place both
machines in the same network: IP address 10.0.0.3 and subnet mask 255.0.0.0. You
should be able to ping the target machine running LinEn at this point.
7. Launch EnCase on the forensic machine.
8. On the Home page, create a new case or open an existing case.
9. Click Add Evidence > Add Crossover Preview. The Add Crossover window is displayed,
and lists crossover devices.
10. Select Network Crossover, and click Select.
11. Select the physical disk or logical partition to acquire or preview and click OK.
You can preview and acquire the contents of the device through EnCase. For more information
about acquisition, see Acquiring Device Configuration Overlays (DCO) and Host Protected
Areas (HPA) on page 145 and Acquiring a Disk Running in Direct ATA Mode on page 147.
Overview
EnCase Decryption Suite (EDS) enables the decryption of encrypted files and folders by domain
and local users. EDS is included with EnCase Forensic in most countries. EDS supports the
following forms of encryption:
l Mounted files
o PST (Microsoft Outlook Data File)
o OST (Microsoft Offline Outlook Data File)
o S/MIME encrypted email in PST files
o NSF (Lotus Notes)
o Protected storage (ntuser.dat)
o Security hive
o Active Directory 2003 (ntds.dit)
o EnCase Logical Evidence File Version 2 Encryption
CHAPTER 17 EnCase Decryption Suite 709
If the disk is encrypted, EnCase Forensic requests user credentials (see Supported Encryption
Products below for a table listing required credentials for supported encryption products).
Note that the disk/volume encryption support in EnCase Forensic works only at the physical
level.
l If the credentials are not correct, the User Credential dialog is displayed again. If this
occurs, enter the correct credentials to exit the dialog or press Cancel.
l If the correct credentials are entered, EnCase Forensic decrypts the disk. No password
attacks are supported.
l Microsoft BitLocker
l GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption
l Utimaco SafeGuard Easy
l McAfee SafeBoot
l McAfee Endpoint Encryption
l WinMagic SecureDoc Full Disk Encryption
l PGP Whole Disk Encryption
l Checkpoint Full Disk Encryption
l Dell Full Disk Encryption (FDE)
l Apple File System (APFS) Encryption
GuardianEdge Encryption Plus: X X
GuardianEdge Encryption Anywhere: X X X
GuardianEdge Full Disk Encryption: X X X
Utimaco SafeGuard Easy: X X
McAfee SafeBoot: X X X X; credentials: Algorithm
Dell Data Protection Enterprise/Credant Mobile Guardian Online: X X X; credentials: Machine ID, Shield ID, Credant ID
Dell Data Protection Enterprise/Credant Mobile Guardian Offline: X X
Microsoft BitLocker: X; credentials: Key
Microsoft Encrypting File System (EFS): X; credentials: Keys
ZIP: X
S/MIME: X; credentials: PFX
PGP Whole Disk Encryption: X; ADK requires path and passphrase; credentials: Passphrase, ADK, WDRT
WinMagic SecureDoc: credentials: Key file password; Key file path, Emergency disk folder path
Vera: X; credentials: Configuration file path, Decryption key path; Keys
APFS Encryption: X
Analyze EFS
The Analyze EFS command scans a volume for data and processes it. Alternatively, you can run
Analyze EFS from Secure Storage, which scans all volumes in the case one after another.
1. Right-click the volume you want to analyze, then click Device > Analyze EFS from the
dropdown menu.
2. The first Analyze EFS dialog is displayed. Click Next.
3. The second Analyze EFS dialog is displayed with the Documents and Settings Path and
Registry Path fields populated by default. For unusual system configurations, data disks,
and other operating systems, these values are blank. You can modify them to point to
the user profile folders and/or the registry path.
4. Click Next to begin the scan.
5. When the scan completes, the EFS Status dialog shows statistical information on keys
found and decrypted and registry passwords recovered.
6. When you finish reviewing the EFS status, click Finish.
Note: Analyze EFS can also open the Syskey and Password Recovery Disk
screens.
MISSING IMAGES
If images that should have rendered display as blank, select the gear dropdown menu in
Evidence view and click Clear invalid image cache.
Although the tab is always present in the interface, the EDS module must be installed to enable
most of the functionality.
Note: EnCase Forensic automatically saves keys and credentials used to decrypt
evidence in Secure Storage for future use. If your Secure Storage Tab is unpopulated
after decrypting evidence, save your case. Close and restart EnCase Forensic to
refresh Secure Storage.
Enter Items
ENTER SYSKEY
You can enter Syskey information before running the Analyze EFS wizard, or afterwards if the
wizard is already completed.
USER PASSWORD
If you know the user password:
1. In the Table tab, click the hamburger icon, then click Enter Items from the dropdown
menu.
2. The Enter Items dialog opens to the User password tab.
3. Enter the password, then click OK.
If the Syskey is protected and you do not know the password, an attack on the SAM file for
user passwords will fail. This is a rare situation. Most Windows machines do not have a
protected Syskey. EnCase Decryption Suite includes a dictionary attack option to get past a
protected Syskey. You can obtain dictionary files from a number of sources. To open setup,
right-click the root of Secure Storage and select Dictionary Attack.
While Analyze EFS scans the registry, EnCase alerts you if the Syskey is password protected or
has been exported. In these cases, the Analyze EFS wizard prompts you to enter the Syskey
password or browse to the Syskey file location. The Syskey file is called startkey.key. You
should examine any removable media collected at a scene for the presence of this file. If the
Syskey file is recovered on removable media, it can be copied/unerased from EnCase to the
examination machine, and you can browse to the startkey.key location. This process is the
same as when you use the Password Recovery Disk.
1. With the file on removable media, or copied to a hard drive, click the hamburger icon in the
Table tab, then click Enter Items from the dropdown menu.
2. Select the Password Recovery Disk tab.
3. Click File or Removable.
4. Enter the path or browse to it, then click OK.
10. Click Next. A confirmation window displays details about the export.
11. Click Finish to complete the export.
12. Click the hamburger icon in the Table tab, then click Enter Items from the dropdown
menu.
13. In the Enter Items dialog, select the Private Key File tab.
14. Enter the path or browse to it.
15. Enter the Password in the next dialog, then click OK.
A status screen confirms successful completion and the Private Key is displayed in the
Secure Storage tab.
1. Click the hamburger icon in the Table tab, then click Enter Items from the dropdown
menu.
2. In the Enter Items dialog, select the Enter Mail Certificate tab.
3. Enter the path to the .PFX certificate and the password.
4. Click OK.
5. The .PFX cert is decrypted and stored in Secure Storage.
Associate Selected
To associate *nix users with volumes:
l Name
l Encrypted
l Type
l Subtype
l Password
l Password Type
l Aliases: Security Identifiers (SIDs) that point to one or more SID entities. They include a
name and a comment.
l Groups: SIDs that point to one or more SID entities. They include a name and a
comment. These are defined groups such as Administrators and Guests.
l SAM Users: Local Users; details are listed in the Report tab of the View pane.
l Passwords: Found and examiner added passwords.
l Net Logons: Local Users; details are listed in the Report tab of the View pane.
l Nix User/Group: Unix users/groups.
l Lotus: Lotus Notes.
l Email Certificates: Certificates used for S/MIME decryption and signature verification.
l Disk Credentials: Persistent key cache for disk/volume encryption products.
l Master Keys: A master key that protects every user's private key. The master key itself is
encrypted with a hash of the user’s Windows password.
l Private Keys: Keys used in the decryption of EFS files.
l Internet Explorer (IE) Passwords: Passwords from IE 6.
l Policy Secrets: LSA secrets which include the default password and passwords for
services. Some of these secrets are not passwords but binary data placed there by the
system and applications.
l SAM Keys/Policy Keys/Dpapi/CERT: Items for internal use.
Passware Integration
EnCase provides Passware v11.7 integration, which lets you export indexes and known
passwords as a dictionary for decrypting protected files. Using this feature requires a valid
installation of the Passware Kit.
EnCase can export data to Passware after processing evidence with the Evidence Processor
and creating an index, or after running Analyze EFS. EnCase displays a warning if no index exists
or if Analyze EFS was not previously run.
EnCase creates a text configuration file for Passware that includes system information.
When you add additional words to the Passware dictionary list, EnCase exports the full
dictionary list, overwriting previously exported data.
You can begin the export process alternately by right-clicking an evidence file entry, then
selecting Open with > Passware.
The result is Passware displays data associated with the evidence file selected.
1. Install the SafeBoot Installer available for download at OpenText My Support or by
contacting OpenText Support.
From the SafeBoot server, copy the following files to the locations indicated. The files on your
SafeBoot Client machine (c:\Program Files\SafeBoot) do not work.
o It also contains a pointer to the port the server should speak on and its public and
private key information. Make sure that this port is open so the server and clients
can communicate.
o This file is required for online usage and keeps the communication port open
between SafeBoot server and clients.
o The SafeBoot clients V5+ can send encrypted data to a V5 server.
o V4 clients cannot send encrypted data to a V5 server, so for online use, change
AuthType to zero in the .ini file so you can decrypt both V5 and V4 clients.
o If you do not have or cannot get the SDMCFG.INI file, try creating a new empty text
file with this name instead. It must be there to work (even if it is an empty file).
2. Restart EnCase.
Once these steps are completed, SafeBoot is displayed in the Help/About screen.
Note: If the Export Restricted license flag is not enabled or the integration DLL files
are not properly installed, the physical device mounts, but the encrypted file
structure cannot be parsed. Since SafeBoot overwrites the original MBR for the boot
disk only, always preview the boot disk first, then preview any other disk in a
multi-disk machine configuration.
The offline dialog is similar. The Online checkbox is blank and only the Machine Name,
Transfer Database field, and Algorithm are available:
4. Save the case once a successful decryption is complete. The credentials entered in the
dialog are stored in Secure Storage, eliminating the need to enter them again.
When a decryption is successful, the Tree pane shows a SafeBoot folder, the Table pane
contains a list of decrypted files while the Text pane shows contents of a decrypted file.
Note: The Safeboot encryption .dll causes EnCase to crash when the encryption
algorithm for the server does not match the one implemented in SBAlg.dll.
Check Point Full Disk Encryption supports two types of authentication:
l Username/password
l Challenge/response
When decrypting data that uses this form of encryption, begin as follows:
1. Add your evidence or preview the local disk that contains the Check Point encrypted
volumes.
2. Go to the Evidence tab.
3. A dialog is displayed and prompts you for credentials. EnCase supports two types of
authentication: username/password and challenge/response. EnCase determines which
type of authentication is used based on the username you enter in the dialog.
Username/Password Authentication
For username/password authentication:
1. Select Evidence > Table, and select a disk. A dialog is displayed showing the username
and location of the recovery file path.
2. Click Next.
3. The Password Authentication dialog is displayed, with the password in the text field.
4. Click Finish to decrypt the selected disk.
The screenshot below shows a successful decryption. Note the folder tree in the Evidence tab,
and the DLL files listed in the Table tab.
If the decryption was unsuccessful or if the user canceled the dialog, this screen is displayed:
Note that the highlighted string "Protect!" in the View pane is a Check Point indicator that the
disk is encrypted.
Challenge-Response Authentication
For challenge-response authentication:
1. Select Evidence > Table, and select a disk. A dialog is displayed showing the username
and location of the recovery file path.
2. Click Next.
3. The following dialog indicates that the Challenge-Response form of Check Point Full Disk
Authentication was used to encrypt the selected disk. Use the Check Point tool to
generate a response for the challenge shown in the dialog. Copy the response value from the
tool to the EnCase dialog.
4. Click Finish.
If the EnCase Evidence tab and the Table pane display as they do below, with no partitions,
folders, or files visible, and if the "Protect!" string is visible in the View pane, then the
decryption failed (or the user canceled the dialog). It is possible that the response is incorrect
or that Check Point is unable to decrypt the selected disk.
When BitLocker is enabled, a large file is created that holds all unallocated (UAC) space, minus
six gigabytes.
You can find a list of currently supported versions of BitLocker in your product's latest release
notes.
The recovery password is stored in a file with a GUID name (for example,
AE15E17A-C79E-4D3F-889F-14FBF6E0F9E.TXT).
These keys are matched by Key Protector GUID in the BitLocker metadata.
3. The Recovery Key option button is selected by default. Browse to the location of the
required .BEK recovery key.
4. Browse to the folder containing BitLocker keys and select the specified .BEK file.
5. Click OK.
6. Copy and paste the recovery password into the BitLocker Credentials dialog.
7. Click OK.
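As an added example (not EnCase or Microsoft code), the following Python script performs the two checks implied above before anything is pasted into the BitLocker Credentials dialog: it matches a Key Protector GUID from the volume metadata against the GUID-named .TXT files in a key folder, and it checks that the recovery password has the structure Microsoft defines (eight 6-digit groups, each divisible by 11 and encoding a 16-bit value), a rule the guide itself does not spell out. The GUID, file content and password used are constructed samples.

```python
"""
Added example, not EnCase or Microsoft code: pre-check a BitLocker recovery
password and find the key file whose GUID name matches a Key Protector GUID.
"""
import os
import re
import tempfile
from typing import Optional

# Microsoft's documented layout (not stated in the user guide): 48 digits in
# eight 6-digit groups; each group is divisible by 11 and, divided by 11, is a
# 16-bit value (< 65536). A mistyped or truncated paste usually fails one rule.
PASSWORD_RE = re.compile(r"(?<!\d)(\d{6}(?:-\d{6}){7})(?!\d)")


def validate_recovery_password(text: str) -> bool:
    """Return True if text is a structurally valid 48-digit recovery password."""
    groups = text.strip().split("-")
    if len(groups) != 8:
        return False
    for g in groups:
        if not (len(g) == 6 and g.isdigit()):
            return False
        n = int(g)
        if n % 11 != 0 or n // 11 >= 65536:
            return False
    return True


def extract_recovery_password(file_text: str) -> Optional[str]:
    """Pull the first valid recovery password out of an exported key .TXT file."""
    for m in PASSWORD_RE.finditer(file_text):
        if validate_recovery_password(m.group(1)):
            return m.group(1)
    return None


def normalize_guid(guid: str) -> str:
    """Canonical form for matching: surrounding braces stripped, upper case."""
    return guid.strip().strip("{}").upper()


def find_key_file(protector_guid: str, key_dir: str) -> Optional[str]:
    """Locate <GUID>.TXT in key_dir for the given Key Protector GUID."""
    wanted = normalize_guid(protector_guid)
    for name in os.listdir(key_dir):
        stem, ext = os.path.splitext(name)
        if ext.upper() == ".TXT" and normalize_guid(stem) == wanted:
            return os.path.join(key_dir, name)
    return None


def recovery_password_for(protector_guid: str, key_dir: str) -> Optional[str]:
    """Find the key file for a protector and return a validated password, if any."""
    path = find_key_file(protector_guid, key_dir)
    if path is None:
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return extract_recovery_password(fh.read())


# Constructed sample data (hypothetical GUID and password, not from a real volume).
SAMPLE_GUID = "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0"
SAMPLE_PASSWORD = "111111-222222-333333-444444-555555-666666-111111-222222"


def demo() -> Optional[str]:
    """Write the constructed key file into a temp folder and resolve it by GUID."""
    with tempfile.TemporaryDirectory() as key_dir:
        key_path = os.path.join(key_dir, SAMPLE_GUID + ".TXT")
        with open(key_path, "w", encoding="utf-8") as fh:
            fh.write("Recovery Key (constructed sample):\n" + SAMPLE_PASSWORD + "\n")
        # Metadata often shows the GUID in braces and lower case; matching is tolerant.
        return recovery_password_for("{" + SAMPLE_GUID.lower() + "}", key_dir)


if __name__ == "__main__":
    print(demo())
```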
The following AutoUnlock registry keys are displayed for three volumes:
The following displays Secure Storage after the Analyze EFS process:
1. Add a BitLocker encrypted primary RAID 5 volume into EnCase using Add Device or drag
and drop. This primary volume consists of:
o The boot disk
o The BitLocker volume (which is not encrypted)
2. Add each additional physical disk using Add Device or drag and drop.
Note: The BitLocker Credentials dialog does not display until you finish building the
RAID.
3. When you finish building the RAID, EnCase displays the BitLocker Credentials dialog.
4. Provide the credentials. See Decrypting a BitLocker Encrypted Device Using Recovery Key
on page 725 or Decrypting a BitLocker Encrypted Device Using Recovery Password on
page 727 for details.
5. Click OK. EnCase decrypts all available volumes.
When you preview a machine's disk or open an evidence file, the Master Boot Record (MBR) is
checked against known signatures to determine whether the disk is encrypted. The SecureDoc
signature is WMSD.
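The MBR check described here, as an added Python example that is not EnCase code: it searches sector 0 of each disk for the indicators this chapter names (WMSD for SecureDoc and the Check Point "Protect!" string; their exact offsets are not given, so the whole sector is searched, which is an assumption of this example) and parses the standard MBR partition table so an examiner can see what, if anything, survives on an undetected disk. The sample sectors are constructed.

```python
"""
Added example, not EnCase code: triage sector 0 of a disk image for the
encryption indicators this chapter names and parse the MBR partition table.
"""
import struct
from typing import Dict, List, Optional

SECTOR = 512

# Indicators quoted in this chapter. Offsets are not given, so the whole
# sector is searched (assumption of this example, not EnCase's method).
INDICATORS = {
    b"WMSD": "WinMagic SecureDoc",
    b"Protect!": "Check Point Full Disk Encryption",
}

# Standard MBR layout: four 16-byte partition entries at 0x1BE, 0x55AA at 0x1FE.
PART_TABLE_OFF = 0x1BE
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(sector0: bytes) -> List[Dict[str, int]]:
    """Return the non-empty primary partition entries, or [] if 0x55AA is missing."""
    if len(sector0) < SECTOR or sector0[0x1FE:0x200] != b"\x55\xAA":
        return []
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector0, off)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "lba_start": lba,
                          "sectors": count, "bootable": boot == 0x80})
    return parts


def detect_encryption(sector0: bytes) -> Optional[str]:
    """Name the product whose indicator appears in sector 0, else None."""
    for marker, product in INDICATORS.items():
        if marker in sector0:
            return product
    return None


def triage_disk(sector0: bytes) -> Dict[str, object]:
    """One record per disk: product hint plus whatever partition table is readable."""
    return {"encryption": detect_encryption(sector0),
            "partitions": parse_partitions(sector0)}


def triage_disks(disks: List[bytes]) -> List[Dict[str, object]]:
    """Examine every disk individually, as the chapter says EnCase does; a product
    that marks only the boot disk's MBR leaves the other disks with no indicator."""
    return [triage_disk(s) for s in disks]


def make_sector(marker: bytes = b"", partition: bool = True) -> bytes:
    """Constructed sample sector 0 (not taken from any real disk)."""
    buf = bytearray(SECTOR)
    buf[0x10:0x10 + len(marker)] = marker  # marker at an arbitrary offset
    if partition:
        # One bootable NTFS-type (0x07) partition starting at LBA 2048.
        entry = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
        buf[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    buf[0x1FE:0x200] = b"\x55\xAA"
    return bytes(buf)


if __name__ == "__main__":
    # disk0 carries the SecureDoc indicator; disk1 is an ordinary second disk.
    for i, rec in enumerate(triage_disks([make_sector(b"WMSD"), make_sector()])):
        print(f"disk{i}: {rec}")
```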
Each SecureDoc user has a key file which can contain multiple keys encrypted using a password
associated with the file.
l Administrators can encrypt/decrypt drives, reset passwords, add keys to a key file, etc.
l Users can change their passwords only.
l SDForensic.dll
l SDC.dll
l SDUser.dll
Note: The 32-bit version of EnCase supports the integration.
The disk view shows encrypted information in the Text and Hex panes for encrypted drives.
Note: To obtain decrypted data, perform a local acquisition on the result of the
remote acquisition by providing the correct credentials.
1. Connect a WinMagic SecureDoc managed SED to the forensic workstation. Only the
128MB Master Boot Record shadow file system is available to the OS.
To decrypt, you need a cert file for your dongle to activate the EDS module in EnCase, and you
will need two DLLs that can only be obtained if you have access to a licensed copy of
GuardianEdge. These DLLs can be found under C:\Program Files\GuardianEdge.
l The EPCL32.dll file placed in the \lib\PC Guardian-Guardian Edge\EPHD folder in your
EnCase installation.
l The EPcrypto.dll file placed in the \lib\PC Guardian-Guardian Edge\EPHD folder in your
EnCase installation.
l Username
l Password
l The EPCL32.dll file placed in the \lib\PC Guardian-Guardian Edge\EAHD folder in your
EnCase installation.
l The EAECC.dll file placed in the \lib\PC Guardian-Guardian Edge\EAHD folder in your
EnCase installation.
l Username
l Password
l Domain
Upon previewing an encrypted device or adding a physical evidence file of an encrypted device,
EnCase prompts for the credentials. Once the correct credentials are added, the file and folder
structure of the device is displayed unencrypted.
EnCase also supports decryption for Symantec Endpoint Encryption, the successor product to
GuardianEdge encryption products. To view supported versions of Symantec
Endpoint Encryption, see Symantec Endpoint Encryption Support on page 737.
l AES128
l AES256
the examiner machine: a 32-bit examiner machine requires 32-bit DLL files, and a 64-bit
examiner machine requires 64-bit DLL files.
The following DLL files are required to decrypt an SEE encrypted device on a 32-bit examiner
machine:
l EAECC.dll
l EPCL32.dll
The following DLL files are required to decrypt an SEE encrypted device on a 64-bit examiner
machine:
l EAECC.dll
l EPCL.dll
Note: The version of the EAECC.dll must match the product version of SEE.
In addition to the above, you may need to install the following if they are not already present
on the system:
You can obtain the DLL library you need from the SEE installation folders on the client machine.
1. Make sure you have the EnCase Decryption Suite module with PC Guardian support
installed. Check by selecting Help > About....
2. In the domain field, enter EA#DOMAIN as the client administrator account.
PC Guardian-Guardian Edge\EAHD\EAECC.dll
PC Guardian-Guardian Edge\EAHD\EPCL32.dll
PC Guardian-Guardian Edge\EAHD\msvcp71.dll
PC Guardian-Guardian Edge\EAHD\msvcr71.dll
PC Guardian-Guardian Edge\EAHD\EPCL32.dll
PC Guardian-Guardian Edge\EAHD\EPcrypto.dll
If you are using a GuardianEdge Overall Authority (GEOA) account, you must use EA#DOMAIN
for the domain.
o PGPsdk.dll
o PGPsdk.dll.sig
5. Place these four files in your EnCase Forensic installation folder:
[Encase_Installation_Dir]\Lib\PGP\WDE
Once these files are added to the correct folder, you can decrypt evidence encrypted with
Symantec Endpoint Encryption.
To use Sophos SGN, you must obtain keys from a forensic administrator.
Decrypting a Disk
To decrypt a disk containing Sophos SGN encrypted partitions:
1. Open the SafeGuard Management Center to create a virtual client on the Sophos SGN
server.
2. The SafeGuard Management Center is displayed.
3. Select the Keys and Certificates option from the left navigation pane.
4. The Keys and Certificates section is displayed.
5. Under Keys and Certificates select Virtual Clients.
6. Virtual Clients is displayed in the right pane.
7. Select Actions > Add Virtual Client.
A Challenge/Response session is initiated to get the plain KEK whose ID was selected
previously from the Sophos SGN server.
To populate the EnCase Challenge/Response dialog with data obtained from the Sophos SGN
website, complete the steps described in the following section.
The plain DEK of the partition is derived from the KEK obtained previously, which decrypts the
sector data.
1. Return to the EnCase Challenge/Response dialog and enter the response codes obtained
from the Sophos SGN website in the Response Code fields.
2. Click OK to complete the challenge/response data collection process.
3. The plain DEK identified by the selected key ID is returned.
l AES192
l AES256
l DES
l 3DES
1. In the SGE credentials dialog, enter a username but leave the password field blank.
2. Click OK.
3. A Challenge Response dialog is displayed with the challenge code in blue/bold font. Keep
this dialog open while performing the next steps.
4. Log in as Administrator. Click the Windows Start button, then click All Programs
> Utimaco > SafeGuard Easy > Response Code Wizard.
5. The Welcome dialog is displayed.
6. Click Next to begin generating a one time password (OTP). The Authorization Account
dialog is displayed.
7. Click Next. The Remote User ID dialog is displayed.
8. Enter the User ID that was used to derive the challenge code, then click Next.
9. The Challenge Code dialog is displayed. Enter the challenge code generated by EnCase
from step 3.
10. Click Next. The Remote Command dialog is displayed.
11. Select One time logon, then click Next.
12. The Summary dialog is displayed with the response code displayed in blue/bold font.
13. In the EnCase dialog from step 3, select the code length and enter the response code to
enable decryption of the selected encrypted evidence.
In contrast, EnCase examines each hard drive individually. This creates a problem:
l SafeGuard Easy overwrites the Master Boot Record (MBR) of the boot disk only.
l Only the boot disk is detected as encrypted and then decrypted (when the correct
credentials are entered).
This means EnCase support for SafeGuard Easy is limited to decrypting only the boot disk,
because this is the only drive detected as encrypted by examining the MBR.
WORKAROUNDS
There are two workarounds for this problem.
The information in the newly restored kernel gives you access to disk 2.
To enable EnCase Forensic to identify and decrypt Dell Data Protection Enterprise/Credant
Mobile Guardian files:
There are two scenarios for decrypting files that have been encrypted with Dell Data Protection
Enterprise/Credant Mobile Guardian:
1. The dialog populates with a known user name and password, Server, Machine ID, and
Shield Credant ID (SCID). If the credentials are correct, Dell Data Protection
Enterprise/Credant Mobile Guardian files are processed and decrypted with no further action
needed.
o If the registry file is unencrypted, then the Server, Shield CID, and Machine ID are
prepopulated for the boot volume disk.
o In an offline scenario, the Online checkbox is blank and the Machine ID and SCID
fields are unavailable.
2. Save the case when a successful decryption is complete. The credentials entered in the
dialog are stored in Secure Storage, eliminating the need to re-enter them.
l Confirm that your EnCase Forensic license includes the EnCase Decryption Suite (EDS).
EDS is included with EnCase Forensic in most countries.
l Download and run the Credant Installer on your examiner machine. You can obtain the
installer from OpenText My Support. The installer places required Credant DLLs and the
CEGetBundle.exe application in the EnCase Forensic \EnCase8\Lib\Credant
Technologies\CMG subdirectory of your examiner machine.
l Obtain the URL for the Dell Data Protection Enterprise/Credant Mobile Guardian Device
Server.
l Obtain an Administrator username and password.
o The Dell Data Protection Enterprise/Credant Mobile Guardian administrator must
have privileges specific to the version of Dell Data Protection Enterprise/Credant
Mobile Guardian used with the encrypted files.
1. From a computer that can communicate with the Dell Data Protection
Enterprise/Credant Mobile Guardian Server, run the CEGetbundle.exe utility from the
Windows command prompt.
o CEGetBundle.exe is included in the Credant Installer, which also installs the DLLs
necessary for the decryption.
o Copy the integration DLLs and MAC file to the target device.
o Supply the parameters as follows:
CEGetBundle [-L] XURL -aAdminName -AAdminPwd [-DAdminDomain] [-dDuid] [-sScid] [-uUsername] -oOutputFile -oOutputFile -IOutputPwd
2. Place the .bin file downloaded from the Dell Data Protection Enterprise/Credant Mobile
Guardian server in a path accessible from the examiner machine. Open EnCase Forensic
and create a new case or open an existing one. EnCase Decryption Suite must be installed
on the Examiner machine.
Note: In legacy mode, you must execute this utility for each user targeted for
investigation on the target device while specifying the same output file. The keys for
each user are appended to this output file.
3. Acquire a device with Dell Data Protection Enterprise/Credant Mobile Guardian
encrypted files, or load an evidence file into the case. The Enter Credentials dialog is displayed,
prompting you for the username, password, server/offline server file, machine ID, and
Shield Credant ID (SCID) information only.
Note: In offline mode, the only information you must provide is the password and
server/offline server file (full path and filename to the .bin file downloaded using the
CEGetBundle.exe utility).
When EnCase decrypts Dell Data Protection Enterprise/Credant Mobile Guardian files, the key
information is placed in Secure Storage within EnCase Forensic, and saved with the case. You
do not have to re-enter this information.
To enable EnCase Forensic to identify and decrypt Dell Full Disk Encryption:
1. Obtain a whole disk recovery key from the Remote Management Console.
2. Mount the evidence, and provide the whole disk recovery key when prompted.
The current version of Dell Data Protection supports the following modes:
l Microsoft EFS files that have already been decrypted. See Analyze EFS on page 711.
l An EnCase Forensic machine with EnCase Decryption Suite and Credant DLLs installed.
l The CredDB.CEF file residing in the folder. This is essential, since it contains the
information needed to get to the decryption key.
o If the file is encrypted, the CredDB.CEF stream is automatically stored with the file
as metadata.
o If the file is decrypted, the CredDB.CEF stream is not automatically stored, as it is
not needed. This does not prevent you from storing the stream by specifically saving
it to the LEF.
Note: If an encrypted file is decrypted and added, this is noted and displayed in the
report.
There are two scenarios for using McAfee EE in EnCase: Online and Offline. Both are described
in the following sections.
Upon connecting, EnCase analyzes the Master Boot Record to detect the McAfee Endpoint
Encryption boot signature, then a dialog is displayed.
ONLINE SCENARIO
Check Online and supply this information:
The Keycheck ID is pre-populated, as read from the device. The keycheck uniquely
identifies the device.
OFFLINE SCENARIO
Clear the Online checkbox and get the recovery file either directly from the ePolicy
Orchestrator (ePO) server or by using RequestMachineKey.exe from a machine that can
access the ePO Server.
When using the offline method, enter the recovery file in the McAfee Endpoint Encryption
Recovery File field.
When using either the Online or Offline method, EnCase stores the credentials entered in the
dialog in Secure Storage, eliminating the need to re-enter them.
When decryption is successful, results display in the Tree pane. Save the case.
l In online mode, EnCase Forensic automatically identifies Vera encrypted files and
prompts for the user configuration file. Next, EnCase Forensic communicates directly to
the Vera portal via the internet to obtain the appropriate decryption keys. Online mode is
the default decryption mode.
Note: To prevent EnCase Forensic from prompting to decrypt new files, check
Offline Mode in the Vera Credentials dialog or under Vera Encryption in the Tools
drop down menu. To trigger the Vera Credentials dialog after it has been
canceled, uncheck Offline Mode. Then close and reopen the Evidence view.
l In offline mode, EnCase Forensic is operating on a machine that is not connected to the
internet. In this mode, you are not automatically prompted to provide Vera configuration
files. Instead, Vera configuration files are manually exported from the offline machine and
transferred to a separate online machine that obtains the appropriate decryption keys
via the internet using the VeraEx command line utility. Decryption keys are then
transferred back to the offline machine running EnCase Forensic and are imported into the
case.
1. On the online machine, navigate to OpenText My Support and sign into your account.
2. Open the folder that contains your version of EnCase Forensic.
3. Download and run VeraInstaller.exe on both the online and offline machines.
For more information about decryption keys, see the Secure Storage Tab section.
1. In the Tools drop down menu under Vera Encryption, select Export Entries.
2. Specify an output file name and path for the .JSON configuration file.
3. Transfer the configuration file to C:\VeraEx on the machine with online access to the
Vera portal. If the VeraEx utility was installed to a different location, use that path
instead.
4. On the machine with online access, open Windows Command Prompt as an
administrator and navigate to C:\VeraEx.
5. Execute the following command:
VeraEx.exe /cfg:{ExportFileName}.json /out:{ImportFileName}.json
See Using the VeraEx Utility for a complete list of commands.
6. Transfer the Vera decryption key to the machine running EnCase Forensic.
7. On the machine running EnCase Forensic, navigate to Vera Encryption in the Tools drop
down menu, and select Import Entries.
8. Select the file that was transferred in step 6. EnCase Forensic decrypts the files and saves
the configuration files and decryption keys in Secure Storage. For more information
about decryption keys, see the Secure Storage Tab section. If the file cannot be
decrypted, you are prompted to locate the appropriate decryption key.
Option          Description
/?              Display command information and usage.
/cfg:filename   Specifies the full path and file name of the Vera connection and
                configuration file associated with documents referenced in the
                specified export files. This option may be specified more than
                once. Wildcard characters ? and * may be used in the file name
                to specify all matching files. At least one Vera connection and
                configuration file must be specified or loaded from an export file.
/out:filename   Specifies the full path and file name of the output file that will
                contain the extracted Vera document metadata and keys.
EnCase Forensic does not parse CoreStorage volumes present on physical images.
1. Add an APFS encrypted image to your case using one of the following methods:
o Preview the hard drive
o Use the Add Device wizard
o Drag evidence files into EnCase Forensic
2. Mount the evidence by clicking on the device name. When APFS encryption is detected,
the Enter Password dialog window appears.
3. Type the password and click OK. The image is decrypted and the password is stored in
Secure Storage.
Note: APFS volumes are independently encrypted, so you are prompted to enter
the decryption password for each encrypted volume, even if the volumes share the
same password.
The macOS compatible agent needs to be deployed to the target machine. The default location
is in your SAFE installation folder under …Agents/osxintel/installer/installer.zip.
1. Navigate to the SAFE directory that contains the zip for macOS.
2. Run the following command to unzip the package: unzip installer.zip
3. Copy installer.pkg to the target machine.
4. Run the following command to install and run the agent:
installer -pkg ./installer.pkg -target /
The number of devices on your target machine may differ from the screenshot above, but it
will use the same disk labeling convention. Devices labeled disk[#] are containers that hold
system information about the APFS volumes within. APFS volumes share the same disk
number, with the added s[#], such as disk0s1.
If a volume is encrypted, EnCase should detect the APFS encryption and prompt you for your
FileVault password.
In this scenario, adding disk0 will result in parsing two partitions: disk0s1 (the C drive) and
disk0s2 (a container):
You can view the disk structure on the target machine within macOS to match the structure
provided in the SAFE Network Preview:
2. Click on the Sidebar menu at the top left corner and select Show All Devices. The sidebar
expands to show containers and volumes for this device.
3. Verify that the device name selected in Disk Utility matches the device you have mounted
using the SAFE Network Preview.
DECRYPTING CONTAINERS
EnCase Forensic parses the volumes selected during the SAFE Network Preview. If one or more
of the volumes are encrypted, you are prompted to enter the FileVault password. After the
volume is parsed, the password is stored in SecureStorage for future use.
It is not necessary for FileVault to be enabled on a target machine to view data. However,
issues may arise when examining a machine that has FileVault turned on.
This section shows you how to enable FileVault on a target machine and view a list of users
who have been enabled for FileVault decryption. Authentication issues are sometimes the
reason why an APFS encrypted volume fails to decrypt.
Enable FileVault on the target machine and specify an account for decryption:
4. Click on the lock icon in the lower left corner of the dialog. A password dialog displays.
5. Enter the Administrator’s password.
6. Click Turn on FileVault. You are presented with a list of users associated with this
machine.
7. Click on the Enable User button for the account that will access FileVault. A new dialog
appears, presenting you with different methods to unlock your disk.
8. Select the option to use a recovery key. You will be asked to log in with the key, and the
machine will restart.
If FileVault has been enabled on the target machine, it may be possible that your user has not
been properly authorized, or that the adminuserrecoveryinfo.plist file has not been
updated. After you have enabled FileVault, perform the following steps:
5. Compare the output of this list to the list displayed in step 7 of Troubleshooting FileVault
Accounts to verify that the correct users have been enabled for FileVault.
You must have PFX (PKCS 12 standard) certificates installed prior to parsing. PST, EDB, and
MBOX mail containers are supported.
5. Enter the path to the PFX certificate and the password, then click OK.
The certificate is stored in Secure Storage under E-Mail Certificates folder when the proper
password is entered. After you import the required certificates into Secure Storage, you can
parse the email container files using the View File Structure feature in the Entry View.
The Artifacts tab lets you view and work with content.
l A Whole Disk Recovery Token (WDRT) from the PGP Universal Server
l An Additional Decryption Key (ADK) from the client machine
l The user's passphrase
Note: The PGPEnCase.dll resides in the installation folder of EnCase (typically
C:\Program Files\EnCase8\lib\PGP\WDE). When using ADK
authentication, the PGPEnCase.dll should be copied to the same location.
2. Click the Users tab to go to the Internal Users page. Note which user displays the
Recovery icon associated with a user name.
3. Click the user name associated with the Recovery icon. The Internal User Information
page is displayed.
4. Click the Whole Disk Encryption button to see the machine associated with this user.
5. Click the WDRT icon.
6. The Whole Disk Recovery Token page is displayed. Note the token key consisting of 28
alphanumeric characters.
7. In EnCase, enter the token key in the Whole Disk Recovery Token field of the PGP Whole
Disk Encryption credentials dialog, then click OK.
Note: You can enter the token key with or without dashes.
2. Click OK.
The EnCase suite can decrypt encrypted Notes Storage Facility (.nsf) documents and send
them to recipients within the same Domino server.
It also has an NSF file that represents the user's mailbox in 8.3 format in the default path
<domino installation folder>\data\mail\<user>.nsf.
Each Domino server user has a corresponding NSF file representing that user's mailbox in 8.3
format. The default path is <Domino Installation Folder>\Data\Mail\<user>.nsf.
The Lotus Notes client is set up to use the local mailbox. Synchronization between the local
and server mailboxes occurs according to a replication schedule determined by the Domino
administrator.
Encryption of the local mailbox is not mandatory but it is advisable, because without
encryption a person familiar with the NSF file structure could read email without needing Lotus
Notes.
1. Obtain the corresponding ID file from the Domino server. All user ID files are backed up
on the server either on disk as a file or in the Domino directory as an attachment to
email.
2. Parse it using View File Structure, so that the private key is inserted in Secure Storage.
Encrypted Block
The example below shows an encrypted block at offset 0x22000:
The decryption algorithm uses a seed that is based on the basic seed from the header and the
block offset.
Decrypted Block
The example below shows an example of a decrypted object map at offset 0x22000:
If the corresponding ID file cannot be parsed successfully, the Secure Storage is not populated
with the data needed to parse the locally encrypted NSF; thus, the Lotus volume is empty.
For versions of Windows prior to Vista, you must install Microsoft Windows Rights
Management Services Client 1.0 (SP2) before running the RMS standalone installer.
EnCase stores the credentials you entered, so you do not need to enter them again.
MSO
1. Right-click the MSO protected file you want to decrypt (that is, a Word document created
with Office 2003), then click View File Structure. The View File Structure dialog is
displayed.
2. Select the Find RMS Content checkbox, then click OK.
3. The Microsoft RMS SuperUser Credentials dialog is displayed.
4. Enter a username and password, then click OK.
5. EnCase decrypts RMS protected files in the volume.
EnCase stores the credentials you entered, so the next time you do not need to enter them
again.
OPC
1. Right-click the OPC-protected file you want to decrypt (that is, a Word document created
with Office 2007), then click View File Structure. The View File Structure dialog is
displayed.
2. Follow steps 2 through 5 in MSO, above.
1. Right-click the PST file, then click View File Structure. The View File Structure dialog is
displayed.
2. Select the Find RMS Content checkbox, then click OK.
3. The Microsoft RMS SuperUser Credentials dialog is displayed.
4. Enter a username and password, then click OK.
In Windows 2000, however, the Master Key is protected by the user’s password hash with a
mechanism that slows down any attack. The Master Key protects the user’s private key, and
the user’s private key protects a key within the $EFS stream that allows for decryption of the
EFS encrypted file.
Dictionary Attacks
Software implementing the dictionary attack method usually uses a text file containing a large
number of passwords and phrases. Each is tried in turn in the hope that one of the words or
phrases in the file will decrypt the data involved.
A large number of dictionary files (sometimes called word lists) are on the Internet, or you can
create your own list. Creating your own list may be preferable if the person under investigation
has particular interests that can be included in the list.
The web has freeware utilities you can use to create a dictionary from combinations of letters,
numbers, and characters up to a predefined length. A search engine search for "Free Wordlist
Generator" yields a number of options.
EDS can attack NT-based user account passwords and cached net logon passwords using a
dictionary attack.
Built-In Attacks
Specific items have associated passwords. If they are not automatically retrieved, you can use
a trial and error mechanism.
l Local users
l Network users that logged on (cached domain users)
l Syskey (password mode only)
l Master Key, if the user’s SAM or domain cache can’t be accessed (due to corruption,
account deletion or Syskey protection). This is much slower than attacking Local/Network
Users.
EXTERNAL ATTACK
Local users can be attacked with third party tools, including freeware tools, whose performance
is much greater than that of EnCase because they can run on many computers at the same time
and/or use rainbow tables. EnCase can export the local users' password hashes in the
PWDUMP format that most tools read. This is done from the User List:
The User List of Secure Storage displays Local Users, Domain Users, Nix Users, and/or Nix
Groups from the local machine or evidence file. Information includes:
INTEGRATED ATTACK
Words to be tested may be derived from three sources:
Depending on the settings, a dictionary attack can test thousands of passwords contained in a
dictionary file in a very brief time frame. It is usual to try a dictionary attack first, then progress
to a brute force attack if the password(s) cannot be found.
Any information concerning the possible structure/character length of the password helps
dramatically.
CHAPTER 18
VIRTUAL FILE SYSTEM
Overview 775
Overview
The Virtual File System (VFS) module enables investigators to mount computer evidence as a
read-only, offline network drive for examination through Windows Explorer. The feature allows
investigators several examination options, including using third-party tools to examine
evidence served by EnCase.
The VFS module enables the use of third-party tools against hard drives previewed through a
FastBloc device or a crossover cable, including deleted files.
You can mount evidence at one of four levels; however, you can designate only one mounting
point at a time. To change the mounting point, you need to dismount the evidence and
mount at a new level to include the desired devices.
The four evidence mounting levels and associated VFS capabilities include:
Using the Server extension, you can also mount evidence to be shared with other investigators
through a LAN. The Virtual File System Server is discussed later.
To mount a single drive or device in a case file or a single volume or folder on a drive, click
Device > Share > Mount as Network Share.
Since VFS is mounting the evidence as a network shared drive, a local port must be assigned.
To allow recovery from errors in Windows, the VFS service runs for the life of the Windows
session. This means that the port number can be assigned the first time the VFS service is run
to mount evidence. Afterwards, the port number is grayed out and the assigned port number
cannot be changed.
1. On the Server Info tab, set the local port or use the default setting.
2. Set the Max clients allowed, up to the maximum number of clients purchased for VFS.
Note: The Windows session must be closed to assign a new port number.
3. Click the Client Info tab to set the volume letter to be assigned to the network share in
Windows Explorer.
4. Windows Explorer assigns the next available volume letter by default. You can also use
any other unassigned letter.
Assigning a specific volume letter can be useful when attempting to virtually reconstruct
a mapped network drive, such as for a database.
If you currently have mapped networked drives or if you allow Windows to assign the
drive letter, it takes a few seconds for Windows to query the system to find an available
drive letter.
A confirmation dialog informs you that the mount was successful with the volume letter. The
"shared hand" icon is displayed at the level you designated as the mount point for the shared
drive.
You can mount at the device, volume, or folder level with VFS. To do this:
1. Select the Entry you want to mount in the entry window. Click Device > Share > Mount
As Network Share.
2. The Windows Explorer view of the mounted entry is displayed.
Compound Files
You can mount several different compound files, including Microsoft Word, Excel, Outlook
Express, and Outlook, in the EnCase interface.
This is an example of an encrypted evidence file when VFS is used in conjunction with EDS:
This is a view of the encrypted file in its decrypted state when using VFS in conjunction with
EDS:
For more information on using EDS to decrypt EFS protected files and folders, see EnCase
Decryption Suite.
RAIDs
You can browse RAIDs mounted inside EnCase in Windows Explorer. In this example, a
software RAID 5 comprised of three drives was mounted, then made available for browsing in
Windows Explorer with Virtual File System.
Deleted Files
The Virtual File System module lets you view deleted and overwritten files in Windows
Explorer.
An investigator may locate a file in Windows Explorer to view or analyze and find that it is not
possible to open the file. If a file does not open, review the original data in the EnCase interface
to see if the file is valid, and is not corrupted or partially overwritten.
For investigators, this means the RAM (sector) slack and drive (file cluster) slack are not
available to third-party tools through the Virtual File System in Windows Explorer as a single
file. However, you can access the data in slack with third-party tools.
1. Launch EnCase.
2. Open a new case.
3. Click Add evidence > Add Local Device to load the device.
4. Click Next to read the available local devices.
5. Clear any checkmarks from the Read File System column.
When the device is loaded into EnCase, the partition and file system are not read and
interpreted. You can then mount the entire device with VFS and have it be available for
examination in Windows Explorer as unused disk area, including slack space.
Another option is to copy only slack area from evidence to the examination computer as a
logical file.
The file containing the slack from the evidence is now available for examination by third party
utilities on the local examination machine.
In this example, the /(root) partition is represented by the high-dot. The /home partition is
represented by ∙home.
In this example, the /(root) partition of a Solaris workstation is mounted and the parent
folder name (the partition name) is displayed as the high-dot.
Note: Windows has a limit of 264 characters in a full path and file name. This
limitation may impact some examinations in Windows Explorer, especially for Unix
and Linux devices. In this situation, the investigator may need to mount at the
partition or folder level.
1. Double-click the Virtual File System thread bar at the bottom right of the screen, then
click Yes.
2. The thread bar at the bottom right disappears, indicating the evidence was successfully
dismounted.
Note: Be sure to dismount evidence that is served through VFS before closing
EnCase. A reminder message is displayed if you try to close the case or EnCase while
evidence is mounted with VFS.
When an investigator selects a folder in Windows Explorer, the data is served by EnCase and
displayed in Windows Explorer. As you browse directories in Windows Explorer, the file names
populate in the VFS Name column, so an investigator can determine which file is being
examined. EnCase appends a pound sign (#) to the end of duplicate filenames in the same
folder in Windows Explorer.
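Both points above (the 264-character path limit and the pound sign appended to duplicate names) can be checked before mounting. The Python script below is an added example, not EnCase code or part of this guide: it takes a constructed list of POSIX paths from a Unix or Linux volume, predicts the Windows path each would receive under an assumed drive letter, flags paths over the guide's 264-character limit, and suggests the shallowest folder at which the mount would keep every path within the limit. It assumes that names differing only in case collide in Windows Explorer, and that a third or later duplicate gets one more pound sign each; the guide documents only the single-pound-sign case.

```python
"""Preview how evidence paths will appear once mounted through VFS.

Added example (Python), not EnCase code. Assumptions: drive letter V:,
case-insensitive collisions, and one extra '#' per additional duplicate.
"""
from __future__ import annotations

MAX_WINDOWS_PATH = 264  # limit quoted in the guide


def windows_name(name: str, seen: dict[str, int]) -> str:
    """Name Windows Explorer would show for one entry within a single folder.
    The first occurrence keeps its name; each later duplicate gets an extra '#'."""
    key = name.casefold()            # Windows compares names case-insensitively
    count = seen.get(key, 0)
    seen[key] = count + 1
    return name + "#" * count


def preview_mount(entries: list[str], drive_letter: str = "V") -> list[dict]:
    """Map POSIX evidence paths to the Windows paths VFS would present when the
    whole volume is mounted, and flag any that exceed MAX_WINDOWS_PATH."""
    seen_per_folder: dict[str, dict[str, int]] = {}
    records = []
    for path in entries:
        folder, _, name = path.rpartition("/")
        shown = windows_name(name, seen_per_folder.setdefault(folder, {}))
        win_path = f"{drive_letter}:" + (folder + "/" + shown).replace("/", "\\")
        records.append({"evidence_path": path, "windows_path": win_path,
                        "too_long": len(win_path) > MAX_WINDOWS_PATH})
    return records


def suggested_mount_point(entries: list[str], drive_letter: str = "V") -> str | None:
    """Shallowest common ancestor at which every entry fits the path limit.
    '' means the volume itself can be mounted; a folder path means mount at that
    folder level, as the guide advises; None means no common ancestor fits."""
    if not entries:
        return ""
    folder_parts = [p.split("/")[1:-1] for p in entries]
    common: list[str] = []
    for parts in zip(*folder_parts):
        if len(set(parts)) != 1:
            break
        common.append(parts[0])
    for depth in range(len(common) + 1):
        mount = "".join("/" + c for c in common[:depth])
        # Relative path keeps its leading '/'; swapping '/' for '\' keeps length.
        longest = max(len(f"{drive_letter}:") + len(p[len(mount):]) for p in entries)
        if longest <= MAX_WINDOWS_PATH:
            return mount
    return None


# Constructed sample: a case-sensitive /home tree with three 'readme' variants
# and one deeply named file that overflows the limit when mounted at the root.
SAMPLE_ENTRIES = [
    "/home/user/Readme",
    "/home/user/README",
    "/home/user/readme",
    "/home/user/" + "a" * 120 + "/" + "b" * 130 + ".txt",
]

if __name__ == "__main__":
    for rec in preview_mount(SAMPLE_ENTRIES):
        flag = "  <-- exceeds limit" if rec["too_long"] else ""
        print(f'{len(rec["windows_path"]):3d} {rec["windows_path"][:60]}{flag}')
    print("suggested mount point:", suggested_mount_point(SAMPLE_ENTRIES) or "(volume)")
```

For the constructed sample the three readme variants become Readme, README# and readme##, the long path comes out at 268 characters when mounted at the volume level, and mounting at /home brings it under the limit.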
1. Mount the evidence through VFS either locally on the examiner machine, or remotely
through the VFS Server.
You can mount the evidence at the device, volume, or folder levels as described
previously. The "shared hand" icon indicates the level of the virtual file system mount.
In the example below, the Symantec AntiVirus Scan for Viruses option is run by right-clicking
the drive.
The antivirus software can read the Virtual File System presented to Windows Explorer. The
requested data is served by EnCase to Windows Explorer, then to the program for scanning.
The examination reports and logs generated by the third-party tools can be reviewed and
included in the investigator's report.
- Double-click a file served by VFS to open the data with the program assigned according to
the file extension.
3. Select the desired extension. The Details for section lists the program designated for that
extension.
4. Click Change.
5. Select or browse to the new program.
WordPad can open most text-based files to let you view the contents.
When you open a file mounted with Virtual File System in Windows Explorer with a third-party
tool, the Windows operating system controls the temporary file creation on the operating
system drive. Remember to check the Windows Temp folder to perform any necessary
post-examination cleanup.
VFS Server
The Virtual File System module has a server extension so that investigators can share the
mounted evidence with other investigators on the local area network through VFS. The
extension lets clients mount the network share served by the VFS Server through a network
connection, under the following conditions:
- Only the machine that is running the VFS Server needs a security key (dongle) inserted.
A security key is not required to connect to the VFS Server and access the served data in
Windows Explorer.
- The client machine(s) must have EnCase installed to access the VFS client drivers, but can
run in Acquisition mode.
The number of clients that can connect to the VFS Server depends upon the number of
VFS Server connections purchased. This information is contained in the VFS Certificate or
is programmed into the security key.
To determine if the VFS Server is enabled and to view the number of available client
connections:
1. On the VFS Server machine (with the security key inserted), open EnCase.
2. Open the case file(s).
3. Select the appropriate VFS mount point level:
o Case
o Drive/device
o Volume
o Folder
5. Since this is the VFS Server machine, select Establish local server for the location on the
Server Info tab.
6. Enter a Port number or use the default: 8177. The Server IP Address is grayed out since
the server's IP address is the one assigned to the machine where the mount is taking
place.
7. Note the server machine's IP address for use with the client.
8. Set the maximum number of clients who can connect to the server. The default is the
maximum allowed by your VFS Server certificate.
Since VFS is mounting the evidence as a networked shared drive, the serving port must be
assigned. To allow recovery from errors in Windows, the VFS service runs for the life of the
Windows session from that port.
The VFS Server can also serve the data locally to the investigator's machine. It uses one of the
server connections.
1. Select Allow IP Range and specify the high and low IP values.
o If you are serving the share to remote clients only, clear Mount share locally. The
volume letter is disabled.
The VFS Server mounts the share and allows connections on the assigned port. The shared
hand icon is displayed at the VFS mount point. You can continue your examination while it is
shared. Performance depends on the size and type of the examined evidence, processing
power of the server and client machines, and the bandwidth of the network.
On the client machine, the share is available in Windows Explorer as gsisvr with the assigned
drive letter. The shared computer evidence can be examined as previously described.
A confirmation window reports that the evidence is dismounted and the connection closed.
The shared hand icon is removed, indicating that Windows Explorer has disconnected the
shared drive. Close EnCase on the client computer.
On the VFS Server machine, when all clients are finished and have dismounted the share, close
the VFS Server.
1. Double-click the flashing Virtual File System bar in the lower right corner of EnCase.
2. You are prompted to dismount the evidence file. You can now close EnCase.
Make sure the security key is installed and working properly; check the title bar to ensure that
the software is not in Acquisition mode. You do not need to have the security key installed on
a machine connecting to a remote VFS Server.
If you are using cert files, the certificate file is issued for a specific security key. Check the
security key ID to verify it is the correct one issued for the certificate.
Check to see how many machines are connected to the server, and determine how many
clients are permitted to connect to a VFS Server by selecting About EnCase from the Tools
menu on the machine running the VFS Server. Determine the number of allowed clients by
looking at the number listed next to the Virtual File System Server module.
Note: If none of these troubleshooting steps resolves your issue, contact OpenText
Support.
Overview
EnScript is designed to allow a user with some knowledge of programming to access deeper
functionality of EnCase Forensic, automate tasks, and create functional applications that can
be shared with others.
EnScript is an object-oriented language with inheritance, virtual functions, type reflection, and
a threading model.
EnScript supports COM libraries from other applications and enables you to automate
document processing tasks and remote data retrieval through DCOM. You can also integrate
with .NET assemblies in the form of DLL files.
It is a case-sensitive language that ignores any whitespace not part of a quoted string.
EnScript source code is processed internally as Unicode, but is stored as 8-bit text unless
non-ASCII text is present.
You can access EnCase App Central from within EnCase Forensic. Select EnScript > EnCase App
Central from the application title bar to open a browser and be directed to
https://www.guidancesoftware.com/app.
EnScript Programmers
If you are an EnScript programmer, you can sign up to be a member of the EnCase Developers
Network and share your EnScript applications on the EnCase App Central platform. A sign up
form is available on the EnCase App Central home page.
As an EnCase App Central Developer Network developer, you will receive the following:
EnScript Launcher
The EnScript Launcher makes it easier to locate and run EnScripts in EnCase Forensic. The
launcher allows you to set up multiple EnScript databases you can search from a single, helpful
menu.
When the launcher opens for the first time, you are prompted to specify up to two different
file paths. You can update these paths at a later time if needed. The EnScript Launcher queries
both locations for EnScripts when you search.
Once configured, the EnScript Launcher scans the provided paths recursively, keeping them up
to date.
1. In the EnScript dropdown menu, click EnScript Launcher, or use the keyboard shortcut
Ctrl+Shift+R.
2. Enter the desired search term(s) and press Tab. Search results display in the Matching
Scripts area.
3. Use the up and down arrow keys to highlight the required script, then press Enter to
select the script.
The EnScript Launcher retains the list of paths and rescans all designated file paths whenever
loaded by EnCase Forensic at startup. You can also manually edit or view your file paths via the
Edit Paths button or rescan via the Rescan Paths button.
Note: The EnScript Launcher does not check for duplicate script paths. Avoid
entering script paths that overlap. Also, EnScripts run with the launcher do not
display in the MRU list under the EnScript toolbar menu.
CHAPTER 20
PHYSICAL DISK EMULATOR
Overview
The EnCase Physical Disk Emulator (PDE) module allows investigators to mount computer
evidence as a local drive for examination through Windows Explorer. The PDE module permits
investigators to employ numerous options in their examinations, including the use of
third-party tools with evidence served by EnCase.
We are committed to the concept of providing an integrated product to our customers. Third-
party tools continue to be developed to complement the core functions and features of
EnCase, and we encourage their creation and use. PDE allows third-party access to all
supported computer evidence and file system formats. EnCase continues its evolution
towards becoming a server of forensic data, whether in an image file, a preview of an offline
computer or hard drive, or a live machine on a network.
USING PDE
1. Select the device to mount as a physical disk under Entries in the Tree pane in the
Evidence tab and select Device > Share > Mount as Emulated Disk.
2. The Mount as Emulated Disk dialog is displayed.
PDE does not use any other options in the Mount as Emulated Disk dialog Server Info tab.
CACHE OPTIONS
If you select a physical device or volume (not a CD), you can decide whether to cache data. By
default, caching is disabled. Use the write cache if programs require access to the files in an
emulated read/write mode.
When a cache is enabled, changes made by programs are sent to a separate cache file specified
on your local system.
To create a new write cache file for an EnCase Differential Evidence File:
To use an existing write cache file, select Use existing cache and browse to the existing write
cache file in the Write cache path field. Make sure to use a write cache file that was created
with the evidence you are currently mounting.
Caching is necessary for PDE to function with VMware. In this state, Windows caches file
deletions and additions. This is used to boot the drive with VMware as described later in this
section. Caching is also necessary when mounting certain volume types.
CD OPTIONS
If a CD is mounted, EnCase enables the CD Session to view option, which lets you specify which
session on a multi-session CD should display in Windows. The default session is the last
session on the active CD, which is the one usually seen by Windows.
This lets Windows add the evidence file as a drive with its own drive letter.
Note: If using VMware, you must have the physical device number.
Verify that the evidence file has been mounted with a drive letter by browsing in Windows
Explorer. The drive letter lets you use third-party tools.
- Open hidden files: within a Windows folder, select Tools > Folder Options. Click the View
tab and select Show hidden files, folders, and drives.
- View deleted and system files and unallocated clusters.
- Mount an evidence file using the EnCase Virtual File System module.
Files and folders on the mounted device can be used in Windows in the same manner as an
additional drive, although changes will be written to cache (if in use) instead of to the device
itself.
1. In EnCase, click Device > Share > Save emulated disk state.
EnCase saves the cache in the path specified for write caching. An instance number is
appended to the cache file every time you save, after the initial save. You can later use these
cache files to remount the evidence in its saved state, but you must have all of the preceding
cache files located in the same directory.
1. Double-click the flashing Physical Disk Emulator indicator in the lower right of the
application window.
2. Click Yes in the Thread Status window to cancel the disk emulation.
The purpose of the final cache is to create a compressed and merged Differential Evidence File
(*.D01) containing the cached data. Select the Save Emulated Disk State option to have
multiple cache files for the same mounted evidence session. The final cache merges all these
files. If you do not need to save the final file, select Discard final cache.
Use the Differential Evidence File to open the evidence file and view the emulated disk with the
cached changes applied.
After the disk mounts, Windows Explorer reflects the cached changes.
When the device is dismounted, a status screen is displayed indicating the disk dismounted
successfully.
Note: Be sure to dismount evidence that is served through PDE before exiting. A
reminder message is displayed if you attempt to close the case or EnCase while
evidence is mounted with PDE.
When opening a file mounted with PDE in Windows Explorer with a third party tool, the
Windows operating system controls the temporary file creation on the operating system drive,
and any necessary post-examination cleanup is more involved.
1. Open the file served by PDE to have Windows Explorer request and receive the data from
EnCase.
2. Open the data with the assigned program according to the file extension.
MALWARE SCANNING
A common use for EnCase PDE is to mount computer evidence for scanning for viruses,
Trojans, and other malware programs.
1. Mount the drive or volume from the evidence file through PDE.
2. In Windows Explorer, select the newly mounted drive.
If an antivirus program is installed and integrated with Windows Explorer, it can scan for
viruses. The program reads the emulated disk presented to Windows Explorer. EnCase serves
the requested data to Windows Explorer, then to the program for scanning.
Initial Preparation
VMware version 4.5.1, build 7568 or later is required for the Physical Disk Emulator to work
properly.
Windows 2000, XP, and 2003 Server all use the C:\Documents and Settings folder
for user profiles and folders.
Windows NT and 2000 use the C:\WINNT folder for the system root.
Windows 9X, XP and 2003 Server use the C:\Windows folder for the system root.
2. Mount the physical disk containing the operating system using Physical Disk Emulator.
Make sure to enable caching.
3. Determine the physical disk number assigned to it using one of these methods:
Select the Disk Management option: right-click My Computer in Windows, then select
Manage.
Note: A problem may occur with VMware that prohibits VMware from booting a
virtual machine located on a physical disk that is preceded numerically by a SCSI,
FireWire, or USB drive. For best results, ensure that only IDE drives are connected
to the machine when you choose to mount it as an emulated disk in the EnCase
interface. This can be verified in Disk Management.
Note: If you encounter a message stating, "The specified device is not a valid
physical disk device," it is likely a result of this problem. Do not use PDE to mount
drives in an evidence file or preview the local computer. Windows, particularly XP,
fails (displaying a blue screen) if it detects multiple instances of the same drive. Use
only evidence files of other machines.
7. In the Name the Virtual Machine dialog, enter a virtual machine name.
8. Click Browse to change the location for VMware's configuration files, if necessary.
9. Click Next.
10. Specify the amount of memory for VMware to use, then click Next.
11. Select the type of network to use, then click Next.
12. Click Next to accept the default setting in the Select I/O Adapter Types dialog.
13. Select Use a physical disk (for advanced users) and ignore any subsequent warning
messages.
14. Select the disk that represents the mounted drive using PDE.
15. Accept the default setting of Use Entire Disk, then click Next.
16. Accept the default disk file specified in the Specify Disk File dialog, then click Finish.
If the disk file is not recognized as a virtual machine, you can change the name of the file.
Do not change the .vmdk extension.
VMware returns to the main screen, displaying the newly created virtual machine.
1. Start VMware.
2. Click the link for Start this virtual machine next to the green arrow. The evidence file is
write protected by EnCase, but PDE enables a write cache that interacts with VMware as if
it were mounting a disk in read/write mode. When the virtual machine starts, the
operating system is displayed as if the forensic machine were booting the drive. It boots
in the same manner as the native machine.
As with booting restored hard drives, the virtual machine may require a user name and
password to proceed.
Since popups can cause driver problems, save the state of the virtual machine regularly.
WHAT DO I DO IF I SEE THE MESSAGE "THE FILE SPECIFIED IS NOT A VIRTUAL DISK" AFTER RUNNING THE NEW VIRTUAL MACHINE WIZARD?
After completing the new virtual machine wizard in VMware, you may receive an error
message ("The file specified is not a virtual disk."). This issue is with VMware. Running the new
virtual machine wizard again usually resolves this issue.
Instructions for using the snapshot are on the VMware Knowledge Base at
https://kb.vmware.com/selfservice/microsites/search.do?language=en_
US&cmd=displayKC&externalId=1009402. The speed of the suspend and resume operations
depends on how much data changed while the virtual machine was running. In general, the
first suspend operation takes slightly longer than later operations. When you suspend a virtual
machine, it creates a file with a .vmss extension. This file contains the entire state of the virtual
machine. When you resume the virtual machine, its state is restored from the .vmss file.
1. If your virtual machine is running in full screen mode, return to window mode by pressing
Ctrl + Alt.
2. On the VMware Workstation toolbar, click Suspend.
3. When VMware Workstation completes the suspend operation, it is safe to exit VMware
Workstation (File > Exit).
1. Start VMware Workstation and choose a virtual machine you have suspended.
2. Click Resume on the VMware Workstation toolbar.
Note that any applications you were running when you suspended the virtual machine
are running and the content is the same as when you suspended the virtual machine.
You can obtain additional VMware troubleshooting information from their knowledge base at:
https://kb.vmware.com/selfservice/microsites/microsite.do
PDE Troubleshooting
PHYSICAL DISK EMULATOR IS NOT LISTED UNDER MODULES WHEN ACCESSING ABOUT ENCASE FROM THE HELP MENU
If you are using cert files, check to see that the PDE certificate is located in the Certs
directory (typically C:\Program Files\EnCase8\Certs).
Make sure the security key is installed and working properly (check the title bar to
ensure that the program is not in Acquisition mode).
If you are using cert files, check the security key ID to verify it is the correct one issued for
the certificate.
Although menus exist for PDE Server operation, they are currently not functional.
This error message may occur if Windows is accessing a file on the mounted device (for
example, the directory is opened in Windows Explorer or a file is opened in a third-party
application). To resolve the issue, close all Windows applications accessing the mounted
device, then click OK.
This issue is due to the device driver not being released properly. The only way to resolve
this issue is to close all applications (including the EnCase application) and reboot the
forensic machine. You should not encounter the error again when the machine is
rebooted.
Note: If these troubleshooting steps do not resolve your issue, contact OpenText
Support.
CHAPTER 21
FASTBLOC SE
Overview
The following chapter is a guide to help you troubleshoot problems that you may encounter
when using EnCase Forensic. For immediate assistance, contact OpenText Support.
Three modes are available when using the FastBloc SE module on a USB, FireWire or SCSI
device:
- Write Blocked: A write blocked device is protected against writing to or modifying files
when the device is attached to a PC. Files deleted from or added to the device display in
Windows as modified, but the modifications are saved in a local cache, not on the device
itself. This mode does not display errors when attempting to write to the drive.
- Write Protected: A write protected device is protected against writes or modifications
when the device is attached to a PC. If writes or modifications to the device are
attempted, Windows displays an error message.
- None: Removes write blocking from a device previously write blocked.
6. Click Close.
1. Click the New icon on the top toolbar to open a new case and complete the required
information.
2. Click the Add Device icon.
3. Blue check Local Drives in the right pane, then click Next.
In the Choose Devices window, on the write blocked channel, the device and volume (if
present) each have a green box around their icons in the Name column, and a bullet is
displayed in the Write Blocked column for each.
6. Click Close.
1. Select the Safely Remove Hardware icon in the System Tray in the lower right corner of
the task bar. In Windows 7 and Windows 8, the icon is labeled Safely Remove Hardware
and Eject Media.
2. Remove the device physically when the wizard confirms safe removal.
Troubleshooting
THE WRITE BLOCK OPTION DOES NOT DISPLAY IN THE TOOLS MENU
Check that the security key is in the machine. If the security key is missing or not functioning
properly, EnCase opens in Acquisition mode.
Check to see if the subject hard drive is spinning. If the device is connected via an external
drive bay, shut down the computer and try connecting the power connector (not the data
connector) to a Molex® power cable directly from the computer. Restart the computer. If the
drive starts spinning, shut down the computer again and swap cables.
If the subject drive does not spin, or is making unusual sounds (whirring, clicking, etc.), the
drive may be defective and you may be unable to acquire it by usual methods.
If the subject drive is spinning, check the data cables. If you are using an 80-wire cable, try
using a 40-wire cable.
Check the USB or FireWire port to ensure proper functioning. Insert a known good device.
Make sure the port is recognized in Device Manager.
You may have a corrupt version of EnCase. Uninstall EnCase, then download and reinstall the
latest version.
Try to acquire on a different machine. This helps pinpoint the problem, as it may be a
hardware or operating system conflict.
If you are acquiring to external media (that is, the storage media is an external hard drive)
transfer rates are significantly slower than with a directly connected hard drive.
If the forensic machine has an old or slow storage drive, the acquisition is limited by the drive's
write speed.
If you are acquiring a newer drive, an 80-wire cable allows faster throughput. Ensure the
FireWire/USB cable is securely connected at both ends.
If FireWire is not available, use a USB 2.0 connection (USB 2.0 is up to 40 times faster than USB
1.0). In addition, when using USB, limit any other CPU-intensive tasks during the acquisition,
since these contribute to a loss of transfer speed.
Use FireWire ports whenever possible, since the interface is faster than USB.
THERE ARE DIFFERENT HASH VALUES EACH TIME THE DRIVE IS HASHED
This indicates a failing drive. Because the number of sector errors increases each time, hash
values change. Since the first acquisition typically contains the least number of bad sectors,
use the file from that acquisition for analysis.
If the subject drive is in an enclosure when you try to acquire it, it may become hot during the
acquisition. Try removing the drive from the enclosure to keep it cooler. This may reduce the
number of sector errors.
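When two acquisitions of the same drive hash differently, it helps to know how many sectors actually differ and where, before deciding to keep the first acquisition. The Python script below is an added example, not EnCase code or part of this guide: it hashes two images whole, then compares them sector by sector and lists the differing sector numbers. The two images are constructed in memory, and the second pass simulates a drive whose reads fail on a few sectors; that unreadable sectors are returned as zeros is an assumption made for the demonstration. A real run would feed the script the raw data exported from the two evidence files.

```python
"""Localize why two acquisitions of the same drive hash differently.

Added example (Python), not EnCase code. Images are constructed in memory;
the zero-fill of unreadable sectors in the second pass is an assumption.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

SECTOR = 512


@dataclass
class ImageDiff:
    image_hash_a: str
    image_hash_b: str
    sectors_compared: int
    differing_sectors: list[int] = field(default_factory=list)

    @property
    def identical(self) -> bool:
        return self.image_hash_a == self.image_hash_b


def compare_images(img_a: bytes, img_b: bytes, sector_size: int = SECTOR) -> ImageDiff:
    """Hash both images whole, then report every sector whose bytes differ.
    Images of unequal length are handled: sectors present in only one image
    are reported as differing too."""
    h_a = hashlib.sha256(img_a).hexdigest()
    h_b = hashlib.sha256(img_b).hexdigest()
    longest = max(len(img_a), len(img_b))
    total = -(-longest // sector_size)          # ceiling division
    bad = [i for i in range(total)
           if img_a[i * sector_size:(i + 1) * sector_size]
           != img_b[i * sector_size:(i + 1) * sector_size]]
    return ImageDiff(h_a, h_b, total, bad)


def make_image(sectors: int, seed: bytes = b"constructed-drive") -> bytearray:
    """Deterministic constructed image: each sector holds a hash-derived pattern,
    so no sector is all zeros and a zero-filled sector always shows as a change."""
    buf = bytearray()
    for i in range(sectors):
        block = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        buf += (block * (SECTOR // len(block)))[:SECTOR]
    return buf


def simulate_failing_drive(sectors: int, bad_on_second_pass: list[int]) -> ImageDiff:
    """Two passes over the same constructed drive. On the second pass the listed
    sectors fail to read and are stored as zeros (assumption), the way a drive
    with a growing bad-sector count behaves between acquisitions."""
    first = make_image(sectors)
    second = bytearray(first)
    for s in bad_on_second_pass:
        second[s * SECTOR:(s + 1) * SECTOR] = b"\x00" * SECTOR
    return compare_images(bytes(first), bytes(second))


if __name__ == "__main__":
    diff = simulate_failing_drive(64, [7, 40])
    print("whole-image hashes identical:", diff.identical)
    print("sectors compared:", diff.sectors_compared)
    print("differing sectors:", diff.differing_sectors)
```

Two unreadable sectors out of sixty-four are enough to change the whole-image hash; the sector list shows that the rest of the image is intact, which is the evidence an examiner needs to justify keeping the earlier, less damaged acquisition.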
CHAPTER 22
TROUBLESHOOTING ENCASE FORENSIC
Overview
The following chapter is a guide to help you troubleshoot problems that you may encounter
when using EnCase Forensic. For immediate assistance, contact OpenText Support.
If No Cert or No V7 Cert displays in the window title bar, verify that the correct certs are placed
in the License Manager certs folder. If Acquisition displays in the window title bar, the program
has lost contact with your security key. There are several possible causes:
Cause: The security key is damaged.
Action: Order a replacement from OpenText Support.
There may be times when a processing job performs prohibitively slow or becomes
unresponsive. The following steps can resolve these issues:
1. Optimize EnCase Forensic data transfer rate by ensuring all case files, cache files, and
evidence files are on distinct, local drives.
2. Optimize the system cache.
o Go to Tools > Options.
o Select the Debug tab.
o Set Maximum value to 80% of total system RAM in MB. Leave the Minimum value at
1 MB. Select OK.
o Close and restart EnCase Forensic.
3. Perform the steps outlined in the section Removing Previous Files and Artifacts.
4. Verify that your evidence image was generated by an EnCase product. Images generated
by third party applications are not supported.
Be sure to back up all files and folders before performing the following steps:
1. Navigate to C:\Users\%username%\AppData\Roaming\EnCase\.
2. Delete the entire contents of this folder.
3. Navigate to C:\ProgramData\EnCase\.
4. Delete the entire contents of this folder.
5. Uninstall EnCase Forensic.
6. Restart your machine.
7. Install EnCase Forensic, appending the installation path with the product version. See
Installing EnCase Forensic for more information.
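Steps 1 through 4 above delete data, so the backup the guide asks for should happen first and be verified before anything is removed. The Python script below is an added example, not EnCase code or part of this guide: for one folder it archives every file into a zip, checks that the archive is readable and contains every file, and only then empties the folder, returning a record of what was removed. The two folder paths listed as defaults are the ones named in the guide; the archive location, and the constructed sample folder used by demo(), are assumptions.

```python
"""Back up and then empty the EnCase data folders named in the guide.

Added example (Python), not EnCase code. The folder paths in
ENCASE_DATA_FOLDERS come from the guide; the archive location is an assumption.
"""
from __future__ import annotations

import os
import shutil
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path

# Folders named in the guide's cleanup steps. %USERNAME% is expanded by
# os.path.expandvars on Windows only.
ENCASE_DATA_FOLDERS = [
    r"C:\Users\%USERNAME%\AppData\Roaming\EnCase",
    r"C:\ProgramData\EnCase",
]


def archive_folder(folder: Path, archive_dir: Path) -> Path:
    """Write every file under `folder` into a timestamped zip; return its path."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    zip_path = archive_dir / f"{folder.name}-{stamp}.zip"
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(folder.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(folder).as_posix())
    return zip_path


def clear_folder_contents(folder: Path) -> list[str]:
    """Delete everything inside `folder` but keep the folder; return removed names."""
    removed = []
    for child in sorted(folder.iterdir()):
        if child.is_dir() and not child.is_symlink():
            shutil.rmtree(child)
        else:
            child.unlink()
        removed.append(child.name)
    return removed


def backup_and_clear(folder: str | Path, archive_dir: str | Path) -> dict:
    """Archive, verify, then delete: the guide's 'back up first' made enforceable."""
    folder = Path(os.path.expandvars(str(folder)))
    archive_dir = Path(archive_dir)
    if not folder.is_dir():
        return {"folder": str(folder), "skipped": True}
    zip_path = archive_folder(folder, archive_dir)
    # Refuse to delete anything unless the archive is intact and complete.
    with zipfile.ZipFile(zip_path) as zf:
        if zf.testzip() is not None:
            raise RuntimeError(f"{zip_path} failed its CRC check; nothing deleted")
        archived = set(zf.namelist())
    expected = {p.relative_to(folder).as_posix() for p in folder.rglob("*") if p.is_file()}
    if archived != expected:
        raise RuntimeError("archive is missing files; nothing deleted")
    removed = clear_folder_contents(folder)
    return {"folder": str(folder), "archive": str(zip_path),
            "removed": removed, "skipped": False}


def demo(base: str | Path | None = None) -> dict:
    """Run the cleanup against a constructed sample folder inside a temp dir."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="encase-cleanup-"))
    sample = base / "EnCase"                      # constructed stand-in for a real folder
    (sample / "sub").mkdir(parents=True, exist_ok=True)
    (sample / "a.ini").write_text("constructed sample setting\n")
    (sample / "sub" / "b.dat").write_bytes(b"\x00\x01\x02")
    result = backup_and_clear(sample, base / "backup")
    with zipfile.ZipFile(result["archive"]) as zf:
        result["archived"] = sorted(zf.namelist())
    result["remaining"] = [p.name for p in sample.iterdir()]
    return result


if __name__ == "__main__":
    print(demo())
```

Against the real folders, call backup_and_clear on each entry of ENCASE_DATA_FOLDERS with an archive directory on a different drive; a folder that does not exist is reported as skipped rather than treated as an error.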
SUPPORT
OpenText Corporation
275 Frank Tompa Drive
Waterloo, Ontario
Canada, N2L 0A1