
Computer Forensics & Digital Investigation with EnCase Forensic v7 PDF

449 Pages·2014·40.3 MB·English

Preview Computer Forensics & Digital Investigation with EnCase Forensic v7

AppDev / Computer Forensics and Digital Investigation with EnCase® Forensic v7 / Widup / 791-8 / Front Matter

Computer Forensics and Digital Investigation with EnCase® Forensic v7

Suzanne Widup

New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto

00-FM.indd 1 17/04/14 5:12 PM

Copyright © 2014 by McGraw-Hill Education (Publisher). All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of Publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 978-0-07-180792-0
MHID: 0-07-180792-6

e-Book conversion by Cenveo® Publisher Services
Version 1.0

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-180791-3, MHID: 0-07-180791-8.

McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative, please visit the Contact Us pages at www.mhprofessional.com.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

Information has been obtained by Publisher from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, Publisher, or others, Publisher does not guarantee the accuracy, adequacy, or completeness of any information included in this work and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and McGraw-Hill Education ("McGraw-Hill") and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill's prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED "AS IS." McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

eBook 791-8 CR_pg.indd 1 17/04/14 3:46 PM

For My Family and Friends
Without your patience, understanding, and unwavering support, I would never have been able to succeed.

and

For John Hoover, White Knight

About the Author

Suzanne Widup (@SuzanneWidup) has a wealth of experience in security engineering and analysis with a specialty in digital forensics in large enterprise environments. Her current work involves data breach research, including tracking publicly disclosed data breaches in the VERIS Community Database (VCDB). She is the founder of the Digital Forensics Association and the author of The Leaking Vault, a series of papers on publicly disclosed data breaches. Suzanne has served as the technical editor on two books: The Computer Incident Response Planning Handbook and The Computer Forensics InfoSec Pro Guide. She is a co-author of the widely read Verizon Data Breach Investigations Report and a frequent speaker at conferences on this and other topics. Suzanne holds a B.S. in Computer Information Systems from Saint Leo University, and an M.S. in Information Assurance from Norwich University.

About the Technical Reviewer

Joseph W. Shaw II has been working in information security for more than 19 years, with experience in various industry verticals.
He is currently a manager at global professional services organization Alvarez & Marsal, where he provides expertise in digital forensics with an emphasis on incident response, Windows malware analysis, and reverse engineering. His current duties also include teaching Macintosh forensics, mobile device forensics, and incident response classes domestically through A&M and to foreign law enforcement agencies through the US Department of State's Office of Antiterrorism Assistance. Joseph is a SANS Lethal Forensicator and holds the following certifications: CISM, CISSP, EnCE, and GAWN. His writing works also include being a contributing author to The Computer Forensics InfoSec Pro Guide and co-author of Unified Communications Forensics: Anatomy of Common UC Attacks with Nicholas Grant. You can find him on Twitter at @josephwshaw.

Contents at a Glance

Part I Preparing for the Forensics Function
Chapter 1 The Road to Readiness ... 3
Chapter 2 Getting Started ... 23
Chapter 3 EnCase Concepts ... 53

Part II Beginning with EnCase Forensics
Chapter 4 Adding Evidence ... 83
Chapter 5 Processing Evidence ... 103
Chapter 6 Documenting Evidence ... 125

Part III Looking for Artifacts
Chapter 7 Further Inspection ... 155
Chapter 8 Analyzing the Case ... 173
Chapter 9 Keywords and Searching ... 199

Part IV Putting It All Together
Chapter 10 Conditions and Filters ... 233
Chapter 11 Hash Analysis and Timelines ... 251
Chapter 12 Reporting ... 267
Chapter 13 Wrapping Up the Case ... 291

Part V Automation in EnCase
Chapter 14 EnCase Portable and App Central ... 307
Chapter 15 An EnScript Primer ... 337

Part VI Appendixes
Appendix A Rosetta Stone for Windows Operating Systems ... 383
Appendix B EnCase Version 7 Keyboard Shortcuts ... 385
Appendix C Sample Run Books ... 389
Appendix D EnScript Class Hierarchy ... 405

Index ... 415

Contents

Acknowledgments ... xvi
Introduction ... xvii

Part I Preparing for the Forensics Function

Chapter 1 The Road to Readiness ... 3
    Forensic Readiness ... 4
    Policies ... 6
    Methodology ... 10
    Procedures ... 14
    Organizing the Work ... 16
    Infrastructure Considerations ... 16
    The Lab ... 17
    Staffing ... 19
    Summary ... 21

Chapter 2 Getting Started ... 23
    Installing the Software ... 24
        DVD Installation ... 24
        Downloaded Installation ... 24
    Creating a New Case in EnCase ... 29
        The EnCase Home Screen ... 35
        The Case Screen ... 40
    Customizing the Interface ... 42
        The Case Options ... 43
        The Global Options ... 43
    Adding Your First Evidence ... 45
    Navigating EnCase ... 49
        The Tree Pane ... 50
        The Table Pane ... 51
        The View Pane ... 51
    Summary ... 52

Chapter 3 EnCase Concepts ... 53
    The EnCase Case File ... 54
        Case Backups ... 56
    The EnCase Evidence File ... 61
        Reacquiring Evidence ... 62
        Using Encryption with Ex01 and Lx01 Files ... 65
        Using Encryption to Share Files with Other Parties ... 72
        Using Encryption in a Multi-Investigator Environment ... 74
    EnCase Configuration (ini) Files ... 75
    Case Templates ... 77
    Summary ... 79

Part II Beginning with EnCase Forensics

Chapter 4 Adding Evidence ... 83
    Case Study: The NIST CFReDS Hacking Case ... 84
    Creating a Case Plan ... 87
    Adding Evidence: Acquisition with EnCase Forensic ... 88
        Add Local Device ... 89
        Add Network Preview ... 93
        Add Evidence File ... 93
        Add Raw Image ... 94
        Acquire Smartphone ... 98
        Add Crossover Preview ... 100
    EnCase Imager ... 101
    Summary ... 102

Chapter 5 Processing Evidence ... 103
    Creating the NIST Hacking Case ... 104
    Adding and Verifying the Evidence ... 105
    Setting the Time Zone in EnCase ... 108
    The EnCase Evidence Processor ... 112
        Process Prioritization ... 114
        Default or Red-Flagged Modules ... 115
        Optional Modules ... 117
        Our First Evidence Processor Run ... 121
    Summary ... 123

Chapter 6 Documenting Evidence ... 125
    Initial Case Documentation ... 126
    Files with Internal Structure ... 128
    Viewing the Evidence Processor Results ... 132
    Bookmarking Evidence Items ... 134
        Types of Bookmarks ... 134
        Viewing Bookmarks ... 142
    The Blue Check ... 144
    The Selected Box ... 144
    The Set Include (Home Plate) ... 145
    Tagging ... 147
        Managing Tags ... 150
    Summary ... 151

Part III Looking for Artifacts

Chapter 7 Further Inspection ... 155
    More on the Evidence Processor Modules ... 156
        The System Info Parser (Continued) ... 156
        The File Carver ... 161
        The Windows Artifact Parser ... 161
    Other Modules ... 165
        Archive ... 166
        Internet ... 168
        Thumbnails ... 170
        Email ... 171
        Registry ... 172
    Summary ... 172
