EnCase 101

Overcoming Security on Mounted Drive Images

noreply@blogger.com (Larry E. Daniel, DFCP, EnCE, BCE) — Tue, 31 May 2011 23:52:00 +0000

In many cases, you will need to mount the Encase forensic image you are examining in order to run antivirus against the data, or run some other forensic tool like Drive Prophet or NetAnalysis.

One of the issues you must overcome to get access to all of the areas of the hard drive, if it is an NTFS drive, is the security that prevents you from accessing the users' data area on the drive.

To get access to the areas protected by the NTFS security, you must take ownership of the drive by changing the security settings. However, you cannot change security on a read-only drive.

Here is how you can overcome this in Encase without having to purchase another drive mounting tool. This does require that you have the option to mount drives as emulated disks in Encase.

First, in Encase, right click on the drive letter you need to mount and select "Mount as Emulated Disk"

Then click on he Client Info tab and uncheck disable caching. Browse to a location for the temporary cache.

Now, the operating system on your examination computer will believe that the drive is writable and will allow you to take ownership of the drive.

You can take ownership through the properties dialog by right clicking on the drive letter of the mounted drive and going to advanced properties.

Once it has completed the process of changing the ownership of the files and folders, you can navigate through the dive like any other hard drive on your computer.

How To Load DD Images into EnCase

noreply@blogger.com (Larry E. Daniel, DFCP, EnCE, BCE) — Mon, 05 Jul 2010 02:25:00 +0000

Version used: EnCase 6.16.2

If you are dealing with a forensic hard drive copy that is in DD format, it is a simple but not intuitive process to load that drive image into EnCase.

Here’s how you do it.

Step 1: From the File Menu, Select Add Raw Image

Step 2: Select the type of image you need to load. Is this example I am going to load a Disk Image

Step 3: Right click in the Component Files area and Select New

Step 4: Browse to the folder containing the images and sort them in ascending order.

Step 5: Select all of the parts of the DD image.

Step 6: Click OK to load the image parts into the Component Files dialog.

Step 7: Click OK again to load the parts into Encase

You should now see the drive image correctly mounted in EnCase.

Note: Some earlier versions of EnCase 6 actually required that you sort the parts in descending order. If you are using EnCase 6.01 - 6.12 and this does not work for you, try the process again with the image parts sorted in descending order.

Finding Yahoo Messenger Artifacts

noreply@blogger.com (Larry E. Daniel, DFCP, EnCE, BCE) — Sat, 03 Jul 2010 11:51:00 +0000

Image via Wikipedia

Sometimes you have to locate Yahoo Messenger artifacts when the program was not set to log anything. When that happens, chances are your only avenue will be to search for artifacts in unallocated space.

The most likely place to locate these artifacts will be in the pagefile.sys and the hiberfile.sys if it exists.

You will want to create a case level keyword of øÿYMSG as all Yahoo Messenger communications begin with that string.

When you create the keyword, you can just leave it as ASCII. No need to use GREP for this and it is not a whole word search.

For the first pass, run it against just the pagefile.sys.

You should get search hits that look like the following:

NOTE: The following is not a conversation between real people.

øÿYMSG T ûöY5À€bigbadlovindaddyÀ€4À€fluffybunnyfromspaceÀ€14À€ok great
øÿYMSG m ûöY1À€bigbadlovindaddyÀ€5À€fluffybunnyfromspaceÀ€14À€what are you doing now
øÿYMSG f ûöY1À€bigbadlovindaddyÀ€5À€fluffybunnyfromspaceÀ€14À€it is getting late
øÿYMSG B ûöY1À€bigbadlovindaddyÀ€5À€fluffybunnyfromspaceÀ€14À€I think I should go to bed soon
øÿYMSG 6 ûöY5À€bigbadlovindaddyÀ€4À€fluffybunnyfromspaceÀ€14À€why? It aint that late
øÿYMSG ? ûöY5À€bigbadlovindaddyÀ€4À€fluffybunnyfromspaceÀ€14À€I got to work in the morning
øÿYMSG J ûöY1À€bigbadlovindaddyÀ€5À€fluffybunnyfromspaceÀ€14À€ok see you laters

You cannot get dates or times from these artifacts. Nor will the artifacts give any indication of the direction of the chat.

You will also recover artifacts giving you other screen names using this method.

In a case I did using this method, I was looking for a phone number. No logging was turned on in Yahoo Messenger and no artifacts or saved sessions were available by looking at Yahoo Messenger itself.

By using this method, I did recover the conversation and the phone number that was needed by law enforcement.

Getting started with something new.

noreply@blogger.com (Larry E. Daniel, DFCP, EnCE, BCE) — Fri, 02 Jul 2010 22:28:00 +0000

I have wanted for a long time to start a new blog with tips and tutorials for those folks just getting started with or currently using Encase Forensics software.

Even if you don't use EnCase as your forensic software tool, I think you might find some of my tips helpful as they will show you how to find certain types of data in your examinations.

While my time is limited, I plan to share on this blog as often as I can.

I plan to get my first post up on EnCase in the next few days so stay tuned.

If you have suggestions for this blog or would like to see something covered, drop me an email or send me a DM on Twitter.

Happy forensicing!