Intro to Cyber Crime and Computer Forensics
CS 4273/6273
October 5, 2005
MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Introduction to the EnCase Investigative Software

EnCase
• Guidance Software
• Pasadena, California
• Resources include
  • Software
  • Message Board
  • Web Site Update Section
  • EnCase Legal Journal
• First Developed 1998

Windows Based Forensics
• Forensic Data Acquisition and Analysis
• Based on the Specifications of the Law Enforcement Community
• Provides a mechanism for conducting and documenting searches of computer hardware.
• Completely Non-Invasive

Limitations of Earlier Technology
• Before EnCase…
  • Separate programs had to be used to image, store, and verify the integrity of data.
  • Manual journals had to be kept to list hash values and all notes about the investigation.
  • This sometimes required days of lab time.

The New Legal Standard
• Courts in the U.S. provide a presumption of authenticity to computer evidence processed or generated by software or systems shown to be standard within the industry.
• EnCase is one of the de facto standard tools in the community.
• Used by over 500 law enforcement agencies around the country.
• Also used by many private agency investigators.

Features of EnCase 3.0
• Reads any IDE or SCSI hard drive or CD-ROM and saves an exact image to disk.
• Uses CRC and MD5 hashes
• Password protection of evidence
• View the entire drive image, including hidden and free space.
• Search the image for keywords.
• View files without changing the state of the file.
• Treats the hard drive as a flat array of sectors. No discussion of heads, cylinders and sectors.

Continued…
• Analyze file and folder structure on all media using:
  • FAT-12 Floppies
  • FAT-16 Windows 95
  • FAT-32 Windows 98
  • NTFS Windows NT, 2000, XP
  • HFS, HFS+
  • CD Compact Disks
  • EXT2 Linux
  • UFS Unix

Continued…
• Combine any number of Evidence Files to create a Case.
• Through a single examination,
  • View, search and sort evidence in all files within the case.
• Records all evidence searches and bookmarks in a typeset report.

Continued…
• Analyze and authenticate file signatures
• Allows the investigator to build and use Hash Libraries to identify known files.
• Has a built-in gallery view that enables rapid isolation and bookmarking of suspect graphic files.
• Has a macro language that allows complex tasks to be automated.

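As an added example (not the deck's or Guidance Software's code) of the two checks named above, signature analysis and hash-library lookup, this Python compares each file's leading bytes with its extension and looks its MD5 up in a small library. The signature table, the category names and the sample files are constructed assumptions for the example.

```python
import hashlib
from pathlib import Path

# Constructed signature table for this example (leading bytes -> extensions).
# EnCase ships its own tables; these entries are an assumption, not theirs.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"PK\x03\x04": {".zip", ".docx"},
    b"%PDF-": {".pdf"},
}

def signature_analysis(name: str, head: bytes) -> str:
    """Compare a file's leading bytes with its extension: 'match', 'mismatch'
    (extension disagrees with the signature, e.g. an image renamed to .txt)
    or 'unknown' (no signature on record for these bytes)."""
    ext = Path(name).suffix.lower()
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return "match" if ext in exts else "mismatch"
    return "unknown"

def triage(files: dict, hash_library: dict) -> list:
    """Run hash-library lookup and signature analysis over {name: contents}.
    hash_library maps an MD5 hex digest to a category, here 'known-good'
    (ignorable OS/application file) or 'notable' (file of interest)."""
    report = []
    for name, data in files.items():
        category = hash_library.get(hashlib.md5(data).hexdigest(), "unknown")
        report.append((name, category, signature_analysis(name, data[:16])))
    return report

def demo() -> list:
    """Triage a constructed sample set: four small fake files, two-entry library."""
    files = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
        "budget.txt": b"\xff\xd8\xff\xe0" + b"\x11" * 60,   # image disguised as text
        "manual.pdf": b"%PDF-1.4\n" + b"%" * 40,
        "notes.txt": b"plain text, no signature on record",
    }
    library = {
        hashlib.md5(files["manual.pdf"]).hexdigest(): "known-good",
        hashlib.md5(files["budget.txt"]).hexdigest(): "notable",
    }
    return triage(files, library)
```

A mismatch with a "notable" hash, as for budget.txt here, is the combination an examiner would bookmark first.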
Continued…
• Provides the ability to acquire and preview over a network cable.
• Built-in viewers for:
  • Registry files
  • Zip files
  • DBX files (Outlook Express)
• Acquires Palm PDAs and RAIDs (Redundant Array of Inexpensive Disks)

Evidence Files
• Central component of EnCase methodology
• Consists of:
  • Header
  • Checksum and data blocks
  • MD5 block
[Diagram: evidence file layout, labelled "Case Info" (header), "CRC" and "64 sectors of data" (checksum and data blocks), and "MD5" (trailing hash)]

Image Verification
• Compute a CRC for each sector in the evidence file, and use that to verify that each block has not changed. Any deviations are noted in the Case File.
• Automatic background process that happens every time another evidence file is added to the case.

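As an added illustration of the evidence-file layout and the background verification described on the two slides above (not code from the deck or from Guidance Software), the following Python models a simplified evidence file: a case-info header, data blocks of 64 sectors each followed by a CRC, and an MD5 over the whole image; it then re-verifies the file and reports which block deviated. The record layout, field encodings and sample image are assumptions for this example; the real EnCase format differs in detail.

```python
import hashlib
import struct
import zlib

SECTOR = 512
BLOCK_SECTORS = 64              # slide: a CRC covers each block of 64 sectors
BLOCK_BYTES = SECTOR * BLOCK_SECTORS

def build_evidence(case_info: bytes, image: bytes) -> bytes:
    """Pack a raw image as: header | (block length, block, CRC32)* | MD5 of image.
    Simplified model assumed for this example, not the real EnCase format."""
    out = [struct.pack(">I", len(case_info)), case_info]
    for off in range(0, len(image), BLOCK_BYTES):
        block = image[off:off + BLOCK_BYTES]      # last block may be short
        out += [struct.pack(">I", len(block)), block,
                struct.pack(">I", zlib.crc32(block))]
    out.append(hashlib.md5(image).digest())
    return b"".join(out)

def verify_evidence(ev: bytes) -> dict:
    """Recompute every block CRC and the trailing MD5; list deviating blocks."""
    pos = 0
    (hlen,) = struct.unpack_from(">I", ev, pos); pos += 4
    case_info = ev[pos:pos + hlen]; pos += hlen
    bad_blocks, parts = [], []
    while pos < len(ev) - 16:                     # 16 trailing bytes are the MD5
        (blen,) = struct.unpack_from(">I", ev, pos); pos += 4
        block = ev[pos:pos + blen]; pos += blen
        (crc,) = struct.unpack_from(">I", ev, pos); pos += 4
        if zlib.crc32(block) != crc:
            bad_blocks.append(len(parts))         # index of this block
        parts.append(block)
    md5_ok = hashlib.md5(b"".join(parts)).digest() == ev[pos:pos + 16]
    return {"case_info": case_info, "bad_blocks": bad_blocks, "md5_ok": md5_ok}

def demo() -> tuple:
    """Verify a constructed 2.5-block image, then again after one byte is flipped."""
    image = (bytes(range(256)) * 400)[:2 * BLOCK_BYTES + 1000]
    case_info = b"Case 001 (constructed sample)"
    ev = build_evidence(case_info, image)
    tampered = bytearray(ev)
    # Offset of the 11th data byte of block 1: header, whole block-0 record, block-1 length.
    off = (4 + len(case_info)) + (4 + BLOCK_BYTES + 4) + 4 + 10
    tampered[off] ^= 0xFF
    return verify_evidence(ev), verify_evidence(bytes(tampered))
```

The per-block CRC localises a change to one 64-sector block, while the MD5 confirms the image as a whole; both are recomputed, as the slide says, each time the file is reopened in a case.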
EnCase for DOS
• Used for imaging subject computers
• Insert the boot disk in the subject machine and turn it on.
• Boot to the DOS prompt and type en
• A DOS interface will appear that shows physical drives on the left and logical drives on the right.
• Imaging can now be done through a network cable or laplink cable.

Previewing
• Similar to acquiring but much faster.
• Allows the investigator to view the data as if it had been acquired, but with no record keeping.
• Primarily used for deciding whether to pursue a full investigation.
• Not possible to preview safely. The hard drive will change due to swap file activity.
• Never investigate a previewed drive.

Acquisitions
• Parallel Port Cable Acquisitions
  • Windows
  • DOS
• Network Cable Acquisitions
  • Using the provided “cross-over” network cable.
• “Drive to Drive” in DOS
  • Subject and Target Drives both connected to the same motherboard.

Continued…
• Acquiring RAIDs: DOS Mode
  • Hardware: array controlled by the RAID controller card.
  • Software: array controlled by the operating system.
• Acquiring PDAs: Windows Mode
  • Palms supported: III, V, VII, M100, M105, Handspring (Neo, Prism, Edge, Pro)

Continued…
• Acquiring Zip Disks: DOS
• Acquiring Jaz Disks: DOS
• Acquiring Floppy Disks: DOS or Windows
• Other media as long as driver software is available.

Investigating with EnCase
• Acquire each subject drive and place it in an individual evidence file.
• Create a new Case File.
• Add evidence files into the case one at a time.
  • Can also use raw image files like those created by other utilities.
• Recover folders using the “recover folders” command.
• Run Signature Analysis by running a search.

EnCase Message Board
• http://www.EnCase.com
• Exchange Ideas
• Ask questions
• Provide Answers
• Discussions of all kinds
• Requires username and password to prevent criminal access.