Computer Forensics and Digital Investigation with EnCase Forensic v7

Computer Forensics and Digital Investigation with EnCase Forensic v7

by Suzanne Widup
Released May 2014
Publisher(s): McGraw-Hill
ISBN: 9780071807920

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Conduct repeatable, defensible investigations with EnCase Forensic v7

Maximize the powerful tools and features of the industry-leading digital investigation software. Computer Forensics and Digital Investigation with EnCase Forensic v7 reveals, step by step, how to detect illicit activity, capture and verify evidence, recover deleted and encrypted artifacts, prepare court-ready documents, and ensure legal and regulatory compliance. The book illustrates each concept using downloadable evidence from the National Institute of Standards and Technology CFReDS. Customizable sample procedures are included throughout this practical guide.

  • Install EnCase Forensic v7 and customize the user interface
  • Prepare your investigation and set up a new case
  • Collect and verify evidence from suspect computers and networks
  • Use the EnCase Evidence Processor and Case Analyzer
  • Uncover clues using keyword searches and filter results through GREP
  • Work with bookmarks, timelines, hash sets, and libraries
  • Handle case closure, final disposition, and evidence destruction
  • Carry out field investigations using EnCase Portable
  • Learn to program in EnCase EnScript

Table of contents

  1. Cover 
  2. Title Page
  3. Copyright Page
  4. About the Author
    1. About the Technical Reviewer
  5. Contents at a Glance
  6. Contents 
  7. Acknowledgments
  8. Introduction
    1. Why This Book?
    2. Who Should Read This Book
    3. What This Book Covers
    4. How This Book Is Organized
  9. Part I: Preparing for the Forensics Function
    1. Chapter 1: The Road to Readiness
      1. Forensic Readiness
      2. Policies
      3. Methodology
      4. Procedures
      5. Organizing the Work
      6. Infrastructure Considerations
      7. The Lab
      8. Staffing
      9. Summary
    2. Chapter 2: Getting Started
      1. Installing the Software
        1. DVD Installation
        2. Downloaded Installation
      2. Creating a New Case in EnCase
        1. The EnCase Home Screen
        2. The Case Screen
      3. Customizing the Interface
        1. The Case Options
        2. The Global Options
      4. Adding Your First Evidence
      5. Navigating EnCase
        1. The Tree Pane
        2. The Table Pane
        3. The View Pane
      6. Summary
    3. Chapter 3: EnCase Concepts
      1. The EnCase Case File
        1. Case Backups
      2. The EnCase Evidence File
        1. Reacquiring Evidence
        2. Using Encryption with Ex01 and Lx01 Files
        3. Using Encryption to Share Files with Other Parties
        4. Using Encryption in a Multi-Investigator Environment
      3. EnCase Configuration (ini) Files
      4. Case Templates
      5. Summary
  10. Part II: Beginning with EnCase Forensics
    1. Chapter 4: Adding Evidence
      1. Case Study: The NIST CFReDS Hacking Case
      2. Creating a Case Plan
      3. Adding Evidence: Acquisition with EnCase Forensic
        1. Add Local Device
        2. Add Network Preview
        3. Add Evidence File
        4. Add Raw Image
        5. Acquire Smartphone
        6. Add Crossover Preview
      4. EnCase Imager
      5. Summary
    2. Chapter 5: Processing Evidence
      1. Creating the NIST Hacking Case
      2. Adding and Verifying the Evidence
      3. Setting the Time Zone in EnCase
      4. The EnCase Evidence Processor
        1. Process Prioritization
        2. Default or Red-Flagged Modules
        3. Optional Modules
        4. Our First Evidence Processor Run
      5. Summary
    3. Chapter 6: Documenting Evidence
      1. Initial Case Documentation
      2. Files with Internal Structure
      3. Viewing the Evidence Processor Results
      4. Bookmarking Evidence Items
        1. Types of Bookmarks
        2. Viewing Bookmarks
      5. The Blue Check
      6. The Selected Box
      7. The Set Include (Home Plate)
      8. Tagging
        1. Managing Tags
      9. Summary
  11. Part III: Looking for Artifacts
    1. Chapter 7: Further Inspection
      1. More on the Evidence Processor Modules
        1. The System Info Parser (Continued)
        2. The File Carver
        3. The Windows Artifact Parser
      2. Other Modules
        1. Archive
        2. Internet
        3. Thumbnails
        4. Email
        5. Registry
      3. Summary
    2. Chapter 8: Analyzing the Case
      1. The Case Analyzer
      2. Windows Artifacts
      3. Customizing the Case Analyzer
        1. Case Analyzer Report Conventions
        2. SQLite Manager (Firefox)
        3. SQL Basics
        4. Customizing Our Report
      4. Parsing Email
        1. Outlook Express
        2. Web-Based Email
      5. Summary
    3. Chapter 9: Keywords and Searching
      1. Keywords and Searching
        1. Logical vs. Physical Searches
        2. Searching in the Evidence Processor
        3. Viewing Search Results
        4. Searching in the Evidence Browser
        5. Evidence and Cache Locations
        6. Troubleshooting the Evidence Cache
      2. Index Searches
        1. Search Operators
      3. Using GREP Operators
        1. The GREP Wildcards
        2. Grouping and GREP
        3. Ranges and Logical Operators
      4. Summary
  12. Part IV: Putting It All Together
    1. Chapter 10: Conditions and Filters
      1. Conditions
        1. Running an Existing Condition
        2. Creating a New Condition
        3. Condition Logic
        4. Nesting Terms
        5. Running the Condition
      2. Filters
        1. Running a Filter
        2. Editing a Filter
        3. Adding a New Filter
        4. Sharing a Filter
      3. Summary
    2. Chapter 11: Hash Analysis and Timelines
      1. Working with Hash Sets and Libraries
        1. Creating a New Hash Library
        2. Adding Case Results to Your Hash Library
        3. Importing the NSRL Hash Library
        4. Importing Legacy Hash Results into Your Hash Library
        5. Running Queries Against Your Hash Libraries
        6. Using Hash Libraries for Hash Analysis
      2. Viewing Timeline Data in EnCase
      3. Summary
    3. Chapter 12: Reporting
      1. Generating Your Report
      2. Customizing Existing Report Templates
        1. Report Object Code
        2. Changing the Graphic on the Title Page
      3. Creating a New Report Template
        1. Using Styles
        2. Building the Report Tree Hierarchy
        3. Associating Bookmark Folders with Report Sections
        4. Controlling Which Sections Display
      4. Summary
    4. Chapter 13: Wrapping Up the Case
      1. Evidence Lifecycle Management
      2. The Digital Evidence Lifecycle
        1. Acquisition Phase
        2. Processing Phase
        3. Analysis Phase
        4. Presentation Phase
        5. Archival Phase
        6. Disposal Phase
      3. Case Closure Criteria
      4. Inactive Case Review
      5. Archiving a Case
        1. Preparing a Case Package
      6. Physical Media Considerations
      7. Summary
  13. Part V: Automation in EnCase
    1. Chapter 14: EnCase Portable and App Central
      1. EnCase Portable Basics
        1. What Is Included
        2. Installing from the Downloaded Product
        3. Installing from the DVD
      2. Preparing EnCase Portable for Redeployment After Use
        1. Restoring Using EnCase Forensic—Requires Forensic Dongle
        2. Restoring Using the DVD—Does Not Require a Forensic Dongle
        3. Restoring Using an Update File—Does Not Require a Forensic Dongle
      3. Preparing Additional Storage Devices for Use with Portable
        1. Preparing Storage Devices with EnCase Forensics—Scripted Method
        2. Preparing Storage Devices with Windows Explorer—Quick Method
      4. Managing and Configuring EnCase Portable
        1. The Portable Management Interface
        2. File Types in EnCase Portable
      5. Running Jobs in the Field
        1. Collecting from a Powered-On Computer
        2. Collecting from a Powered-Off Computer
        3. The Report Builder
      6. On-Scene Analysis
      7. After the Collection—Back at the Forensic Lab
      8. EnCase App Central
      9. Summary
    2. Chapter 15: An EnScript Primer
      1. The Basics of EnScript
      2. The EnScript Environment
        1. The EnScript Help Function
        2. The EnScript Types Tab and the Class Browser
        3. Anatomy of an EnScript
        4. Our First EnScript
      3. Variables
        1. Variables and Their Scope
      4. Operators
      5. Looping Constructs—Controlling the Flow of an EnScript
        1. The If, Else If, and Else Statements
        2. The For Statement
        3. The While and Do While Statements
        4. The Break and Continue Statements
        5. The Switch, Case, Default Statement
        6. The Foreach, Forall and Forroot Statements
        7. The Ternary Operator
        8. The Debugger
      6. Functions
        1. Passing by Reference or Value
      7. Classes
        1. What Is a Class?
        2. The Aircraft Class
        3. The Constructor
      8. Summary
  14. Part VI: Appendixes
    1. Appendix A: Rosetta Stone for Windows Operating Systems
    2. Appendix B: EnCase Version 7 Keyboard Shortcuts
      1. EnCase Keyboard Shortcuts Quick Reference
    3. Appendix C: Sample Run Books
      1. Creating a New Case (Chapter 2)
      2. Relocating Evidence Manually (Chapter 2)
      3. Backing Up the Current Case (Chapter 3)
      4. Reacquiring .E01/.Ex01 Evidence (Chapter 3)
      5. Reacquiring .L01/.Lx01 Evidence (Chapter 3)
      6. Encrypting an Evidence File (See Reacquiring Evidence)
      7. Adding/Acquiring a Local Device (Chapter 4)
      8. Adding an EnCase Evidence File (Logical or Physical) (Chapter 4)
      9. Adding a Raw Image (Chapter 4)
      10. Acquiring a Smartphone (Chapter 4)
      11. Creating a New Case (Chapter 5)
      12. Verifying an Evidence File without Opening a Case (Chapter 5)
      13. Setting the Time Zone (Chapter 5)
      14. Processing and Preparation of Initial Case Evidence (Chapter 5)
      15. Mounting Files with Internal Structure (Compound Files) Individually (Chapter 6)
      16. Manually Verifying Evidence (Chapter 6)
      17. Regenerating the Case.sqlite Database (Chapter 8)
      18. Searching in the Evidence Browser (Chapter 9)
      19. Running an Existing Condition (Chapter 10)
      20. Running an Existing Filter (Chapter 10)
      21. Creating a Hash Library (Chapter 11)
      22. Creating a New Hash Set Inside the Library (Chapter 11)
      23. Adding Results to Your Hash Library from a Case (Chapter 11)
      24. Importing the NSRL Hash Library (Chapter 11)
      25. Generating a Report (Chapter 12)
      26. Creating a New Report Template (Chapter 12)
      27. Preparing a Case Package for Archiving (Chapter 13)
      28. Wiping a Drive with EnCase (Chapter 13)
      29. Restoring the EnCase Portable USB Device (Chapter 14)
        1. Using EnCase Forensics—Requires Forensic Dongle
        2. Using the DVD—No Forensic Dongle Required
        3. Using the File Update—No Forensic Dongle Required
      30. Preparing Additional Storage Devices for Use with EnCase Portable (Chapter 14)
      31. Launching EnCase Portable Management (Chapter 14)
      32. Collecting from a Powered-On Computer (Chapter 14)
      33. Collecting from a Powered-Off Computer (Chapter 14)
      34. Importing Evidence from EnCase Portable into EnCase Forensic (Chapter 14)
    4. Appendix D: EnScript Class Hierarchy
  15. Index

Product information

  • Title: Computer Forensics and Digital Investigation with EnCase Forensic v7
  • Author(s): Suzanne Widup
  • Release date: May 2014
  • Publisher(s): McGraw-Hill
  • ISBN: 9780071807920