encase forensic imager v7.09 user's guide

Upload: alberto-perez

Post on 02-Jun-2018


  • 8/10/2019 EnCase Forensic Imager v7.09 User's Guide

    1/35

    GUIDANCE SOFTWARE | USERS GUIDE | ENCASE FORENSIC IMAGER

    EnCase Forensic Imager VERSION 7.09

    USERS GUIDE


    Copyright 2013 Guidance Software, Inc. All rights reserved.

    EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation and to the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for informational use only, and is subject to change at any time without notice.


    Contents

    CHAPTER 1  EnCase Forensic Imager User's Guide  3

    Overview  5
    Launching EnCase Forensic Imager  5
    Types of Acquisitions  5
    Sources of Acquisitions  5
    Types of Evidence Files  6
      EnCase Evidence Files  6
      Logical Evidence Files  6
      Raw Image Files  6
      Single Files  6
    Acquiring a Local Drive  7
      Acquiring Non-local Drives  7
    Creating Encrypted Evidence Files  7
      Creating an Encrypted Logical Evidence File  7
      Creating an Encrypted Evidence File  14
    Acquiring Other Types of Supported Evidence Files  20
    Verifying Evidence Files  20
    Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)  21
    Using a Write Blocker  22
      Windows-based Acquisitions with Tableau and FastBloc Write Blockers  22
      Acquiring in Windows without a Tableau or FastBloc Write Blocker  22
    Acquiring a Disk Running in Direct ATA Mode  23
    Acquiring Disk Configurations  23
      Software RAID  24
      RAID-10  24
      Hardware Disk Configuration  24
      Windows NT Software Disk Configurations  24
      Support for EXT4 Linux Software RAID Arrays  25
      Dynamic Disk  25
      Disk Configuration Set Acquired as One Drive  26
      Disk Configurations Acquired as Separate Drives  26
    Acquiring a DriveSpace Volume  27
    Canceling an Acquisition  28
    CD-DVD Inspector File Support  28
    Reacquiring Evidence  28
      Reacquiring Evidence Files  29
      Retaining the GUID During Evidence Reacquisition  29
    Adding Raw Image Files  29
    Restoring a Drive  30

    Index  33


    CHAPTER 1

    EnCase Forensic Imager User's Guide

    In This Chapter

    Overview
    Launching EnCase Forensic Imager
    Types of Acquisitions
    Sources of Acquisitions
    Types of Evidence Files
    Acquiring a Local Drive
    Creating Encrypted Evidence Files
    Acquiring Other Types of Supported Evidence Files
    Verifying Evidence Files
    Acquiring Device Configuration Overlays (DCO) and Host Protected Areas
    Using a Write Blocker
    Acquiring a Disk Running in Direct ATA Mode
    Acquiring Disk Configurations
    Acquiring a DriveSpace Volume
    Canceling an Acquisition
    CD-DVD Inspector File Support
    Reacquiring Evidence
    Adding Raw Image Files
    Restoring a Drive

    4 EnCase Forensic Imager Version 7.09 User's Guide


    Overview

    With EnCase Forensic Imager, you can acquire, reacquire, and translate evidence files into EnCase evidence files that include CRC block checks, hash values, compression, and encryption. EnCase Forensic Imager can read and write to current or legacy EnCase evidence files and EnCase Forensic Imager logical evidence files.

    With the LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn with EnCase Forensic Imager, you can perform network crossover acquisitions.

    This User's Guide provides detailed information about all types of EnCase Forensic Imager acquisitions.

    Note: EnCase Forensic Imager is not designed to be run on a suspect system, as it makes changes to the filesystem, including writing to temporary files.

    Launching EnCase Forensic Imager

    To launch the application, double click the EnCase Forensic Imager.exe file.

    Running the EnCase Forensic Imager executable auto-extracts the tool to your Windows Temp directory.

    Types of Acquisitions

    EnCase Forensic Imager can acquire evidence in four basic formats:

    Current EnCase evidence files (.Ex01): .Ex01 format improves upon the .E01 format with LZ compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing, SHA-1 hashing, or both.

    Current Logical evidence files (.Lx01): .Lx01 format improves upon the .L01 format with LZ compression and options for MD5 hashing, SHA-1 hashing, or both. Encryption is not available for legacy logical evidence (.L01) files.

    Legacy EnCase evidence files (.E01): .E01 format makes current acquisitions accessible to legacy versions of EnCase Forensic Imager.

    Legacy Logical evidence files (.L01): .L01 format makes current logical acquisitions accessible to legacy versions of EnCase.

    Sources of Acquisitions

    Sources for acquisitions within EnCase Forensic Imager include:

    Previewed memory or local devices such as hard drives, memory cards, or flash drives.

    Evidence files supported by EnCase Forensic Imager, including legacy EnCase evidence files (.E01), legacy logical evidence files (.L01), current EnCase evidence files (.Ex01), current logical evidence files (.Lx01), DD images, VMware files (.vmdk), or Virtual PC files (.vhd). You can use these to create legacy EnCase evidence files and legacy logical evidence files, or you can reacquire them as EnCase Forensic Imager .Ex01 or .Lx01 format, adding encryption, new hashing options, and improved compression.

    Single files selected to create a Logical Evidence File from an existing evidence file or an acquired device.


    Network crossover using LinEn and EnCase Forensic Imager to create .E01 files or .L01 files. This strategy is useful when you want to preview a device without disassembling the host computer. This is usually the case for a laptop, a machine running a RAID, or a machine running a device with no available supporting controller.

    Types of Evidence Files

    EnCase Evidence Files

    Legacy EnCase evidence files (.E01) are a byte-for-byte representation of a physical device or logical volume. Current EnCase evidence files (.Ex01) can be encrypted; however, .Ex01 files are not backward compatible with legacy versions of EnCase.

    EnCase evidence files provide forensic level metadata, the device level hash value, and the content of an acquired device.

    Dragging and dropping an .E01 or .Ex01 file anywhere on the EnCase Forensic Imager interface adds it to the currently opened case.

    Logical Evidence Files

    Logical evidence files (.L01) are created from previews, existing evidence files, or Smartphone acquisitions. These are typically created after an analysis locates some files of interest, and for forensic reasons, they are kept in a forensic container.

    Current logical evidence files (.Lx01) provide encryption and hashing options, but they are not backward compatible with legacy versions of EnCase.

    When an .L01 or .Lx01 file is verified, the stored hash value is compared to the entry's current hash value:

    If the hash of the current content does not match the stored hash value, the hash is followed by an asterisk (*).

    If no content for the entry was stored upon file creation, but a hash was stored, the hash is not compared to the empty file hash.

    If no hash value was stored for the entry upon file creation, no comparison is done, and a new hash value is not populated.
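    The three verification rules above, expressed as an added Python example (not code from the guide or from Guidance Software) over constructed logical-evidence entries. The entry model, its field names, and the choice to show the stored hash with the asterisk on a mismatch are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class LefEntry:
    """Constructed model of one entry in a logical evidence file. The field names
    are assumptions for this example, not the EnCase container layout."""
    name: str
    stored_hash: Optional[str]   # MD5 hex recorded at creation time, or None
    content: Optional[bytes]     # content stored in the container, or None


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_entry(entry: LefEntry) -> dict:
    """Apply the three verification rules and return the text the Hash column
    would show plus a status flag."""
    if entry.stored_hash is None:
        # No hash was stored: nothing is compared and no new hash is populated.
        return {"name": entry.name, "display": "", "status": "not_compared"}
    if entry.content is None:
        # Hash stored but no content: the stored hash is kept and is NOT
        # compared against the hash of empty content.
        return {"name": entry.name, "display": entry.stored_hash,
                "status": "not_compared"}
    if md5_hex(entry.content) != entry.stored_hash:
        # Content no longer matches: the hash is followed by an asterisk.
        return {"name": entry.name, "display": entry.stored_hash + "*",
                "status": "mismatch"}
    return {"name": entry.name, "display": entry.stored_hash, "status": "match"}


def verify_logical_evidence(entries) -> list:
    return [verify_entry(e) for e in entries]


# Constructed sample entries covering each rule.
ORIGINAL = b"quarterly report draft\n"
SAMPLE_ENTRIES = [
    LefEntry("report.txt", md5_hex(ORIGINAL), ORIGINAL),                # intact
    LefEntry("report_edited.txt", md5_hex(ORIGINAL), ORIGINAL + b"!"),  # altered
    LefEntry("metadata_only.txt", md5_hex(ORIGINAL), None),             # hash but no content
    LefEntry("unhashed.bin", None, b"\x00\x01"),                        # no hash stored
]

if __name__ == "__main__":
    for r in verify_logical_evidence(SAMPLE_ENTRIES):
        print(f"{r['name']:<20} {r['status']:<13} {r['display']}")
```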

    Raw Image Files

    Raw image files are a dump of the device or volume. There are no hash comparisons or CRC checks. Therefore, raw image files are not as forensically sound as EnCase evidence files. Although the files are not in EnCase evidence file format, EnCase Forensic Imager supports a number of popular formats.

    Before you can acquire raw image files, they must be added to a case. Raw image files are converted to EnCase Forensic Imager evidence files during the acquisition process, adding CRC checks and hash values if selected.

    Single Files

    You can export single files from a previewed/mounted device.


    Acquiring a Local Drive

    Before you begin, verify that the local drive to be acquired was added to the case.

    1. To protect the local machine from changing the contents of the drive while its content is being acquired, use a write blocker. See Using a Write Blocker on page 22.

    2. Verify that the device being acquired shows in the Tree pane or the Table pane as write protected.

    Acquiring Non-local Drives

    The LinEn utility acquires non-local drives by performing a network crossover acquisition. When you use the LinEn utility to acquire a disk through a disk-to-disk acquisition, you must add the resulting EnCase evidence file to the case using the Add Device wizard.

    Creating Encrypted Evidence Files

    Creating an Encrypted Logical Evidence File

    To create an encrypted logical evidence file:

    1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire > Create Logical Evidence File from the dropdown menu.

    Note: The folder highlighted when you click Create Logical Evidence File is treated as the root folder for including entries in the logical evidence file. Only blue checked child entries inside that folder are included. To include files from more than one folder, you must highlight a folder that is a common parent. For instance, in the example above, if you wanted to include files from both the System Volume Information and $Recycle Bin folders, you would need to highlight either C, v7_Sample_Evidence, or Entries.


    2. The Create Logical Evidence File dialog displays. It opens to the Location tab by default.

    3. In the Location tab:

    a. Enter the evidence file name.
    b. Enter the evidence number.
    c. Enter the case number.
    d. Enter the examiner name.
    e. Add notes, if desired.
    f. Check the Add to existing evidence file checkbox if you want to add this file to an existing logical evidence file. You must specify the output path to an existing logical evidence file that is not locked.
    g. Specify the output path for the logical evidence file.

    4. In the Logical tab:


    Source is the root level folder or device containing blue checked items to include in the logical evidence file.

    Files contains the number of files and the total size of the file or files to include in the logical evidence file.

    Target folder within Evidence File is an optional user-specified folder that is created inside the logical evidence file. Any selected files in the source location are placed inside this folder. This is useful for organizing multiple additions to a single logical evidence file.

    Include contents of files checkbox: If checked, file content data displays in the View pane when you open the logical evidence file.

    File in use checkbox: If checked, the hash is computed when the file is read from evidence. This is valuable when previewing live data that may have changed since initially calculating the hash value.

    Include original extents checkbox: If checked, original extent information is added to the logical evidence file. Physical Location, Physical sector, and File Extents columns in the logical evidence file will match the original entries.

    Include contents of folder objects checkbox: If checked, folder content data displays in the View pane when you open the logical evidence file.

    Lock file when completed checkbox: If checked, the logical evidence file is locked after creation.

    5. In the Format tab:


    a. For the Evidence File Format, select Current (Lx01). This is the default.
    b. From the Entry Hash dropdown menu, select a hashing algorithm: None, or MD5 (default).
    c. Specify Compression as Enabled (default) or Disabled.
    d. Specify the File Segment Size (MB) (minimum: 30 MB, maximum: 8,796,093,018,112 MB, default: 2048 MB).

    6. Click the Encryption button to open the Encryption Details dialog.

    Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder of the current user profile. To save the encryption keys to a different location, right click in the Encryption Details dialog, then click Change Root Path from the dropdown menu.

    7. Click the key icon in the upper pane to open the New Encryption Key dialog.


    8. Click Next to generate a new encryption key.

    9. After the key is generated, the Password dialog displays.

    10. Enter a name for the encryption key, then enter a password and enter the password again to confirm it. The Password Quality bar indicates if the password you entered is acceptable.

    11. When you have entered an acceptable password, confirm the password, then click Finish.


    12. EnCase Forensic Imager prompts you to save the public key file you just created.

    13. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just created.


    14. Click the checkbox for the new key, then click OK.

    Using an Existing Public Key

    If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of the current user profile, then click Update.


    Creating an Encrypted Evidence File

    To create an encrypted evidence file:

    1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire > Acquire from the dropdown menu.

    Note: If a physical device is added (a device that contains one or more volumes, such as device 2, 3, 4, etc.), EnCase can either acquire the entire physical device, or a single volume contained within that device. It depends on what you highlight in the tree pane.

    o Highlighting Entries and acquiring acquires the entire physical device.
    o Highlighting the device number (for example, 1, 2, 3, 4) or the evidence name (for example, Hunter XP or V7_Sample_Evidence) acquires the entire physical device.
    o Highlighting the volume (C, D, E, F, etc.) acquires that volume.
    o Highlighting any folder or entry inside a volume acquires only the volume that contains the highlighted entry.

    If a volume (not a physical device) is added (for example, C, D, E, F, but not 1, 2, 3, 4), then the volume is acquired regardless of what you highlight.


    2. The Acquire Device dialog displays. It opens to the Location tab by default.

    3. In the Location tab:

    a. Enter the evidence file name.
    b. Enter the evidence number.
    c. Enter the case number.
    d. Enter the examiner name.
    e. Add notes, if desired.
    f. Restart Acquisition restarts a canceled or disconnected acquisition. If the acquisition was interrupted, but not canceled, that acquisition cannot be restarted.
    g. Accept the designated Output Path, or browse to another location.
    h. Enter an optional Alternate Path if desired.

    4. In the Format tab:


    a. For the Evidence File Format, select Current (Ex01). This is the default.
    b. Specify Compression as Enabled (default) or Disabled.
    c. From the Verification Hash dropdown menu, select a hashing algorithm: MD5 (default), SHA-1, or MD5 and SHA-1.
    d. Specify the File Segment Size (MB) (minimum: 30 MB, maximum: 8,796,093,018,112 MB, default: 2048 MB).

    5. Click the Encryption button to open the Encryption Details dialog.

    Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder of the current user profile. To save the encryption keys to a different location, right click in the Encryption Details dialog, then click Change Root Path from the dropdown menu.

    6. Click the key icon in the upper pane to open the New Encryption Key dialog.


    7. Click Next to generate a new encryption key.

    8. After the key is generated, the Password dialog displays.

    9. Enter a name for the encryption key, then enter a password and enter the password again to confirm it. The Password Quality bar indicates if the password you entered is acceptable.

    10. When you have entered an acceptable password, confirm the password, then click Finish.


    11. EnCase Forensic Imager prompts you to save the public key file you just created.

    12. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just created.


    13. Click the checkbox for the new key, then click OK.

    Using an Existing Public Key

    If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of the current user profile, then click Update.


    Acquiring Other Types of Supported Evidence Files

    In addition to the native EnCase Forensic Imager file formats, .Ex01, .E01, .Lx01, and .L01, EnCase Forensic Imager supports SafeBack files (.001), VMware files (.vmdk), and Virtual PC files (.vhd) directly. To add any of these types of evidence files:

    1. Select Add Evidence File from the Add Evidence view of the Home tab, or click the Add Evidence dropdown menu while in the Evidence tab and select Add Evidence File.

    2. The Add Evidence File dialog displays. Use the dropdown menu at the bottom right corner of the dialog to change to the appropriate file extension for your evidence or choose the All Evidence Files option.

    3. Navigate to the location of your evidence and select the first file of the evidence set as you would for EnCase evidence files, then click Open.

    Verifying Evidence Files

    Verify Evidence Files checks CRC values of selected files. It is a way to ensure that evidence is not tampered with. Verified CRC information is written out to a log file. From the Evidence tab, you can check the CRC Errors tab in the bottom pane and bookmark any sectors that contain errors.

    To perform an Evidence File verification:

    1. Acquire the evidence files.

    2. Add the evidence files to your case.

    3. Click Tools > Verify Evidence Files.

    4. The Verify Evidence Files file dialog opens.


    5. Select one or more evidence files, then click Open. During verification, a progress bar displays in the bottom right corner of the window.
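    An added Python example (not code from the guide or from Guidance Software) of what the block-level CRC check and the device hash catch: it builds a constructed image with a per-block CRC32 and MD5/SHA-1 device hashes, verifies it, then verifies a tampered copy and reports the failing sector range the way the CRC Errors tab lets an examiner bookmark it. The 64-sector block size and the container dictionary are assumptions made for this example, not the EnCase file format.

```python
import hashlib
import zlib

SECTOR = 512
# Assumption for this example: one CRC protects a 64-sector block (32 KiB).
BLOCK_SECTORS = 64
BLOCK = SECTOR * BLOCK_SECTORS


def build_container(image: bytes, algos=("md5", "sha1")) -> dict:
    """Model what an acquisition records alongside the data: one CRC32 per block
    and a device-level hash. Constructed stand-in for an evidence file, not the
    EnCase on-disk layout."""
    crcs = [zlib.crc32(image[i:i + BLOCK]) & 0xFFFFFFFF
            for i in range(0, len(image), BLOCK)]
    hashes = {a: hashlib.new(a, image).hexdigest() for a in algos}
    return {"data": image, "block_crcs": crcs, "device_hashes": hashes}


def verify_container(container: dict) -> dict:
    """Recompute every block CRC and the device hash. Each failing block is
    reported as an inclusive (first_sector, last_sector) range so the examiner
    can bookmark exactly the sectors that no longer match."""
    data = container["data"]
    crc_errors = []
    for idx, stored in enumerate(container["block_crcs"]):
        chunk = data[idx * BLOCK:(idx + 1) * BLOCK]
        if (zlib.crc32(chunk) & 0xFFFFFFFF) != stored:
            first = idx * BLOCK_SECTORS
            # The final block may be partial, so derive its sector count from its length.
            last = first + (len(chunk) + SECTOR - 1) // SECTOR - 1
            crc_errors.append((first, last))
    hash_ok = {a: hashlib.new(a, data).hexdigest() == h
               for a, h in container["device_hashes"].items()}
    return {"crc_errors": crc_errors, "hash_ok": hash_ok,
            "verified": not crc_errors and all(hash_ok.values())}


def tamper(container: dict, offset: int, new_bytes: bytes) -> dict:
    """Return a copy whose data differs at offset while the stored CRCs and
    hashes are left untouched, simulating a modified or corrupted segment."""
    data = bytearray(container["data"])
    data[offset:offset + len(new_bytes)] = new_bytes
    return {**container, "data": bytes(data)}


# Constructed image: two full blocks of a repeating pattern plus a partial third block.
SAMPLE_IMAGE = bytes(range(256)) * (2 * BLOCK // 256) + b"\xAA" * 1000


def demo():
    good = build_container(SAMPLE_IMAGE)
    # Overwrite four bytes inside sector 69 (block 1) of the copy.
    bad = tamper(good, BLOCK + 5 * SECTOR + 3, b"EDIT")
    return verify_container(good), verify_container(bad)


if __name__ == "__main__":
    ok, failed = demo()
    print("original image verified:", ok["verified"])
    print("tampered image verified:", failed["verified"])
    print("CRC errors (sector ranges):", failed["crc_errors"])
    print("device hash match:", failed["hash_ok"])
```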

    Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)

    EnCase Forensic Imager can detect and image DCO and/or HPA areas on any ATA-6 or higher-level disk drive. These areas are detected using LinEn or a Tableau write blocker.

    This applies to EnCase Forensic Imager applications using:

    Tableau
    LinEn when the Linux distribution used supports Direct ATA mode

    The application now shows if a DCO area exists in addition to the HPA area on a target drive.

    HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and so it can be accessed only by reconfiguring the disk. HPA and DCO are extremely similar: the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase Forensic Imager applications see both areas if they coexist on a hard drive.

    It is important to note that if you choose to remove a DCO, it will make a permanent change to the drive controller of the device.


    Using a Write Blocker

    Write blockers prevent inadvertent or intentional writes to an evidence disk. Their use is described in these sections:

    Windows-based Acquisitions with Tableau and FastBloc Write Blockers on page 22
    Acquiring in Windows without a Tableau or FastBloc Write Blocker on page 22

    Windows-based Acquisitions with Tableau and FastBloc Write Blockers

    The following write blockers are supported in EnCase Forensic Imager:

    Tableau T35es
    Tableau T35es-RW
    Tableau T4
    Tableau T6es
    Tableau T8-R2
    Tableau T9
    FastBloc FE
    FastBloc 2 FE v1
    FastBloc 2 FE v2
    FastBloc LE
    FastBloc 2 LE
    FastBloc 3 FE

    Computer investigations require a fast, reliable means to acquire digital evidence. These are hardware write blocking devices that enable the safe acquisition of subject media in Windows to an EnCase evidence file.

    The hardware versions of these write blockers are not standalone products. When attached to a computer and a subject hard drive, a write blocker provides investigators with the ability to quickly and safely preview or acquire data in a Windows environment. The units are lightweight, self-contained, and portable for easy field acquisitions, with on-site verification immediately following the acquisition.

    Support for Tableau write blocker devices enables EnCase Forensic Imager to:

    Identify a device connected through the Tableau device as write blocked.
    Access the Host Protected Area (HPA) and access, via removing, the Device Configuration Overlay (DCO) area of a drive using the Tableau device.

    Note: EnCase Forensic Imager does not support access of DCO areas via EnScript. By default, HPA is automatically disabled on the device.

    Acquiring in Windows without a Tableau or FastBloc Write Blocker

    Never acquire hard drives in Windows without a write blocker because Windows writes to any local hard drive visible to it. Windows will, for example, put a Recycle Bin file on every hard drive that it detects and will also change Last Accessed date and time stamps for those drives.

    Media that Windows cannot write to are safe to acquire from within Windows, such as CD-ROMs, write protected floppy diskettes, and write protected USB thumb drives.


    Acquiring a Disk Running in Direct ATA Mode

    If the Linux distribution supports the ATA mode, you will see a Mode option. You must set the mode before acquiring the disk. An ATA disk can be acquired via the drive-to-drive method. The ATA mode is useful for cases when the evidence drive has a Host Protected Area (HPA) or Drive Control Overlay (DCO). Only Direct ATA Mode can review and acquire these areas.

    Ensure LinEn is configured as described in LinEn Setup Under SUSE, and autofs is disabled (cleared). Linux is running in Direct ATA Mode.

    1. If the FAT32 storage partition to be acquired has not been mounted, mount it.

    2. Navigate to the folder where LinEn resides and type ./linen in the console.

    3. The LinEn main screen displays.

    4. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA mode.

    5. Continue the drive-to-drive acquisition with Step 3 of Performing a Drive-to-Drive Acquisition Using LinEn.

    Acquiring Disk Configurations

    Guidance Software uses the term disk configuration instead of RAID. A software disk configuration is controlled by the operating system software (or LVM software), whereas a controller card controls a hardware disk configuration. In a software disk configuration, information pertinent to the layout of the partitions across the disks is located in the registry or at the end of the disk, depending on the operating system; in a hardware disk configuration, it is stored in the BIOS of the controller card. With each of these methods, you can create six disk configuration types:

    Spanned
    Mirrored
    Striped
    RAID-5
    RAID-10
    Basic


    Software RAID

    EnCaseForensic Imager applications support these software RAIDs:

    Windows NT: see Windows NT Software Disk Configurations

    Windows 2000: see Dynamic Disk Windows XP: see Dynamic Disk Windows 2003 Servers: see Dynamic Disk Windows Vista: see Dynamic Disk

    Windows Server 2008: see Dynamic Disk

    Windows Server 2008R2: see Dynamic Disk

    Windows 7: see Dynamic Disk

    RAID-10

    RAID-10 arrays require at least four drives, implemented as a striped array of RAID-1 arrays.

    Hardware Disk Configuration

    Hardware disk configurations can be acquired:

    As one drive

    As separate drives

    Windows NT Software Disk Configurations

    In a Windows NT file system, you can use the operating system to create different types of disk configurations across multiple drives. The possible disk configurations are:

    Spanned

    Mirrored

    Striped

    RAID 5

    Basic

    The information detailing the types of partitions and the specific layout across multiple disks is contained in the registry of the operating system. EnCase Forensic Imager applications can read this registry information and resolve the configuration based on the key. The application can then virtually mount the software disk configuration within the EnCase Forensic Imager case.

    There are two ways to obtain the registry key:

    Acquiring the drive

    Backing up the drive

    Acquire the drive containing the operating system. It is likely that this drive is part of the disk configuration set, but in the event it is not (such as when the disk configuration is used for storage purposes only), acquire the OS drive and add it to the case along with the disk configuration set drives.

    To make a backup disk on the subject machine, use Windows Disk Manager and select Backup from the Partition option.


    This creates a backup disk of the disk configuration information, placing the backup on a CD or DVD. You can then copy the file into your EnCase Forensic Imager application using the Single Files option, or you can acquire the CD or DVD and add it to the case. The case must have the disk configuration set drives added to it as well. This process works only if you are working with a restored clone of a subject computer. It is also possible a registry backup disk is at the location.

    In the EnCase Forensic Imager Evidence tab, select the device containing the registry or the backup disk and all devices which are members of the RAID. Click the Open button to go to the Entry view of the Evidence tab. Select the disk containing the registry, then click the dropdown menu on the upper right menu of the Evidence tab. Select Device, then select Scan Disk Configuration. At this point, the application attempts to build the virtual devices using information from the registry key.

    Support for EXT4 Linux Software RAID Arrays

    EnCase Forensic Imager provides the ability to parse EXT4 Linux Software RAID arrays (for Ubuntu version 9.1 and version 10.04), using the Scan for LVM option in the Device dropdown menu.

    These configurations are supported:

    RAID 1 (mirror)

    RAID 10

    Note: EnCase Forensic Imager does not support partial reconstruction of RAIDs. After parsing, all RAID devices must have full descriptors or the process will fail.

    Dynamic Disk

    Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 Server R2. The information pertinent to building the configuration resides at the end of the disk rather than in a registry key. Therefore, each physical disk in this configuration contains the information necessary to reconstruct the original setup. EnCase Forensic Imager applications read the Dynamic Disk partition structure and resolve the configurations based on the information extracted.

    To rebuild a Dynamic Disk configuration, add the physical devices involved in the set to the case. In the Evidence tab, select the devices involved in the Dynamic Disk and click the Open button on the menu bar to change to the Entries view of the Evidence tab. Select the devices, then click the dropdown menu at the top right of the Evidence tab. Select Device and choose Scan Disk Configuration.

    If the resulting disk configurations seem incorrect, you can manually edit them by returning to the highest Evidence view of the Evidence tab. Select the Disk Configuration option, click the dropdown menu from the top right corner of the Evidence tab, and select Edit Disk Configuration.


    Disk Configuration Set Acquired as One Drive

    Unlike software disk configurations, those controlled by hardware contain the necessary configuration information in the card's BIOS. Because the disk configuration is controlled by hardware, EnCase Forensic Imager cannot automatically reconstruct the configurations from the physical disks.

    However, since the pertinent information to rebuild the set is contained within the controller, the computer (with the controller card) actually sees a hardware disk configuration as one (virtual) drive, regardless of whether the set consists of two or more drives. Therefore, if the investigator acquires the set in its native environment, the disk configuration can be acquired as one drive, which is the easiest option. The best method for performing such an acquisition is to conduct a crossover network cable acquisition.

    Note: The LinEn boot disk for the subject computer needs to have Linux drivers for that particular RAID controller card.

    To acquire the set:

    1. Keep the disk configuration intact in its native environment.

    2. Boot the subject computer with a Live Linux Boot Disk containing the LinEn utility and configured with the drivers for the RAID controller card.

    3. Launch the LinEn utility.

    Note: The BIOS interprets the disk configuration as one drive, so EnCase Forensic Imager applications will as well. The investigator sees the disk configuration as one drive.

    4. Acquire the disk configuration as you normally acquire a single hard drive, depending on the means of acquisition. Crossover network cable or drive-to-drive acquisition is straightforward, as long as the set is acquired as one drive.

    If the physical drives were acquired separately, or could not be acquired in the native environment, EnCase Forensic Imager can edit the hardware set manually.

    Disk Configurations Acquired as Separate Drives

    Sometimes acquiring the hardware disk configuration as one drive is not possible, or the method of assembling a software disk configuration seems incorrect. Editing a disk configuration requires this information:

    Stripe size

    Start sector

    Length per physical disk

    Whether the striping is right handed

    You can collect this data from the BIOS of the controller card for a hardware set, or from the registry for software sets.

    When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can still rebuild the virtual disk using parity information from the other disks in the configuration. This is detected automatically during the reconstruction of hardware disk configurations using the Scan Disk Configuration command.


    To acquire a disk configuration set as one disk:

    1. Add the evidence files to one case.

    2. On the Evidence tab, click the down arrow in the far right corner to display a dropdown menu, then click Create Disk Configuration.

    3. The Disk Configuration dialog displays. Enter a name for your disk configuration. Click the appropriate disk configuration.

    4. Right click the empty space under Component Devices and click New.

    5. Enter the start sector and size of the selected disk configuration, select the drive image which belongs as the first element of the RAID, then click OK.

    6. Repeat steps 4 and 5 for each additional element drive of the RAID in order.

    7. Back at the main Disk Configuration screen, set the Stripe Size, select whether this is a Physical Disk Image, and whether it uses Right-Handed Striping.

    8. Once you are sure that the settings and order of the drives are correct, click OK. EnCase Forensic Imager will generate a new item in your Evidence tab containing the RAID rebuilt to your specifications. This new Disk Configuration can be acquired to an EnCase evidence file and processed in the Evidence Processor just like a physical drive.
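    The following is an added example, not code from the guide or from Guidance Software, showing what the four values the manual asks for (stripe size, start sector, length per disk, striping direction) and the drive order in the Create Disk Configuration dialog actually do when a RAID-5 set is rebuilt from separately acquired member images, including regenerating one missing member from XOR parity. The parity layout is an assumption: parity moves one disk per stripe row, "right-handed" is taken to mean it starts on disk 0 and moves to higher-numbered disks, and data fills the remaining disks in order; EnCase's exact mapping of its Right-Handed Striping checkbox is not stated in the guide.

```python
# Added example, not from the EnCase guide. Layout assumptions (not from the
# guide): parity rotates one member per stripe row; "right-handed" means the
# parity starts on disk 0 and moves to higher-numbered disks; data chunks fill
# the remaining disks in order. Member images are bytes; None marks a bad disk.
SECTOR = 512

def xor_blocks(blocks):
    """XOR equal-length byte strings (RAID-5 parity)."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")

def parity_disk(row, n, right_handed):
    """Member index holding parity for stripe row `row` of an n-disk set."""
    return row % n if right_handed else (n - 1) - (row % n)

def build_raid5(volume, n, stripe, start_sector, right_handed=True):
    """Split a logical volume into n member images (constructed test data)."""
    data_per_row = stripe * (n - 1)
    assert len(volume) % data_per_row == 0
    members = [bytearray(b"\xff" * (start_sector * SECTOR)) for _ in range(n)]
    for row in range(len(volume) // data_per_row):
        chunks = [volume[i:i + stripe] for i in
                  range(row * data_per_row, (row + 1) * data_per_row, stripe)]
        p, it = parity_disk(row, n, right_handed), iter(chunks)
        for d in range(n):
            members[d] += xor_blocks(chunks) if d == p else next(it)
    return [bytes(m) for m in members]

def rebuild_raid5(members, stripe, start_sector, length, right_handed=True):
    """members: per-disk images in RAID order (None = missing/bad disk);
    length: bytes of RAID data per member after the start sector."""
    n = len(members)
    if members.count(None) > 1:
        raise ValueError("RAID-5 can only rebuild one missing member")
    out = bytearray()
    for row in range(length // stripe):
        off = start_sector * SECTOR + row * stripe
        chunks = [None if m is None else m[off:off + stripe] for m in members]
        if None in chunks:  # regenerate the lost chunk from the other n-1
            good = [c for c in chunks if c is not None]
            chunks[chunks.index(None)] = xor_blocks(good)
        p = parity_disk(row, n, right_handed)
        out += b"".join(c for d, c in enumerate(chunks) if d != p)
    return bytes(out)

# Constructed sample: 3-disk set, 4-byte stripes, data starting at sector 1.
VOLUME = bytes(range(48))                  # 6 rows x 2 data chunks x 4 bytes
MEMBERS = build_raid5(VOLUME, 3, 4, 1)
DEGRADED = [MEMBERS[0], None, MEMBERS[2]]  # disk 1 lost, as with a bad drive

def demo():
    """True if the degraded set still yields the original volume."""
    return rebuild_raid5(DEGRADED, 4, 1, 24) == VOLUME
```

Reading the same members with the wrong striping direction or drive order yields a plausible-looking but wrong volume, which is why the guide has you confirm the settings and order before clicking OK.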

    Acquiring a DriveSpace Volume

    DriveSpace volumes are only recognized as such after they are acquired and mounted into a case. On the storage computer, mount the DriveSpace file as a volume, then acquire it again to see the directory structure and files.

    To acquire a DriveSpace volume:

    1. A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace volume. A FAT16 partition can be created only with a FAT16 OS (such as Windows 95).

    2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using format.exe.

    3. Image the DriveSpace volume.

    4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or DRVSPACE.000.


    5. Right click the file and copy/unerase it to the FAT16 partition on the storage computer.

    6. In Windows 98, click Start > All Programs > Accessories > System Tools > DriveSpace.

    7. Launch DriveSpace.

    8. Select the FAT16 partition containing the compressed .000 file.

    9. Select Advanced > Mount DRVSPACE.000, then click OK, noting the drive letter assigned to it. The Compressed Volume File (.000) from the previous drive is now seen as folders and files in a new logical volume.

    10. Acquire this new volume.

    11. Create the evidence file and add it to your case. You can now view the compressed drive.

    Canceling an Acquisition

    You can cancel an acquisition while it is running. After canceling, you can restart the acquisition.

    To cancel an acquisition while it is running:

    1. At the bottom right corner of the main window, double click the Thread Status line. The Thread Status dialog displays.

    2. Click Yes. The acquisition is canceled. You can restart it at a later time.

    CD-DVD Inspector File Support

    EnCase Forensic Imager applications support viewing files created using CD/DVD Inspector, a third-party product. Treat these files as single files when adding them, as zip files, or as composite files when using the file viewer. Drag single files into the application.

    Reacquiring Evidence

    When you have a raw evidence file generated outside an EnCase application, reacquiring it results in the creation of an EnCase evidence file containing the content of the raw evidence file and providing the opportunity to hash the evidence, add case metadata, and CRC block checks.

    You may also want to reacquire an existing EnCase evidence file to change the compression settings or the file segment size.


    Reacquiring Evidence Files

    Start by adding the evidence file(s) to your case as previously described. You can reacquire evidence either from the Evidence tab or through the Evidence processor. To acquire in the Evidence tab:

    1. Select the items you want to reacquire.

    2. Click the Open button to change to the Entries view of the Evidence tab.

    3. Highlight the item you want to reacquire, click Acquire on the top menu, and select Acquire from the dropdown menu.

    4. Complete the Acquire Device dialog as you would for previewed evidence.

    5. You can repeat steps 3 and 4 for each device or volume you want to reacquire.

    Retaining the GUID During Evidence Reacquisition

    EnCase Forensic Imager now provides an option that retains the GUID when evidence is reacquired. To retain the GUID, select the Keep GUID checkbox that displays in the Advanced tab of the Acquire Device dialog. To open the Acquire Device dialog, select the device for acquisition.

    Adding Raw Image Files

    Reacquiring raw evidence files like DD images or CD-ROM .iso files embeds the device contents within an EnCase evidence file, adding case metadata, CRC block checks and, optionally, the hash value of that image.

    To acquire a raw evidence file:

    1. In the Add Evidence dropdown menu, click Add Raw Image.


    2. The Add Raw Image dialog opens.

    3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the Component Files list. For DD images or other raw images consisting of more than one segment, the segments must all be added in their exact order from first to last.

    4. Click the Generate true GUID checkbox for EnCase Forensic Imager to generate a unique GUID if a match is found.

    5. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.

    6. A Disk Image object displays in the Evidence tab.

    7. You can reacquire this image as you would any other supported evidence or previewed device.

    Restoring a Drive

    The following steps describe how to restore a drive. Note that before you begin, you first need to add evidence to the case.

    1. From the EnCase Forensic Imager top toolbar, select the Evidence option from the View dropdown.

    2. In the Table view, click the evidence file with the device you would like to restore.

    3. From the Device dropdown on the Evidence tab menu, select Restore. The Restore dialog displays.


    4. Click Next to collect local hard drives.

    5. From the list of Local Devices, click the drive you want to restore.

    6. Click Next. The Drives dialog displays.

    7. Select options for wiping and verification.

    8. Click Finish.

    9. A dialog displays asking you to verify the local drive selection. Verify that you are restoring to the correct drive by typing Yes, then click OK.

    The bar in the lower right corner of the screen tracks the progress of the restore.


    Index

    A

    Acquiring a Disk Running in Direct ATA Mode 23
    Acquiring a DriveSpace Volume 27
    Acquiring a Local Drive 7
    Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) 21
    Acquiring Disk Configurations 23
    Acquiring in Windows without a Tableau or FastBloc Write Blocker 22
    Acquiring Non-local Drives 7
    Acquiring Other Types of Supported Evidence Files 20
    Adding Raw Image Files 29

    C

    Canceling an Acquisition 28
    CD-DVD Inspector File Support 28
    Creating an Encrypted Evidence File 14
    Creating an Encrypted Logical Evidence File 7
    Creating Encrypted Evidence Files 7

    D

    Disk Configuration Set Acquired as One Drive 26
    Disk Configurations Acquired as Separate Drives 26
    Dynamic Disk 25

    E

    EnCase Evidence Files 6
    EnCase Forensic Imager User's Guide 3

    H

    Hardware Disk Configuration 24

    L

    Launching EnCase Forensic Imager 5
    Logical Evidence Files 6

    O

    Overview 5

    R

    RAID-10 24
    Raw Image Files 6
    Reacquiring Evidence 28
    Restoring a Drive 30
    Retaining the GUID During Evidence Reacquisition 29

    S

    Single Files 6
    Software RAID 24
    Sources of Acquisitions 5
    Support for EXT4 Linux Software RAID Arrays 25

    T

    Types of Acquisitions 5
    Types of Evidence Files 6

    U

    Using a Write Blocker 22

    V

    Verifying Evidence Files 20

    W

    Windows NT Software Disk Configurations 24
    Windows-based Acquisitions with Tableau and FastBloc Write blockers 22