# Basic EnCase

## Creating a Case

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQ90-14dPQGWL9j4Dg%2F-MiQ9LNfHQ5EAIYVhwwR%2Fimage.png?alt=media\&token=93fd6c47-70a2-4cf7-ad89-0d27440118b9)

* **Templates**: a template has the extension .CaseTemplate and is stored in the Users\Documents\EnCase\Templates folder. It carries:
  * Case information items with default values
  * Bookmark folders and notes
  * Tag names
  * Report template
  * User-defined report styles
* **Base Case Folder**: By default, your cases will be stored in your Documents or My Documents folder.
* **Primary Evidence Cache**: when EnCase loads an evidence item for viewing, it parses the item and stores the resulting metadata here. Each acquired evidence item is assigned a GUID, and a folder of that GUID name holds the cached data for that item.
* **Secondary Evidence Cache**: a second location that EnCase checks for caches created previously, so evidence that has already been parsed does not have to be parsed again.
* **Case Info**: fields for data pertaining to the case (some optional, some expected). Which fields appear depends on the template selected under Templates.

### EnCase Folder Structure

* EnCase creates the Email, Export, Tags, and Temp subfolders automatically.
* The Evidence and EvidenceCache folders are not created for you; create them manually.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQAGnHvLtBDJLQ_YZ_%2F-MiQANEYUTGjL92eDz1s%2Fimage.png?alt=media\&token=76d9f40c-8cde-47e3-ad89-07a4c2a501d4)

## EnCase View

Placeholder

## Verify Evidence

Evidence tab > drop-down menu > Verify File Integrity. The result columns are File Integrity, MD5, SHA-1 and CRC Errors.

*Note: Add Evidence automatically verifies each new evidence file added to the case, and reopening the case verifies any evidence file that has not been verified yet.*
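Integrity verification is worth understanding outside the GUI: a whole-image hash only says that something changed, while per-chunk CRCs say where. The Python script below is an added example written for this page, not EnCase code and not a parser for the E01 format. It models an acquisition record as whole-image MD5 and SHA-1 plus a CRC32 per 64-sector chunk (the chunk size is an assumption borrowed from the E01 default; the image bytes are constructed) and reports the same four fields as the Verify File Integrity columns, plus the first damaged sector so the examiner can jump to it in Disk View.

```python
import hashlib
import zlib

SECTOR = 512
CHUNK_SECTORS = 64              # assumption: one CRC32 per 64-sector chunk, as E01 does by default
CHUNK = SECTOR * CHUNK_SECTORS  # 32 KiB


def chunk_crcs(image: bytes) -> list:
    """CRC32 of every chunk, in order."""
    return [zlib.crc32(image[i:i + CHUNK]) & 0xFFFFFFFF
            for i in range(0, len(image), CHUNK)]


def acquire(image: bytes) -> dict:
    """What an acquisition records beside the data: per-chunk CRCs plus
    whole-image MD5 and SHA-1 (constructed model, not the real E01 layout)."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha1": hashlib.sha1(image).hexdigest(),
            "crcs": chunk_crcs(image)}


def verify(image: bytes, record: dict) -> dict:
    """Re-hash the image and compare it to the acquisition record.
    Mirrors the columns EnCase shows: File Integrity, MD5, SHA-1, CRC Errors."""
    md5_ok = hashlib.md5(image).hexdigest() == record["md5"]
    sha1_ok = hashlib.sha1(image).hexdigest() == record["sha1"]
    now, then = chunk_crcs(image), record["crcs"]
    # A chunk is an error if it is missing on either side or its CRC changed.
    crc_errors = [n for n in range(max(len(now), len(then)))
                  if n >= len(now) or n >= len(then) or now[n] != then[n]]
    return {"file_integrity": md5_ok and sha1_ok and not crc_errors,
            "md5": md5_ok,
            "sha1": sha1_ok,
            "crc_errors": crc_errors,
            # first damaged sector: where to Go To in Disk View
            "first_bad_sector": crc_errors[0] * CHUNK_SECTORS if crc_errors else None}


def sample_image(chunks: int = 4) -> bytes:
    """Constructed stand-in for an acquired volume: `chunks` chunks of repeating bytes."""
    return bytes(range(256)) * (chunks * CHUNK // 256)


def corrupt(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, simulating media or transport damage after acquisition."""
    damaged = bytearray(image)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    clean = sample_image()
    record = acquire(clean)
    print("clean:  ", verify(clean, record))
    print("damaged:", verify(corrupt(clean, 2 * CHUNK + 5), record))
    print("truncated:", verify(clean[:3 * CHUNK], record))
```

A single flipped bit fails both hashes and exactly one CRC, so the report names chunk 2 (sector 128) rather than just "mismatch"; a truncated image shows up as a missing trailing chunk. Real E01 verification reads the stored hashes and CRCs out of the evidence file itself, which this model does not do.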

## Timeline view

Tree pane > Set Included Folders (chooses which folders feed the Table pane) > Timeline view > Higher Resolution or Lower Resolution to zoom the time axis

Date Types > select which timestamp types are plotted

![Timeline View](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2Fsync%2F97ee0ea310a8313b9eeaba8c7c43a88b28b3d43f.png?generation=1630396029271099\&alt=media)

## Sort

First sort (either of the following):

* Open the Sort menu from the Table toolbar
* Double-click the header of the column you want to sort

Second (secondary) sort, applied within the first:

* Hold down the Shift key and double-click the column header

Sort in the opposite direction:

* CTRL + double-click the column header (reverses the primary sort)
* CTRL + SHIFT + double-click the column header (reverses the secondary sort)

Remove sort:

* Remove Sort in the Sort menu
* Double-click the sorted column header

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFGExvWL0pAaGpOuGCG%2F-MFGFPs_xlWo_N0WSWEo%2Fimage.png?alt=media\&token=3ec83d28-53a7-4916-95fd-5a86d7505fe4)

## Gallery view

* To see images, use the Set Included Folders button in the Tree pane to choose which folders feed the Table pane; Gallery view shows the images among them.
* Until file signature analysis has run, EnCase decides what is an image from the file extension alone. After it has run, files are displayed according to their file header, so a renamed image appears in the gallery and a non-image carrying a .jpg extension does not.

## Disk view

* Evidence tab -> place the cursor on the device -> Device -> Disk View
* By default, you see a series of colored square blocks, each representing one sector. If you prefer that each block represent a cluster, click the check box next to View Clusters on the toolbar for this view.
* Blue blocks are allocated sectors or clusters.
* The gray blocks with the raised bump in the center are unallocated sectors or clusters.
* To go to a sector, type its number into the Go To feature on the Disk View toolbar.

![](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MFGGRBXwPdvEXjViYrB%2F-MFGGUz1tj0rWBfDxGTv%2Fimage.png?alt=media\&token=3bb0aad7-8ebc-4f80-94d0-08aabf931909)

## File Types view

* Add a file type: View > File Types > New
* Add a file viewer (offered under Open With): View > File Viewers > New File Viewer

![View \&gt; File Types](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Lbb_39tmcDnLzapDpbU%2F-Lbb_aVLIMuRgqWSz9Nh%2F2019-04-04%2015_01_05-Greenshot.png?alt=media\&token=3bf2d6e2-592f-4928-abe4-1c7c769102ee)

![New File Type](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Lbb_39tmcDnLzapDpbU%2F-Lbb_kSFym6dapDWOrvq%2F2019-04-04%2015_01_32-Greenshot.png?alt=media\&token=a7e8b5e8-254c-4e92-91f1-f14594996c9b)

## Evidence Processor

![Right Click \&gt; Process](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Lbb_39tmcDnLzapDpbU%2F-Lbb_vMYDj8r_Du8j9qe%2F2019-04-04%2014_48_55-Greenshot.png?alt=media\&token=dd7ce395-81a1-4058-912f-cabad121bf2d)

![Evidence Processor](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-Lbb607jjbLVXeo4rhcb%2F-Lbb61IZZSX0fnxbCwMK%2Fimage.png?alt=media\&token=08a1aa8a-aa16-4a96-8fd5-edc60949d022)

| Task                                    | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Prioritization                          | <p>Prioritization options</p><p><img src="https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQQjYWbRcyMrJHZiga%2F-MiQRgyrNyKgTVhLDDKJ%2Fimage.png?alt=media&#x26;token=9da9c011-501e-4224-9d78-c1b2ca129ce1" alt=""></p>                                                                                                                                                                                                                                                                                             |
| Recover folders                         | <p>Recovers folders, and the files in them, that were deleted or corrupted on FAT and NTFS volumes</p><p><em>Note: with the Recover folder structure of NTFS 3.0 files option on, recovery takes longer but reconstructs the folder tree; if it is left unchecked, all recovered folders are grouped together without a tree structure.</em></p><p><img src="https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2Fsync%2F020dc250786699be88375cbfbac189a19da39fd4.png?generation=1630398176799986&#x26;alt=media" alt=""></p> |
| File signature analysis                 | Determine if the extension of a file has been altered and whether or not the extension matches the file type as specified by the file’s header                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Protected file analysis                 | Identify encrypted and password-protected files with the Passware Encryption Analyzer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| Thumbnail creation                      | Creates image thumbnails for faster display in the EnCase® GUI                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Hash analysis                           | Generate MD5 and/or SHA1 hash values for files and compare against your case Hash Library                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| Expand compound files                   | Expand compound and compressed files, such as ZIP, RAR, GZIP, TAR, THUMBS.DB, CLOOP, and BZIP2                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| Find email                              | Extract individual messages from e-mail archive files, such as PST (Microsoft® Outlook), NSF (Lotus® Notes), DBX (Microsoft® Outlook Express), EDB (Microsoft® Exchange), AOL, MBOX, and EMLX (Macintosh).                                                                                                                                                                                                                                                                                                                                                                  |
| Find Internet artifacts                 | Collect Internet-related artifacts, such as browser histories and cached web pages. You also have the option to search unallocated space for the Internet artifacts.                                                                                                                                                                                                                                                                                                                                                                                                        |
| Search for keywords                     | Search raw (not transcript) text for specific keywords.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| Index text and metadata                 | Create an index for when you need to search for keywords in compound files (Microsoft Office 2007 and 2010) and across large amounts of data. You can adjust the parameters for index creation, such as the minimum word length to index and whether to use a noise file (which does not index specific and common words).                                                                                                                                                                                                                                                  |
| System Info Parser                      | <p>Report on the core system information for Linux and Windows, including:</p><ul><li>User activity (Linux only)</li><li>Operating system</li><li>Hardware</li><li>Software</li><li>Accounts/users</li><li>Network information</li><li>Shared/mapped drives</li><li>USB Devices</li><li>Network Shares</li></ul><p>Advanced : Windows Registry</p><ul><li>Time zone setting</li><li>Auto start</li><li>Hardware</li><li>User activity</li><li>User defined keys</li><li>Network Shares</li><li>Other AutoRuns</li></ul>                                                     |
| Windows Artifact Parser                 | <p>Report on Windows artifacts, including</p><ul><li>Link files</li><li>Recycle Bin files</li><li>MFT (NTFS Master File Table) transactions</li></ul><p>Option: All or selected files, and/or unallocated clusters</p>                                                                                                                                                                                                                                                                                                                                                      |
| Snapshot (Live preview of devices only) | Running processes, open ports, logged on users, etc.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |

## File Signature Analysis

### Create a new file signature

![View \&gt; File Types](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQJ7R51Fk9asH6QKsz%2F-MiQJJlcMH6sEcSXMW5z%2Fimage.png?alt=media\&token=ab168475-f992-45b6-8d76-9a63f7cd75b5)

![Click New on the File Types table toolbar](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQJ7R51Fk9asH6QKsz%2F-MiQJQMUvIryxc5nQR7Z%2Fimage.png?alt=media\&token=d1857b89-42fa-4153-a9ab-989e67c4497e)

![Change the extensions or Description of the file types](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQJd39noucL_Wgu6SW%2F-MiQJjQjTsWCk3aHvkSD%2Fimage.png?alt=media\&token=a61b1595-2992-45db-a7d7-45301913b348)

### Running File Signature Analysis against Selected Files

* Blue check the specific files you want to run signature analysis on.
* Click Entries. In the dropdown menu, click Hash\Sig Selected. The Hash\Sig Selected dialog displays.
* Select Verify file signatures to run signature analysis.
* Click OK and refresh the device after running

![Entries \&gt; Hash\Sig Selected](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQKYcKFx1VTgAQvXvi%2F-MiQKdF_EA5KnrvLn2Ak%2Fimage.png?alt=media\&token=90045e58-c20c-40c5-926c-ac98b34faee1)

### File Signature Analysis

| Example file | Header bytes | Header in File Types table | Extension               | Signature           | Signature Analysis result |
| ------------ | ------------ | -------------------------- | ----------------------- | ------------------- | ------------------------- |
| picture.jpg | FF D8 FF E0 | Known           | Known and matches       | JPEG Image Standard | Match              |
| picture.dll | FF D8 FF E0 | Known           | Known and incorrect     | JPEG Image Standard | Alias              |
| anyfile.zza | FF D6 FE FF | Unknown         | Unknown                 |                     | Unknown            |
| picture.jpg | D8 D8 FF E0 | Unknown         | Known and doesn't match |                     | Bad Signature      |

* Use a filter to pull out one class of result (for example every Alias or Bad Signature entry)
* Find Entries by Signature
* The matching entries are listed in the Result tab
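The classification in the table above, written out as an added example for this page (it is not EnCase code). `FILE_TYPES` is a constructed stand-in for the File Types table; the JPEG entry uses the 4-byte `FF D8 FF E0` header from the table, the other entries are well-known headers added for the example, and the result names follow the Signature Analysis column. The example also handles the cases the table does not list: a file with no extension, and a known header under an extension the table has never seen (reported as Alias, since the header identifies the type).

```python
# Constructed File Types table: (description, header bytes at offset 0, extensions).
FILE_TYPES = [
    ("JPEG Image Standard", bytes.fromhex("FFD8FFE0"), {"jpg", "jpeg"}),
    ("Portable Network Graphics", bytes.fromhex("89504E470D0A1A0A"), {"png"}),
    ("ZIP Archive", bytes.fromhex("504B0304"), {"zip", "docx", "xlsx", "pptx"}),
    ("Windows Executable", bytes.fromhex("4D5A"), {"exe", "dll", "sys"}),
]


def extension_of(name: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def signature_of(header: bytes):
    """File Types entry whose header is a prefix of the file's first bytes; longest match wins."""
    hits = [t for t in FILE_TYPES if header.startswith(t[1])]
    return max(hits, key=lambda t: len(t[1]), default=None)


def analyse(name: str, header: bytes) -> tuple:
    """Classify one entry the way the Signature Analysis column does.
    Returns (result, signature description)."""
    ext = extension_of(name)
    ext_known = any(ext in t[2] for t in FILE_TYPES)   # '' is never known
    sig = signature_of(header)
    if sig is not None:                                # header known
        description, _, extensions = sig
        return ("Match" if ext in extensions else "Alias"), description
    # header unknown: a known extension whose header is wrong is a Bad Signature
    return ("Bad Signature" if ext_known else "Unknown"), ""


def find_entries_by_signature(entries, result: str) -> list:
    """The 'Find Entries by Signature' filter: names of entries with the given result."""
    return [name for name, header in entries if analyse(name, header)[0] == result]


# Constructed entries: the four rows of the table above plus an executable hiding as .txt.
ENTRIES = [
    ("picture.jpg", bytes.fromhex("FFD8FFE0")),   # Match
    ("picture.dll", bytes.fromhex("FFD8FFE0")),   # Alias: JPEG renamed to .dll
    ("anyfile.zza", bytes.fromhex("FFD6FEFF")),   # Unknown: neither header nor extension known
    ("broken.jpg", bytes.fromhex("D8D8FFE0")),    # Bad Signature: .jpg with a header that is not JPEG
    ("readme.txt", b"MZ\x90\x00"),                # Alias: PE executable renamed to .txt
]

if __name__ == "__main__":
    for name, header in ENTRIES:
        print(f"{name:12} {header.hex(' ').upper():12} -> {analyse(name, header)}")
    print("Alias entries:", find_entries_by_signature(ENTRIES, "Alias"))
```

Alias and Bad Signature are the results worth filtering for during triage: both mean the name and the content disagree, which is either an attempt to hide a file type or a sign of damage. Unknown entries only mean the File Types table has no entry for them, so adding a signature (the New dialog above) converts them into one of the other three results on the next run.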

## Hash Analysis

### Creating hash libraries and hash sets

* Before you can create any hash sets from within EnCase, you must first create a hash library container, which is a folder containing a series of file-based, database-like structures into which EnCase will store hash sets.

![Create a folder](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQMYSRXrmH9pbAIA3I%2F-MiQMd2iAkUngfvFLU-w%2Fimage.png?alt=media\&token=8f585f20-0caa-4a19-ba4b-f33730988874)

* Tools -> Manage Hash Libraries

![Tools \&gt; Manage hash library](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQMYSRXrmH9pbAIA3I%2F-MiQMnFCeTHfs2TBVjTc%2Fimage.png?alt=media\&token=0b28f8eb-919b-4277-b64e-fc5facdd4bab)

* Manage Hash Libraries -> New Hash Library

![New hash library \&gt; Select the folder (container) you created](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQMYSRXrmH9pbAIA3I%2F-MiQMuSOCDFcRyyd_yc_%2Fimage.png?alt=media\&token=a50d6a60-aed0-4ece-8e74-35d5226e9a08)

* Importing legacy hash sets into EnCase


![Importing legacy EnCase hash sets](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQMYSRXrmH9pbAIA3I%2F-MiQN61qw8Ut4g_FvTdU%2Fimage.png?alt=media\&token=213a5978-58a3-4b07-9184-c14e5b87230b)

### Adding hash values to the hash sets and library

* Query the hash libraries for an MD5 hash value
* Manage Hash Library -> Query

![Manage Hash Library \&gt; Query](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQNB_oinPk-_UGEPqQ%2F-MiQNHT4LF5Kcodf-tq3%2Fimage.png?alt=media\&token=e868f152-0a6f-4ee6-88aa-7769aad1d12b)

* Add to hash library -> Right Click New Hash Set


![Add to Hash Library \&gt; Right click New Hash Set](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQNB_oinPk-_UGEPqQ%2F-MiQNQvBHU_fMIpxA0Iv%2Fimage.png?alt=media\&token=26ce0711-7f07-4186-9c86-85fd296c2df8)

### Using hash values to identify/exclude files

* Entries -> Hash\Sig Selected
* Find Entries by Hash Category -> Result tab
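The whole hash-library workflow, modelled as an added example for this page (not EnCase code): create a library and hash sets, add values from hashed entries and from an imported legacy export, query by MD5 or SHA-1, then bucket entries by hash category so Known files can be excluded from review and Notable ones flagged. All file contents, hash-set names and the legacy export format are constructed for the example.

```python
import hashlib


def digests(data: bytes) -> tuple:
    """(MD5, SHA-1) hex digests, the two values Hash\\Sig Selected computes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


class HashLibrary:
    """Constructed model of an EnCase hash library: named hash sets, each with a
    category, indexed by MD5 and SHA-1 so a query by either algorithm resolves."""

    def __init__(self):
        self.sets = {}      # hash set name -> category ("Known", "Notable", ...)
        self.by_md5 = {}    # md5 hex -> hash set name
        self.by_sha1 = {}   # sha1 hex -> hash set name

    def new_hash_set(self, name: str, category: str) -> None:
        self.sets[name] = category

    def add_hashes(self, set_name: str, md5: str = "", sha1: str = "") -> None:
        """Add pre-computed values (what an import from another library supplies)."""
        if set_name not in self.sets:
            raise KeyError(f"unknown hash set: {set_name}")
        if md5:
            self.by_md5[md5.lower()] = set_name
        if sha1:
            self.by_sha1[sha1.lower()] = set_name

    def add_entry(self, set_name: str, data: bytes) -> None:
        """Hash an entry and add both values (Hash\\Sig Selected, then Add to Hash Library)."""
        self.add_hashes(set_name, *digests(data))

    def import_legacy(self, set_name: str, category: str, text: str) -> int:
        """Import a constructed legacy export: one 'md5,sha1' line per value, '#' comments ignored."""
        self.new_hash_set(set_name, category)
        count = 0
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = [p.strip() for p in line.split(",")]
            self.add_hashes(set_name, parts[0], parts[1] if len(parts) > 1 else "")
            count += 1
        return count

    def query(self, digest: str):
        """Manage Hash Library > Query: look a value up by MD5 (32 hex chars) or SHA-1 (40)."""
        digest = digest.lower()
        index = {32: self.by_md5, 40: self.by_sha1}.get(len(digest))
        name = index.get(digest) if index is not None else None
        return (name, self.sets[name]) if name else None

    def category_of(self, data: bytes) -> str:
        """Hash category of an entry's content, or '' when it is in no hash set."""
        md5, sha1 = digests(data)
        hit = self.query(sha1) or self.query(md5)
        return hit[1] if hit else ""


def triage(entries, library: HashLibrary) -> dict:
    """Find Entries by Hash Category: bucket entry names by category. Known files are
    excluded from review, Notable ones are flagged, everything else still needs a look."""
    buckets = {}
    for name, data in entries:
        buckets.setdefault(library.category_of(data) or "Unmatched", []).append(name)
    return buckets


# Constructed contents; none of these are real system or malware hashes.
SYSTEM_FILES = {"notepad.exe": b"MZ\x90\x00constructed-notepad",
                "kernel32.dll": b"MZ\x90\x00constructed-kernel32"}
DROPPER = b"MZ\x90\x00constructed-dropper"
EVIDENCE = [
    ("Windows/System32/notepad.exe", SYSTEM_FILES["notepad.exe"]),
    ("Windows/System32/kernel32.dll", SYSTEM_FILES["kernel32.dll"]),
    ("Users/bob/Downloads/invoice.exe", DROPPER),
    ("Users/bob/Downloads/invoice (1).exe", DROPPER + b"\x00"),   # same dropper, one byte appended
    ("Users/bob/Documents/notes.txt", b"constructed user document"),
]


def build_library() -> HashLibrary:
    """Library with a Known baseline set built from entries and a Notable set imported from a legacy export."""
    lib = HashLibrary()
    lib.new_hash_set("Windows baseline", "Known")
    for data in SYSTEM_FILES.values():
        lib.add_entry("Windows baseline", data)
    legacy = "# md5,sha1 of the dropper, exported from another library\n" + ",".join(digests(DROPPER)) + "\n"
    lib.import_legacy("Malware samples", "Notable", legacy)
    return lib


if __name__ == "__main__":
    library = build_library()
    print("query:", library.query(digests(DROPPER)[0]))
    for category, names in triage(EVIDENCE, library).items():
        print(f"{category}: {names}")
```

The padded copy of the dropper lands in Unmatched: hash analysis identifies byte-identical content only, so a sample that has been re-packed or had a byte appended is not caught, and a Notable hit is a lead to examine rather than proof on its own. The Known set is where the time saving comes from; every entry it matches is one the examiner never has to open.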

### Hash Analysis Summary

* Creating a Hash Library
  * Tools > Manage Hash Library
  * New button
  * Browse for a folder -> click OK
* Import hash sets from another library
  * Tools > Manage Hash Library
  * Click Import from the toolbar
* Creating a Hash Set
  * Tools > Manage Hash Library
  * click New Hash Set. The Create Hash Set dialog appears
* Adding Hash Values to a Hash Set
  * Hash the items first: select them, then Entries -> Hash\Sig Selected
  * Right click Entries -> Add to hash library
  * Choose the hash library to add to
  * Select one existing hash sets or create new hash set by right clicking
  * Select Fields

![Add to hash library](https://3899724814-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbSIGOSblVtuEjzcmhL%2F-MiQQWeOE6CF1mDepziW%2F-MiQQeZMFnFeJeNVndBI%2Fimage.png?alt=media\&token=3d943eda-27bc-425a-b7e0-3117285bb904)

* Adding Hash Values to a Hash Set from Results
