Basic EnCase

Creating a Case

  • Templates: a case template has the extension .CaseTemplate and is stored in the Users\Documents\EnCase\Templates folder. A template carries the following:

  • Case information items with default values

  • Bookmark folders and notes

  • Tag names

  • Report template

  • User-defined report styles

  • Base Case Folder: By default, your cases will be stored in your Documents or My Documents folder.

  • Primary Evidence Cache: When EnCase loads an evidence item for viewing, it parses the item and stores the resulting metadata in this cache. Each acquired evidence item is assigned a GUID, and a folder named after that GUID holds the cached data for that item.

  • Secondary Evidence Cache: an additional location EnCase checks for caches that were created previously.

  • Case Info: several fields into which you can (or should) enter data pertaining to the case. The fields vary according to the template you selected under Templates.

EnCase Folder Structure

  • EnCase creates the subfolders Email, Export, Tags, and Temp automatically.

  • The Evidence and EvidenceCache folders are not created automatically; create them manually.

EnCase View

Placeholder

Verify Evidence

Evidence tab > drop-down menu > Verify File Integrity. The result reports File Integrity, MD5, SHA-1 and CRC Errors.

Note: Add Evidence automatically verifies each new evidence file added to the case, and reopening the case verifies any evidence files that have not yet been verified.
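The three checks listed above (whole-stream MD5 and SHA-1 plus per-chunk CRCs), modelled as an added Python example. This is not EnCase code and not the E01/EWF on-disk format: the 64-byte chunk size, the sample bytes and the flip_byte helper are assumptions made for the demonstration. It shows what each check catches: the hashes say whether the stream as a whole is intact, the CRC list says which chunks changed.

```python
import hashlib
import zlib

# Toy model of an acquired evidence file: the data stream plus the integrity values
# recorded at acquisition time. Assumption: real EWF files store per-chunk CRC32s
# (normally over 64 sectors) and an MD5/SHA-1 of the whole stream; this model uses
# 64-byte chunks so the sample stays small.
CHUNK_SIZE = 64


def acquire(data: bytes) -> dict:
    """Record what verification later checks: per-chunk CRC32, whole-stream MD5 and SHA-1."""
    crcs = [zlib.crc32(data[i:i + CHUNK_SIZE]) & 0xFFFFFFFF
            for i in range(0, len(data), CHUNK_SIZE)]
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "crcs": crcs,
    }


def verify(data: bytes, record: dict) -> dict:
    """Recompute every stored value and report which checks failed.

    md5_ok / sha1_ok cover the stream as a whole; crc_errors lists the
    indices of chunks whose content changed (the "CRC Errors" column).
    """
    md5_ok = hashlib.md5(data).hexdigest() == record["md5"]
    sha1_ok = hashlib.sha1(data).hexdigest() == record["sha1"]
    crc_errors = []
    for idx, stored in enumerate(record["crcs"]):
        chunk = data[idx * CHUNK_SIZE:(idx + 1) * CHUNK_SIZE]
        if (zlib.crc32(chunk) & 0xFFFFFFFF) != stored:
            crc_errors.append(idx)
    # A truncated or extended stream shows up as a chunk-count mismatch
    expected_chunks = len(record["crcs"])
    actual_chunks = (len(data) + CHUNK_SIZE - 1) // CHUNK_SIZE
    length_ok = expected_chunks == actual_chunks
    return {
        "md5_ok": md5_ok,
        "sha1_ok": sha1_ok,
        "crc_errors": crc_errors,
        "length_ok": length_ok,
        "verified": md5_ok and sha1_ok and length_ok and not crc_errors,
    }


# Constructed sample evidence: 512 bytes = 8 chunks (not real evidence data)
EVIDENCE = bytes(range(256)) * 2
RECORD = acquire(EVIDENCE)


def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one byte altered (simulates a damaged or modified image)."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    print("clean:   ", verify(EVIDENCE, RECORD))
    # One byte flipped inside chunk 5: both hashes fail and crc_errors == [5]
    print("tampered:", verify(flip_byte(EVIDENCE, 5 * CHUNK_SIZE + 3), RECORD))
```

The per-chunk CRC is what makes a verification failure actionable: a hash mismatch alone says "something changed", the CRC list points at the sector range to examine.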

Timeline view

Tree pane > Set Include > Timeline view > Higher Resolution or Lower Resolution

Date Types > select which timestamps are shown


Sort

First sort (either of the following):

  • Open the Sort menu from the Table toolbar

  • Double click the header of the column you want to sort by

Second (nested) sort:

  • Hold down the Shift key and double click the column header

Sort in the opposite direction:

  • CTRL + double click the column header (first sort)

  • CTRL + SHIFT + double click the column header (second sort)

Remove Sort:

  • Remove sort in the Sort menu

  • Double click

  • See images: with the Set Include Folders button in the Tree pane, you direct which content appears in the Table pane.

  • EnCase displays images based on the file extension. After file signature analysis has completed, files are displayed based on their header information instead.

Disk view

  • Evidence tab -> Place the cursor on device -> Device -> Disk View

  • By default, you see a series of colored square blocks, each representing one sector. If you would prefer that each block represent a cluster, simply click the check box next to View Clusters on the toolbar for this view.

  • Blue blocks are allocated sectors or clusters.

  • The gray blocks with the raised bump in the center are unallocated sectors or clusters.

  • Go to a sector by typing its number into the Go To feature, found on the menu of the Disk View toolbar.

File Types view

  • Add a File Type: View > File Types > New

  • Add a File Viewer: Open With > File Viewers > New File Viewer

Evidence Processor

Right click > Process to open the Evidence Processor. Its tasks, with a description of each:

  • Prioritization: option to choose which items are processed first.

  • Recover folders: recover files that have been deleted or corrupted on FAT and NTFS volumes.

    Note: when you turn on the "Recover folder structure of NTFS 3.0 files" option, recovery takes longer but reconstructs the folder tree; if it is left unchecked, all found folders are grouped together without a tree structure.

  • File signature analysis: determine whether a file's extension has been altered, i.e. whether the extension matches the file type indicated by the file's header.

  • Protected file analysis: identify encrypted and password-protected files with the Passware Encryption Analyzer.

  • Thumbnail creation: create image thumbnails for faster display in the EnCase® GUI.

  • Hash analysis: generate MD5 and/or SHA1 hash values for files and compare them against the case Hash Library.

  • Expand compound files: expand compound and compressed files, such as ZIP, RAR, GZIP, TAR, THUMBS.DB, CLOOP, and BZIP2.

  • Find email: extract individual messages from e-mail archive files, such as PST (Microsoft® Outlook), NSF (Lotus® Notes), DBX (Microsoft® Outlook Express), EDB (Microsoft® Exchange), AOL, MBOX, and EMLX (Macintosh).

  • Find Internet artifacts: collect Internet-related artifacts, such as browser histories and cached web pages, with the option to also search unallocated space for them.

  • Search for keywords: search raw (not transcript) text for specific keywords.

  • Index text and metadata: create an index for when you need to search for keywords in compound files (Microsoft Office 2007 and 2010) and across large amounts of data. The parameters for index creation can be adjusted, such as the minimum word length to index and whether to use a noise file (a list of specific, common words that are not indexed).

  • System Info Parser: report on the core system information for Linux and Windows, including:

    • User activity (Linux only)

    • Operating system

    • Hardware

    • Software

    • Accounts/users

    • Network information

    • Shared/mapped drives

    • USB Devices

    • Network Shares

    Advanced (Windows Registry):

    • Time zone setting

    • Auto start

    • Hardware

    • User activity

    • User defined keys

    • Network Shares

    • Other AutoRuns

  • Windows Artifact Parser: report on Windows artifacts, including:

    • Link files

    • Recycle Bin files

    • MFT (NTFS Master File Table) transactions

    Option: all or selected files, and/or unallocated clusters.

  • Snapshot (live preview of devices only): running processes, open ports, logged-on users, etc.

File Signature Analysis

Create a new file signature

View > File Types
Click New on the File Types table toolbar
Enter or change the extensions and Description of the file type

Running File Signature Analysis against Selected Files

  • Blue-check the specific files you want to run signature analysis on.

  • Click Entries. In the drop-down menu, click Hash\Sig Selected. The Hash\Sig Selected dialog displays.

  • Select Verify file signatures to run signature analysis.

  • Click OK and refresh the device after the run completes.

File Signature Analysis results: how the file's extension and its header combine into the result columns

  File          Header (hex)   Header in Table   Extension                  Signature              Signature Analysis
  picture.jpg   FF D8 FF E0    Known             Known and matches          JPEG Image Standard    Match
  picture.dll   FF D8 FF E0    Known             Known and incorrect        JPEG Image Standard    Alias
  anyfile.zza   FF D6 FE FF    Unknown           Unknown                    -                      Unknown
  picture.jpg   D8 D8 FF E0    Unknown           Known and doesn't match    -                      Bad Signature

Reading the rows: a header found in the File Types table decides the file type, and the extension then either belongs to that type (Match) or does not (Alias, e.g. a JPEG renamed to .dll). When the header is not in the table, a known extension means the content is not what the extension claims (Bad Signature), and an unknown extension gives Unknown.

  • Search for the different result types with a filter: Find Entries by Signature

  • The results appear in the Result tab
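The classification behind the four result rows above, written out as an added Python example (not EnCase's own code or EnScript). The FILE_TYPES table is a constructed three-entry subset, the sample entries mirror the table rows plus one renamed executable, and the function names are assumptions; it also generalises the table to any header/extension combination and implements the "Find Entries by Signature" filter over the results.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileType:
    description: str
    header: bytes          # bytes the file must start with
    extensions: frozenset  # extensions associated with this header


# Constructed file-types table (assumption: a tiny subset; EnCase ships a large one).
FILE_TYPES = (
    FileType("JPEG Image Standard", bytes.fromhex("FFD8FFE0"), frozenset({"jpg", "jpeg"})),
    FileType("ZIP Archive", bytes.fromhex("504B0304"), frozenset({"zip"})),
    FileType("Windows Executable", bytes.fromhex("4D5A"), frozenset({"exe", "dll", "sys"})),
)


def extension_of(name: str) -> str:
    """Lower-cased extension of a file name, '' when it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze(name: str, head: bytes) -> dict:
    """Classify one entry the way the signature-analysis columns do.

    Returns Header in Table, Extension, Signature and the verdict
    (Match / Alias / Bad Signature / Unknown).
    """
    ext = extension_of(name)
    # Longest header first, so a short signature such as "MZ" cannot shadow a longer one
    header_hit = next(
        (ft for ft in sorted(FILE_TYPES, key=lambda f: -len(f.header))
         if head.startswith(ft.header)),
        None,
    )
    ext_known = any(ext in ft.extensions for ft in FILE_TYPES)

    if header_hit is None:
        # No signature recognised: the verdict depends only on whether the extension is known
        return {
            "header": "Unknown",
            "extension": "Known and doesn't match" if ext_known else "Unknown",
            "signature": "",
            "result": "Bad Signature" if ext_known else "Unknown",
        }
    if ext in header_hit.extensions:
        ext_col, result = "Known and matches", "Match"
    else:
        # Header is known but the extension belongs to another type (or to none): renamed file
        ext_col, result = "Known and incorrect", "Alias"
    return {"header": "Known", "extension": ext_col,
            "signature": header_hit.description, "result": result}


def find_entries_by_signature(entries, wanted: str):
    """Filter like "Find Entries by Signature": names of entries whose verdict is `wanted`."""
    return [name for name, head in entries if analyze(name, head)["result"] == wanted]


# Constructed entries: (file name, first bytes of content); not real files
SAMPLE_ENTRIES = [
    ("picture.jpg", bytes.fromhex("FFD8FFE000104A46")),  # JPEG with the right extension
    ("picture.dll", bytes.fromhex("FFD8FFE000104A46")),  # JPEG renamed to .dll
    ("anyfile.zza", bytes.fromhex("FFD6FEFF00000000")),  # neither header nor extension known
    ("picture.jpg", bytes.fromhex("D8D8FFE000000000")),  # .jpg whose content is not a JPEG
    ("notes.txt", bytes.fromhex("4D5A900003000000")),    # executable hiding behind .txt
]


if __name__ == "__main__":
    for name, head in SAMPLE_ENTRIES:
        print(f"{name:12} {head[:4].hex(' ').upper():12} {analyze(name, head)}")
    print("Alias entries:", find_entries_by_signature(SAMPLE_ENTRIES, "Alias"))
```

In a review, the Alias and Bad Signature buckets are where the interesting files live: Alias is a recognised type under the wrong name, Bad Signature is a claimed type whose content does not back it up.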

Hash Analysis

Creating hash libraries and hash sets

  • Before you can create any hash sets from within EnCase, you must first create a hash library container: a folder containing a series of file-based, database-like structures into which EnCase stores hash sets.

  • Create a folder to serve as the container.

  • Tools > Manage Hash Libraries > New Hash Library > select the folder (container) you created.

Importing legacy EnCase hash sets

  • Tools > Manage Hash Libraries > Import

Adding hash values to the hash sets and library

  • Query the hash libraries for an MD5 hash: Manage Hash Library > Query

  • Add to hash library: right click > New Hash Set

Using hash values to identify/exclude files

  • Entries > Hash\Sig Selected

  • Find Entries by Hash Category > Result tab

Hash Analysis Summary

  • Creating a Hash Library

    • Tools > Manage Hash Library

    • New button

    • Browse for a folder -> click OK

  • Import hash sets from another library

    • Tools > Manage Hash Library

    • Click Import from the toolbar

  • Creating a Hash Set

    • Tools > Manage Hash Library

    • click New Hash Set. The Create Hash Set dialog appears

  • Adding Hash Values to a Hash Set

    • Hash the items first: Entries > Hash\Sig Selected

    • Right click Entries > Add to hash library

    • Choose the hash library to add to

    • Select one of the existing hash sets, or create a new hash set by right clicking

    • Select Fields

  • Adding Hash Values to a Hash Set from Results
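The hash-library workflow summarised above (create a library and hash sets, import a legacy set, hash selected entries, query, and find entries by hash category), modelled as an added Python example. It is not EnCase code or EnScript: the in-memory HashLibrary class, the category names "Known" and "Notable", the sample file contents and the function names are all assumptions made for the demonstration. The legacy import deliberately carries MD5 only, to show why a query should try both hash values.

```python
import hashlib


class HashLibrary:
    """In-memory model of an EnCase hash library: a container of named hash sets.

    Each set carries a category. Assumption: "Known" (safe to exclude from
    review) and "Notable" (flag for review) are conventions, not enforced names.
    """

    def __init__(self):
        self.sets = {}  # set name -> {"category": str, "md5": set[str], "sha1": set[str]}

    def new_hash_set(self, name: str, category: str) -> None:
        self.sets[name] = {"category": category, "md5": set(), "sha1": set()}

    def add_hashes(self, set_name: str, md5: str = None, sha1: str = None) -> None:
        """Add already-computed hash values (what an import supplies)."""
        hs = self.sets[set_name]
        if md5:
            hs["md5"].add(md5.lower())
        if sha1:
            hs["sha1"].add(sha1.lower())

    def add_file(self, set_name: str, data: bytes) -> None:
        """Hash the content and add both values (the Hash\\Sig Selected > Add to hash library path)."""
        self.add_hashes(set_name, hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())

    def import_legacy(self, rows) -> int:
        """Import (set name, category, md5) rows from an older library; returns rows added."""
        count = 0
        for set_name, category, md5 in rows:
            if set_name not in self.sets:
                self.new_hash_set(set_name, category)
            self.add_hashes(set_name, md5=md5)
            count += 1
        return count

    def query(self, md5: str = None, sha1: str = None):
        """Return (set name, category) for every set holding either hash value."""
        hits = []
        for name, hs in self.sets.items():
            if (md5 and md5.lower() in hs["md5"]) or (sha1 and sha1.lower() in hs["sha1"]):
                hits.append((name, hs["category"]))
        return hits


def hash_sig_selected(entries):
    """Compute (MD5, SHA-1) for each (name, content) entry, like Hash\\Sig Selected."""
    return {name: (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest())
            for name, data in entries}


def categorize(entries, lib: HashLibrary) -> dict:
    """Map each entry name to its hash category ('' when no set matches).

    An entry present in several sets takes the category of the first hit.
    """
    out = {}
    for name, (md5, sha1) in hash_sig_selected(entries).items():
        hits = lib.query(md5=md5, sha1=sha1)
        out[name] = hits[0][1] if hits else ""
    return out


def find_entries_by_hash_category(entries, lib: HashLibrary, category: str):
    """The "Find Entries by Hash Category" filter over the categorised entries."""
    return [name for name, cat in categorize(entries, lib).items() if cat == category]


# Constructed sample contents standing in for real files (not real OS or evidence data)
OS_FILE = b"constructed stand-in for a known-good OS binary"
FILE_OF_INTEREST = b"constructed stand-in for a file previously flagged in another case"
USER_DOC = b"constructed user document with no hash-set entry"

SAMPLE_ENTRIES = [("kernel32.dll", OS_FILE), ("image001.jpg", FILE_OF_INTEREST), ("notes.docx", USER_DOC)]


def build_sample_library() -> HashLibrary:
    """Library with one set built from content and one imported legacy set (MD5 only)."""
    lib = HashLibrary()
    lib.new_hash_set("OS baseline", "Known")
    lib.add_file("OS baseline", OS_FILE)
    lib.import_legacy([("Case 42 notable", "Notable", hashlib.md5(FILE_OF_INTEREST).hexdigest())])
    return lib


if __name__ == "__main__":
    lib = build_sample_library()
    print(categorize(SAMPLE_ENTRIES, lib))
    print("to review:", [n for n, c in categorize(SAMPLE_ENTRIES, lib).items() if c != "Known"])
```

Querying with both values matters in practice: a legacy set that holds only MD5 will never match an entry looked up by SHA-1 alone, and the file would silently fall into the uncategorised bucket.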
