Encase Computer Forensics I Manual By Guidance Software Encase

2020. 2. 21. 02:19 No category


During his career, Scott earned his law degree and began to work in electronic discovery and computer forensics. However, he recognized that communication in the workplace was a challenge. Working with P&G, who helped him identify how to succeed at his peak, he was able to have a more vocal role – addressing team meetings – and eventually was assigned a personal interpreter. Currently, he is on track towards a Master’s in Informatics and is interested in insider risk, which involves studying how to better protect internal data from malicious employees, third parties, or business partners.

Guidance Software
215 North Marengo Avenue, 2nd Floor, Pasadena, California 91101
Phone: 626.229.9191, Fax: 626.229.9199
e-mail: www.guidancesoftware.com

EnCase Forensic v5.05 User Manual
EnCase™ Forensic Version 5 User Manual

Copyright © 2006 Guidance Software, Inc. May not be copied or reproduced without the written permission of Guidance Software, Inc.

Table of Contents

Legal Notice
- EnCase® License Agreement
- License and Certain Restrictions
- Non-Exclusive License
- Support for the Law Enforcement/Government Edition of the PROGRAM
- Support for the Corporate Edition of the PROGRAM
- Support for the Corporate Deluxe Edition of the PROGRAM
- Premium License Support Program, Annual Payment Option
- Premium License Support Program, Three-Year Payment Option
- EnScript® Macros WARNING
- Disclaimer of Warranties
- Limitation of Liability and Damages
- Export Restrictions
- Government End Users
- General Provisions

Preface
- Manual Organization
- Minimum Recommended Requirements
- Help Resources
- Technical Support
- EnCase Message Boards
- About Guidance Software
- EnCase Forensic
- EnCase Enterprise
- Guidance Software's Professional Development and Training
- Law Enforcement Courses
- Computer Forensics and Incident Response Courses
- Expert Courses
- Guidance Software's Professional Services Division
- Additional Corporate Services

What’s New in EnCase Version 5
- Enhanced User Interface
- Home Subtab
- Entries Subtab
- Secure Storage Subtab
- Email Subtab
- History and WebCache Subtabs
- File Extents, Permissions and Bookmarks Subtabs
- Sources Subtab and Table Column
- Subjects Subtab
- Local Keywords
- EnCase LinEn Acquisition Utility
- Additional File System Support
- Symbolic Link Table Column
- Ability to Create ENBCD From ISO Image
- Go To Parent
- Acquisition Options
- Quick Reacquisition Option
- Read Ahead
- Block Size
- Restart Acquisition
- Globally Unique Identifiers (GUIDs)
- Evidence File Segment/Splitting File Size
- CD/DVD Inspector File Support
- Logon User Identification
- EnCase Installation Files and Folders
- Export and Import of Bookmarks
- Flag Lost Files Option
- Keyword Tester
- Ability to Create a Logical Evidence File
- Single Files Option
- Filter Conditions
- EnScripts Added to Filter Pane
- PDF and Windows Help Files
- Device Configuration Overlay (DCO) and Host Protected Area (HPA) Support
- Virtual PC Images
- Support for SlySoft CloneCD™ Images
- PC Guardian Access
- Additional Servlet Support
- CD/DVD Module
- FastBloc SE Module
- Improved Enterprise Snapshot Functionality
- Enhanced EnScript Support

Installing EnCase
- The EnCase Installation CD and Autorun
- Disk 1 CD Installation Menu and Contents
- Security Key Drivers Installation
- Installing EnCase Version 5
- Installing the Servlet
- Software Updates
- To Download the Latest EnCase Version 5 Update
- Configuration Questions
- Security Key Questions

Creating the EnCase Boot Disk
- Windows Acquisition Issues
- Creating the EnCase Boot Disk
- Steps to Create the EnCase Barebones Boot Disk
- Creating an EnCase Boot CD
- Booting a Computer with the EnCase Boot Disk
- EnCase Network Boot Disk
- FAQs about EnCase Boot Disk

EnCase for DOS
- Launching EnCase for DOS
- EnCase for DOS Functions
- Locking / Unlocking (L)
- Quit

EnCase LinEn Utility
- Description
- LinEn Setup
- For SuSE 9.1
- For Red Hat
- Drive-to-Drive Acquisition
- Preview or Acquisition via Crossover

Previewing vs.
- Limitations of Previewing
- Advantages of Previewing
- Live Device and FastBloc Indicators
- Preview Questions
- Acquisition Questions

Parallel Port Cable Acquisition
- Parallel Preview Acquisition Process

Network Cable Acquisition
- Creating the EnCase Network Boot Disk (ENBD) or LinEn CD
- EnCase Network Boot Disk (ENBD)
- EnCase LinEn Utility
- Using the ENBD
- Using the EnCase LinEn Utility
- Troubleshooting LinEn connectivity issues
- Preview or Acquisition
- Windows XP SP2
- Windows 2000, XP, and 2003

Drive-to-Drive DOS Acquisition
- Drive Geometry Problems
- Benefits and Drawbacks
- Steps to Follow
- Acquiring Macintosh Devices
- Acquiring Unix and Linux
- After the Acquisition Is Complete

FastBloc Acquisitions
- FastBloc Acquisition Process
- Live Device and FastBloc Indicators
- Acquiring in Windows Without FastBloc
- Acquiring in Windows with a non-FastBloc Write-Blocker
- After Acquisition Is Complete

Acquiring Disk Configurations
- Software RAID
- Windows NT: Software Disk Configurations
- Dynamic Disk
- Hardware Disk Configuration
- Disk Configuration Set Acquired as One Drive
- Disk Configurations Acquired as Separate Drives
- Validating Parity on a RAID-5
- SCSI Drives and DOS

Acquiring Palm PDAs
- Palms Supported
- Getting Out of Console Mode
- One Final Note on Palms

Acquiring Removable Media
- Zip / Jaz Disks
- Floppy Disks
- Write-Protecting a Floppy Disk
- Superdisks (LS-120)
- CD-ROM, CD-R, CD-RW
- Flash media
- Equipment needed to preview/acquire flash media
- How to acquire flash media
- Examining flash media
- Acquiring Multiple Pieces of Media

First Steps
- Connecting to Remote Media
- SAFE Administration and User Accounts
- Logging Into a SAFE Server
- Creating a New Case
- Connecting to Media
- Remote Acquisition
- Time Zone Settings
- Recover Folders on FAT Volumes
- Behind the Scenes with Recover Folders
- Recovering NTFS Folders
- Lost Files in UFS and EXT2/3 Partitions
- Signature Analysis
- File Signatures
- Adding a New Signature
- Starting a Signature Analysis
- Viewing Results
- Hash Analysis
- File Hashing
- Creating a Hash Set
- Importing Hash Sets
- NSRL Hash Sets
- Rebuilding the Hash Library
- Benefits of a Hash Analysis
- Starting a Hash Analysis
- Analyzing the Hash Results
- Initialize Case
- FAT and NTFS Info Record Finder
- File Finder
- Link File Parser
- Find Unique EMail Address List

Navigating EnCase
- Creating a New Case
- Case Management
- Concurrent Case Management
- The Options Dialog
- Global Options
- Storage Paths
- Adding Evidence Files to a Case
- Sessions Option
- Error Messages
- Verifying the Evidence
- Adding Raw Image Files
- SafeBack and VMware Images
- Single Files
- Logical Evidence Files
- Docking and Undocking
- EnCase Views
- The Set Include Option Button
- The Cases Tab
- File Types
- File Signatures
- File Viewers
- Security IDs
- Text Styles
- Hash Sets
- EnScript Types
- Table Pane View
- Table View Columns Explained
- Organizing Columns
- Rearranging Columns
- Hiding and Showing Columns
- Sorting Files in Columns
- EnCase Icon Descriptions
- Gallery View
- America Online .ART files
- Timeline View
- Report View
- EnScript View
- View (Bottom) Pane
- Date and Time Questions

Viewing Files
- Copy/UnErasing Files
- Copying/UnErasing Bookmarks
- Copying Entire Folders
- Viewing Files Outside of EnCase
- File Viewers
- Setting up a File Viewer
- File Types
- File Viewing FAQs

E-Mail and Internet Artifacts
- E-Mail
- Using the Email Option
- E-mail Attachments tab
- Email Table Columns Explained
- Finding Web Artifacts
- Time interpretations formats
- History Table Columns Explained
- Web Cache
- Finding Web Cache data
- WebCache Table Columns Explained

Keyword Searches
- Creating Keyword Groups
- Entering Keywords
- Search Options
- International Keywords
- Keyword Tester Tab
- Exporting/Importing Keywords
- Exporting Keywords
- Importing Keywords
- Adding Keyword Lists
- Starting a Search
- Search Options
- Viewing Search Hits
- Bookmarking Search Hits
- The Refresh Button
- Canceling a Search

Viewing Compound Files
- Registry Files
- OLE Files
- Compressed Files
- Outlook Express E-Mail
- Base64 and UUE Encoding
- MS Outlook E-Mail
- NTFS Compressed Files
- Search Compressed NTFS Files and Folders
- Thumbs.db

EnScript and Filters
- EnScript Path
- Include Folder
- Running EnScripts
- Editing EnScripts
- The EnScript Library
- Editing Filters
- Starting and Stopping Filters
- Creating a Filter
- Creating a Condition
- Queries

Advanced Analysis
- Recovering Partitions
- Adding Partitions
- Deleting Partitions
- Recovering Folders from a Formatted Drive
- Web Browsing History
- Reading What the Subject Threw Away
- Making Sense of a DriveSpace Volume
- Cracking Encrypted or Password Protected Files
- System Snapshot
- Volatile Data Defined
- Volatile Data Components
- Volatile Data Capture Using Snapshot
- Open Ports
- Open Ports Table Columns
- Active Processes
- Processes Table Columns
- Open Files
- Network Interfaces and Users

Foreign Language Support (Unicode)
- Viewing Unicode Files
- Unicode Fonts
- Changing Font Size
- Font Recommendations
- Viewing Non-Unicode Files
- Right to Left (RTL) Languages
- Foreign Language Keyword Searches
- Copying and Pasting
- Character Map
- Regional Settings
- Foreign Language Bookmarking
- Rich Edit Control in Bookmarks
- More Information

Restoring Evidence
- Physical vs. Logical Restore
- Preparing the Target Media
- Physical Restore
- Logical Restore
- Booting the Restored Hard Drive
- Restoration FAQs

Archiving Evidence
- What Should Be Archived
- Verifying Evidence Files
- Cleaning House

Understanding Bookmarks
- Highlighted Data Bookmark
- Integers
- Dates
- Notes Bookmark
- Folder Information Bookmark
- Notable File Bookmark
- File Group Bookmark
- Documentation Options for Threads
- Bookmark Options
- Move or Copy Bookmarks
- Notable (Bookmarks table)
- Exporting Bookmarks

The Report
- Presenting the Findings
- Reordering Bookmarks for Reports
- Presenting Multiple Images
- Exporting the Report
- Documenting All Files and Folders Contained on Media
- Presenting Search Results

Appendix A
- Forensic Terminology
- PC Hardware
- Hard Drive Anatomy
- Hard Drive Layout
- File System Concepts
- File Systems
- Disk Configurations Explained
- Evidence Storage
- Evidence Files Explained

Appendix B
- GREP
- GREP Syntax
- GREP Examples

Appendix C
- Third Party Utilities
- Quick View Plus
- MBXtract
- Decode Shell Extension
- Disk Compare
- Mailbag Assistant
- PST Cracker
- CD-R Diagnostic
- Dir to HTML

Appendix D
- The Forensic Lab
- Field Acquisitions
- Lab Analysis
- Need Additional Information?

Index

Legal Notice

EnCase® License Agreement

Copyright

EnCase® version 5 is furnished under this license agreement (this “Agreement”) and may be used only in accordance with the terms of this Agreement. Copyright 1998-2006 Guidance Software, Inc. All Rights Reserved.

Definitions

PROGRAM is defined as the computer program “EnCase” including the software in executable form only and the single dongle hardware key with which this Agreement is included or remotely re-programmed by COMPANY, and any updates or maintenance releases thereto that COMPANY may provide to you. COMPANY is defined as Guidance Software, Inc., a California Corporation.

License and Certain Restrictions

This Agreement applies to both the trial and full versions of the PROGRAM. Do not use the PROGRAM until you have carefully read the following Agreement.

This Agreement sets forth the terms and conditions for licensing of the PROGRAM from COMPANY to you, and installing the PROGRAM indicates that you have read and understand this Agreement and accept its terms and conditions. If you do not agree with this Agreement, promptly return the PROGRAM and accompanying items to COMPANY within ten (10) days of purchase for a full refund with receipt. Absent such return, the PROGRAM will be deemed accepted by you upon shipment.

Non-Exclusive License

Authorized Use. You are granted a limited non-exclusive license to use a copy of the enclosed PROGRAM on the computer(s) used by a single individual. By your use of the PROGRAM pursuant to this Agreement, you recognize and acknowledge COMPANY's proprietary rights in the PROGRAM. You may not distribute the PROGRAM, including any demonstration version of the PROGRAM, to third parties without the written authorization from COMPANY. You may copy the “encase.exe”, “en.exe”, and “LinEn” executables to create and verify EnCase® evidence files, but you may not make or distribute copies of such executables, or copies, including demonstration versions, of the PROGRAM, for use in conjunction with any third party software.

You may make additional backup copies of the PROGRAM for your own use, as long as only one copy may be used at any one time. No copies or duplicates of the dongle hardware key may be made. You may not copy the printed materials, if any, accompanying the PROGRAM, or print multiple copies of any user documentation.

Applicable copyright laws protect the PROGRAM in its entirety. The PROGRAM also contains COMPANY trade secrets, and thus you may not decompile, reverse engineer, disassemble, or otherwise reduce the PROGRAM to human-perceivable form or disable any functionality that limits the use of the PROGRAM. You may not modify, adapt, translate, rent, sublicense, assign, loan, resell for profit, distribute, or network the PROGRAM, disk, or related materials or create derivative works based upon the PROGRAM or any part thereof. You may not publicly display the PROGRAM or provide technical training or instruction for monetary compensation or other consideration in any form. Your license is automatically terminated if you take any of the actions prohibited by the paragraph.

You may not transfer the PROGRAM to a third party, or sell the computer on which the PROGRAM is installed to a third party, without written consent from COMPANY and written acceptance of the terms of this Agreement by the transferee. If you transfer the PROGRAM with the written consent of COMPANY, you must transfer all computer programs and documentation and erase any copies residing on computer equipment. Your license is automatically terminated if you transfer the PROGRAM without the written consent of COMPANY. You are to ensure that the PROGRAM is not made available in any form to anyone not subject to this Agreement. A transfer fee of $150 will be charged to transfer the PROGRAM (not applicable to transfers associated with orders from VARs, distributors, or resellers or intra-company transfers). At all times, full title and ownership of the PROGRAM shall remain with COMPANY.

You are granted a non-exclusive license to utilize the PROGRAM subject to the terms of this Agreement.

Support

There are five separate levels of support available: (1) Support for the Law Enforcement/Government Edition of the PROGRAM, (2) Support for the Corporate Edition of the PROGRAM, (3) Support for the Corporate Deluxe Edition of the PROGRAM; (4) Premium License Support Program (“PLSP”), annual payment option, which is available to law enforcement and government only; and (5) PLSP, three-year payment option, which is available to law enforcement and government only. The five separate levels of support have the following terms:

Support for the Law Enforcement/Government Edition of the PROGRAM

As part of your license of the PROGRAM, you will receive one year of telephone and E-mail support only in accordance with COMPANY's standard telephone and E-mail support policies, and you are entitled to receive updates (e.g., version 5.01 to version 5.05), if any, of version 5 of the PROGRAM only for one (1) year from the date of purchase.

Support will begin upon the effective date of this Agreement, which is defined as the date the PROGRAM is licensed to you. After the initial year of support, you may elect to continue your support for additional periods of time for a separate fee. Such continued support will include during the applicable time period only: (i) telephone and E-mail support, and (ii) updates (e.g., version 5.01 to version 5.05), if any, of version 5 of the PROGRAM.

Support for the Corporate Edition of the PROGRAM

As part of your license of the PROGRAM, you purchased one, two, or three years of support. For the applicable time period purchased, you will receive: (i) telephone and E-mail support, (ii) updates (e.g., version 5.01 to version 5.05), if any, of version 5 of the PROGRAM, and (iii) any major releases of the PROGRAM (e.g., version 5 to version 6), and subsequent updates, if any, of such release, during such applicable time period. Support will begin upon the effective date of this Agreement, which is defined as the date the PROGRAM is licensed to you. After the initial period of support that you purchased, you may elect to continue your support for additional periods of time for a separate fee.

Support for the Corporate Deluxe Edition of the PROGRAM

As part of your license of the PROGRAM, you licensed EnCase® Virtual File System, EnCase® Physical Disk Emulator, and EnCase® Decryption Suite, and you purchased one, two, or three years of support. In addition, you will receive FastBloc® Software Edition upon public release of such product by COMPANY.

For the applicable time period purchased, you will receive: (i) telephone and E-mail support, (ii) updates (e.g., version 5.01 to version 5.05), if any, of version 5 of the PROGRAM, (iii) any updates to EnCase® Virtual File System, EnCase® Physical Disk Emulator, and/or EnCase® Decryption Suite, and (iv) any major releases of the PROGRAM (e.g., version 5 to version 6), and subsequent updates, if any, of such release, during such applicable time period.

Support will begin upon the effective date of this Agreement, which is defined as the date the PROGRAM is licensed to you. After the initial period of support that you purchased, you may elect to continue your support for additional periods of time for a separate fee.

Premium License Support Program, Annual Payment Option

PLSP is available only to law enforcement and government agencies. If you purchased PLSP, annual payment option, you have agreed to pay for three years of PLSP with three annual payments: the first annual fee upon purchase, the second annual fee on the first anniversary of your purchase, and the third annual fee on the second anniversary of your purchase.