Post on 18-Nov-2014
Desktop Imaging Using EnCase

October 2009

Timothy Opsitnick, Esq., Senior Partner
Eric A. Vanderburg, Manager, Information Systems and Security

© 2009 Property of JurInnov Ltd. All Rights Reserved


Overview
• What is a Forensic Acquisition
• Why is it done
• I’ve never done it before! How am I supposed to do it?
• Please interrupt us if you have questions


What is Computer Forensics?

Computer Forensics is a scientific, systematic inspection of a computer system and its contents, using specialized techniques and tools for the recovery, authentication, and analysis of electronic data.

Forensic Acquisition is the foundation on which the forensic examination is set. Without the proper foundation, anything else an examiner does is open to question.


What is Forensic Acquisition?

Forensic Acquisition is a specific process to capture every single piece of digital data available on storage media.

It is a bit-by-bit copy: every single digital 1 and 0 is captured. It is not a mirror image nor a clone, although some people think these terms are interchangeable.


An actual clone drive (photo)


WHY? Why not just use Windows to copy the files?

Special software is used to capture not only active files (files that are available to the operating system) but also deleted files, system configuration data and their associated metadata. Data is preserved unchanged. Special files called image files are created; they can be used to clone a hard drive or used directly in an examination. They are easily verifiable, portable and often standardized between different brands of forensic software. The copy is not subject to Windows limitations.


Logical vs Physical

• Forensic Harvesting - Logical vs Physical
  – Logical
    • Data that is visible via the O.S.
  – Physical
    • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT)

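The logical/physical distinction above is easier to see on bytes than on a slide. The following is an added example (Python), not code from the JurInnov deck or from EnCase: it builds a constructed 16-sector "disk" with a hand-made allocation table (no real filesystem), then contrasts what a logical copy of the active file returns with what a physical, sector-by-sector image contains in the system area, file slack and unallocated space. Names such as `build_demo_disk`, `hidden_regions` and the sample strings are all invented for the illustration.

```python
"""Logical vs physical harvesting, shown on a constructed miniature 'disk'.

Added example, not part of the JurInnov deck. The disk is a bytes buffer with a
hand-built allocation table; it imitates the layout (system area, active file,
file slack, unallocated space) rather than any real filesystem.
"""
import re

SECTOR = 512
SECTORS = 16


def build_demo_disk():
    """Return (disk, directory). directory maps each active file name to
    (start_sector, length_in_bytes). All contents are constructed sample data."""
    disk = bytearray(SECTOR * SECTORS)
    # Sector 0: stand-in for the system area (MBR / partition table).
    disk[0:32] = b"FAKE-MBR partition-table sample".ljust(32, b"\x00")
    # Sector 1 once held memo.txt. The user deleted it, so it has no directory
    # entry, but the sector was never overwritten: this is unallocated space.
    deleted = b"memo.txt: wire the money to account 12345 before the audit"
    disk[SECTOR:SECTOR + len(deleted)] = deleted
    # Sectors 3-4 hold the active file report.txt (600 bytes). The remaining
    # 424 bytes of sector 4 are file slack; pretend an older file left residue.
    residue = b"old-draft: passwords in slack area"
    disk[4 * SECTOR + 200:4 * SECTOR + 200 + len(residue)] = residue
    report = b"Q3 report: everything is fine.".ljust(600, b"A")
    disk[3 * SECTOR:3 * SECTOR + len(report)] = report
    return disk, {"report.txt": (3, 600)}


def logical_copy(disk, directory):
    """What 'just copying the files with Windows' yields: only the bytes the
    operating system reports as belonging to active files."""
    return {name: bytes(disk[s * SECTOR:s * SECTOR + n])
            for name, (s, n) in directory.items()}


def physical_image(disk):
    """Bit-by-bit: every sector, whether or not anything claims it."""
    return bytes(disk)


def hidden_regions(disk, directory):
    """The regions a physical image contains and a logical copy does not:
    system area, file slack of each active file, and unallocated sectors."""
    allocated, slack = set(), []
    for start, length in directory.values():
        end = start + (length + SECTOR - 1) // SECTOR   # sectors the file occupies
        allocated.update(range(start, end))
        slack.append(bytes(disk[start * SECTOR + length:end * SECTOR]))
    unallocated = b"".join(bytes(disk[i * SECTOR:(i + 1) * SECTOR])
                           for i in range(1, SECTORS) if i not in allocated)
    return {"system": bytes(disk[:SECTOR]),
            "slack": b"".join(slack),
            "unallocated": unallocated}


def printable_strings(data, minimum=8):
    """Crude 'strings' over raw bytes: runs of printable ASCII."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[ -~]{%d,}" % minimum, data)]


if __name__ == "__main__":
    disk, directory = build_demo_disk()
    active = b"".join(logical_copy(disk, directory).values())
    print("logical copy sees:", printable_strings(active))
    for region, data in hidden_regions(disk, directory).items():
        print(f"physical-only {region}:", printable_strings(data))
```

The deleted memo and the slack residue never appear in the logical copy, because no directory entry points at them; the physical image carries them simply because it carries every sector.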

Forensic Tools

• Forensic acquisition software includes:
  • EnCase
  • FTK
  • WinHex
  • ILook
  • Specially modified Linux software


Acquisition (HOW?)

Cables from Rear of Computer (photo)

Initial Setup (photos)
• Connect Destination Hard Drive
• Data and Power Cable from Computer
• Rear of Hard Drive

Initialize and Format (screenshot walkthrough, slides 13-27: initializing and formatting the destination drive)

DO NOT select dynamic disk! (NO)

Create Folder Structure (Step 3)

Connect Source Drive (photos)

Power On Write Blocker

EnCase
• Start New Case (new case dialogue box)
• Add Device
• Select Local Drive
• Check the box for your drive
• Your drive will be added
• Right click on your drive
• Select
• NO Compression!!
• Acquisition will start
• When completed: need the log
• Verify your destination
• Log will be saved here!

Need to Ensure a Match

• Presentation Suspect Images
• Description: Physical Disk, 39102336 Sectors, 18.6GB
• Physical Size: 512
• Starting Extent: 1S0
• Name: Presentation Suspect Images
• Actual Date: 03/24/09 03:17:21PM
• Target Date: 03/24/09 03:17:21PM
• File Path: E:\Presentation image.E01
• Case Number: Presentation Drive
• Evidence Number: Presentation Suspect Images
• Examiner Name: Stephen W. St.Pierre
• Drive Type: Fixed
• File Integrity: Completely Verified, 0 Errors
• Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
• Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
• GUID: 04d345276275524c8a111824be6eb170
• EnCase Version: 5.05j
• System Version: Windows 2003 Server
• Total Size: 20,020,396,032 bytes (18.6GB)
• Total Sectors: 39,102,336

The Acquisition Hash (computed over the source data as it was read) and the Verify Hash (recomputed from the finished image file) are identical 32-hex-digit MD5 values, and 39,102,336 sectors × 512 bytes = 20,020,396,032 bytes, which is what "Completely Verified, 0 Errors" is attesting to.
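The acquisition log above is the evidence that the copy is complete and unaltered. The block below is an added example (Python), not JurInnov's or EnCase's code: it performs a sector-aligned bit-for-bit copy of a source into a raw dd-style image (not an .E01), hashes the data as it streams past (MD5, matching the deck's log, plus SHA-256), re-reads the image to produce a verify hash, and emits a log with the same fields as the slide. It also checks that the destination is zero-filled first ("Utilize Sanitized Drives" from the closing slide). The source is a constructed sample file standing in for a write-blocked drive; the functions `is_sanitized`, `acquire`, `verify` and `demo` are names invented here.

```python
"""Bit-for-bit acquisition with acquisition/verify hashes and a log.

Added example, not from the JurInnov deck or from EnCase. Produces a raw
(dd-style) image, not an .E01. The 'suspect drive' is a constructed sample
file; on real hardware the source sits behind a write blocker and the
destination is a separate, sanitized drive.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512          # bytes per sector (the deck's log: 39,102,336 sectors x 512 = 20,020,396,032 bytes)
CHUNK = 64 * SECTOR   # read granularity for this demo; real tools read much larger blocks


def is_sanitized(path):
    """'Utilize Sanitized Drives': confirm the destination is all zeros before
    an image is written to it, so nothing from a prior case can bleed in."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def acquire(source, image, examiner, case_number, require_sanitized=True):
    """Copy every byte of `source` to `image`, hashing the stream on the way.
    The source is opened read-only; the size must be whole sectors."""
    if require_sanitized and not is_sanitized(image):
        raise RuntimeError(f"destination {image} is not zero-filled; wipe it before imaging")
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    started = datetime.now(timezone.utc)
    with open(source, "rb") as src, open(image, "wb") as dst:
        while chunk := src.read(CHUNK):
            dst.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            total += len(chunk)
    if total % SECTOR:
        raise ValueError(f"source is {total} bytes, not a whole number of {SECTOR}-byte sectors")
    return {
        "Case Number": case_number,
        "Examiner Name": examiner,
        "File Path": image,
        "Actual Date": started.strftime("%m/%d/%y %I:%M:%S%p"),
        "Total Size": total,
        "Total Sectors": total // SECTOR,
        "Acquisition Hash": md5.hexdigest(),
        "Acquisition SHA-256": sha256.hexdigest(),
    }


def verify(log):
    """Re-read the image from the destination and compare with the acquisition
    hash. A match means the stored image is byte-identical to what was read."""
    md5, size = hashlib.md5(), 0
    with open(log["File Path"], "rb") as f:
        while chunk := f.read(CHUNK):
            md5.update(chunk)
            size += len(chunk)
    result = dict(log)
    result["Verify Hash"] = md5.hexdigest()
    ok = result["Verify Hash"] == result["Acquisition Hash"] and size == result["Total Size"]
    result["File Integrity"] = "Completely Verified, 0 Errors" if ok else "VERIFY FAILED"
    return result


def demo():
    """Acquire and verify constructed data, then flip one byte of the image and
    verify again so the failure path is visible. Returns (good_log, bad_log)."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect.raw")
    image = os.path.join(work, "suspect.dd")
    with open(source, "wb") as f:              # constructed 100-sector 'suspect drive'
        f.write(b"\x55\xaa" * 256 + os.urandom(SECTOR * 99))
    with open(image, "wb") as f:               # zero-filled destination
        f.write(b"\x00" * SECTOR * 100)
    good = verify(acquire(source, image, "Examiner", "DEMO-001"))
    with open(image, "r+b") as f:              # simulate corruption or tampering
        f.seek(SECTOR * 7)
        original = f.read(1)
        f.seek(SECTOR * 7)
        f.write(bytes([original[0] ^ 0xFF]))
    bad = verify(good)
    return good, bad


if __name__ == "__main__":
    for entry in demo():
        for key, value in entry.items():
            print(f"{key}: {value}")
        print()
```

Keep both hashes in the log: MD5 reproduces what the EnCase 5 report shows, while SHA-256 gives a second, stronger value to quote if the MD5 is ever challenged.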

What else?

• Photograph
• Maintaining Chain of Custody (Data Storage Location)
• Logging
• Utilize Sanitized Drives
• BIOS/CMOS Time


For assistance or additional information

• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: Eric.Vanderburg@jurinnov.com, Timothy.Opsitnick@jurinnov.com

JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115
