desktop imaging using encase - jurinnov - eric vanderburg

Desktop Imaging Using EnCase

October 2009

Timothy Opsitnick, EsqSenior PartnerEric A. VanderburgManager, Information Systems and Security

© 2009 Property of JurInnov Ltd. All Rights Reserved


Overview• What is a Forensic Acquisition• Why is it done• I’ve Never Done it before! How am I supposed to

do it?

•Please interrupt us if you have a questions

2


What is Computer Forensics?Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data.

Forensic Acquisition is the foundation on which the Forensic examination is set. Without the proper foundation, anything else an examiner does is open to question.

3


What is Forensic Acquisition?Forensic Acquisition is a specific process to capture every single piece of digital data available on storage media.

It is a bit by bit copy. Every single digital 1 and 0 are capturedIt is not a mirror image nor a clone, although some people think these terms are interchangeable.

4


An actual clone drive

5


WHY?Why not just use windows to copy the

files?Special software is used to capture not only

active files (files that are available to the operating system), but deleted files, system configuration data and their associated metadata. Data is preserved unchanged. Special files called image files are created and can be used to clone a hard drive or used directly in an examination. They are easily verifiable, portable and often are standardized between different brands of forensic software. No windows limitations.

6


Logical vs Physical

• Forensic Harvesting - Logical v Physical– Logical

•Data that is visible via the O.S.

– Physical•Logical + File Slack + Unallocated

Space + system areas (MBR, Partition table, FAT)

7


Forensic Tools

8

• Foresnsic Acquistition software include:• EnCase• FTK• WinHex• Ilook• Specially modified Linux software


Acquisition (HOW?)

Cables from Rear of Computer

9


Initial Setup

Connect Destination Hard Drive

10


Initial Setup

Data and Power Cable from Computer

11


Initial Setup

Rear of Hard Drive

12


Initialize and Format

13



14



15



16



17


DO NOT select dynamic disk!

18

NO



19



20



21



22



23



24



25



26



27


Create Folder Structure

28

Step 3


29

Connect Source Drive


30



31



32



33

Power On Write Blocker


EnCase-Start New Case

34


New case dialogue box

35


Add Device

36


Select Local Drive

37


Check the Box for your drive

38


Your Drive will be Added

39


Right Click on your drive

40


Select

41


NO Compression!!

42


Acquisition Will Start

43


When completed-Need Log

44


Verify your destination

45


Log will be saved here!

46


Need to Insure a Match• Presentation Suspect Images• Description: Physical Disk, 39102336 Sectors, 18.6GB • Physical Size: 512• Starting Extent: 1S0• Name: Presentation Suspect Images• Actual Date: 03/24/09 03:17:21PM• Target Date: 03/24/09 03:17:21PM• File Path: E:\Presentation image.E01• Case Number: Presentation Drive• Evidence Number: Presentation Suspect Images• Examiner Name: Stephen W. St.Pierre• Drive Type: Fixed• File Integrity: Completely Verified, 0 Errors

• Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1 • Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1• GUID: 04d345276275524c8a111824be6eb170 • EnCase Version: 5.05j• System Version: Windows 2003 Server• Total Size: 20,020,396,032 bytes (18.6GB)• Total Sectors: 39,102,336

47


What else?

• Photograph• Maintaining Chain of Custody (Data

Storage Location)• Logging• Utilize Sanitized Drives• BIOS/CMOS Time

48


For assistance or additional information

• Phone: 216-664-1100• Web: www.jurinnov.com• Email: [email protected]

[email protected]

JurInnov Ltd.The Idea Center

1375 Euclid Avenue, Suite 400Cleveland, Ohio 44115

49

mailto:[email protected]

mailto:[email protected]

50


desktop imaging using encase - jurinnov - eric vanderburg

Technology