GUIDANCE SOFTWARE | USERS GUIDE | ENCASE FORENSIC IMAGER

EnCase

Forensic Imager

VERSION 7.06
USERS GUIDE







Copyright 1997-2013 Guidance Software, Inc. All rights reserved.
EnCase, EnScript, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software
in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be
claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be
registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the
owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement
between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or
108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and
documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please
contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for
informational use only, and is subject to change at any time without notice.


Contents
Overview  5
Launching EnCase Forensic Imager  5
Types of Acquisitions  5
Sources of Acquisitions  6
Types of Evidence Files  6
    EnCase Evidence Files  6
    Logical Evidence Files  6
    Raw Image Files  7
    Single Files  7
Acquiring a Local Drive  7
    Acquiring Non-local Drives  7
Creating Encrypted Evidence Files  8
    Creating an Encrypted Logical Evidence File  8
    Creating an Encrypted Evidence File  16
Acquiring Other Types of Supported Evidence Files  22
Verifying Evidence Files  22
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)  23
Using a Write Blocker  24
    Windows-based Acquisitions with Tableau and FastBloc Write blockers  24
    Acquiring in Windows without a Tableau or FastBloc Write Blocker  25
Acquiring a Disk Running in Direct ATA Mode  25
Acquiring Disk Configurations  26
    Software RAID  26
    RAID-10  26
    Hardware Disk Configuration  27
    Windows NT Software Disk Configurations  27
    Support for EXT4 Linux Software RAID Arrays  28
    Dynamic Disk  28
    Disk Configuration Set Acquired as One Drive  28
    Disk Configurations Acquired as Separate Drives  29
Acquiring a DriveSpace Volume  30
Canceling an Acquisition  31
CD-DVD Inspector File Support  31
Reacquiring Evidence  31
    Reacquiring Evidence Files  31
    Retaining the GUID During Evidence Reacquisition  32
Adding Raw Image Files  32
Restoring a Drive  33
Index  35



In This Chapter
Overview
Launching EnCase Forensic Imager
Types of Acquisitions
Sources of Acquisitions
Types of Evidence Files
Acquiring a Local Drive
Creating Encrypted Evidence Files
Acquiring Other Types of Supported Evidence Files
Verifying Evidence Files
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
Using a Write Blocker
Acquiring a Disk Running in Direct ATA Mode
Acquiring Disk Configurations
Acquiring a DriveSpace Volume
Canceling an Acquisition
CD-DVD Inspector File Support
Reacquiring Evidence
Adding Raw Image Files
Restoring a Drive




Overview
With EnCase Forensic Imager, you can acquire, reacquire, and translate evidence files into EnCase
evidence files that include CRC block checks, hash values, compression, and encryption. EnCase
Forensic Imager can read and write to current or legacy EnCase evidence files and EnCase Forensic
Imager logical evidence files.
With the LinEn utility, you can perform disk-to-disk acquisitions, and when you couple LinEn with
EnCase Forensic Imager, you can perform network crossover acquisitions.
This User's Guide provides detailed information about all types of EnCase Forensic Imager
acquisitions.
Note: EnCase Forensic Imager is not designed to be run on a suspect system, as it makes changes to the file system,
including writing to temporary files.

Launching EnCase Forensic Imager
To launch the application, double click the EnCase Forensic Imager.exe file.
Running the EnCase Forensic Imager executable auto extracts the tool to your Windows Temp
directory.

Types of Acquisitions
EnCase Forensic Imager can acquire evidence in four basic formats:
- Current EnCase evidence files (.Ex01): the .Ex01 format improves upon the .E01 format with LZ
  compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing,
  SHA-1 hashing, or both.
- Current logical evidence files (.Lx01): the .Lx01 format improves upon the .L01 format with LZ
  compression and options for MD5 hashing, SHA-1 hashing, or both. Encryption is not
  available for legacy logical evidence (.L01) files.
- Legacy EnCase evidence files (.E01): the .E01 format makes current acquisitions accessible to
  legacy versions of EnCase Forensic Imager.
- Legacy logical evidence files (.L01): the .L01 format makes current logical acquisitions accessible
  to legacy versions of EnCase.




Sources of Acquisitions
Sources for acquisitions within EnCase Forensic Imager include:
- Previewed memory or local devices such as hard drives, memory cards, or flash drives.
- Evidence files supported by EnCase Forensic Imager, including legacy EnCase evidence files
  (.E01), legacy logical evidence files (.L01), current EnCase evidence files (.Ex01), current logical
  evidence files (.Lx01), DD images, VMware files (.vmdk), or Virtual PC files (.vhd). You can
  use these to create legacy EnCase evidence files and legacy logical evidence files, or you can
  reacquire them as EnCase Forensic Imager .Ex01 or .Lx01 format, adding encryption, new
  hashing options, and improved compression.
- Single files selected to create a Logical Evidence File from an existing evidence file or an
  acquired device.
- Network crossover using LinEn and EnCase Forensic Imager to create .E01 files or .L01 files.
  This strategy is useful when you want to preview a device without disassembling the host
  computer. This is usually the case for a laptop, a machine running a RAID, or a machine
  running a device with no available supporting controller.
Types of Evidence Files
EnCase Evidence Files
Legacy EnCase evidence files (.E01) are a byte-for-byte representation of a physical device or logical
volume. Current EnCase evidence files (.Ex01) can be encrypted; however, .Ex01 files are not
backward compatible with legacy versions of EnCase.
EnCase evidence files provide forensic level metadata, the device level hash value, and the content of
an acquired device.
Dragging and dropping an .E01 or .Ex01 file anywhere on the EnCase Forensic Imager interface adds it
to the currently opened case.

Logical Evidence Files
Logical evidence files (.L01) are created from previews, existing evidence files, or Smartphone
acquisitions. These are typically created after an analysis locates some files of interest, and for forensic
reasons, they are kept in a forensic container.
Current logical evidence files (.Lx01) provide encryption and hashing options, but they are not
backward compatible with legacy versions of EnCase.
When an .L01 or .Lx01 file is verified, the stored hash value is compared to the entry's current hash
value:
- If the hash of the current content does not match the stored hash value, the hash is followed by
  an asterisk (*).
- If no content for the entry was stored upon file creation, but a hash was stored, the hash is not
  compared to the empty file hash.
- If no hash value was stored for the entry upon file creation, no comparison is done, and a new
  hash value is not populated.
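The three verification rules above are easy to misread, so here is an added worked example (not code from the guide or from Guidance Software) that models them. The entry record, the create_entry() function and the option names are assumptions: create_entry() stands in for the "Include contents of files" option and the Entry Hash (None or MD5) choice on the Logical tab, and the real .L01/.Lx01 container layout is not described on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StoredEntry:
    """One entry in a logical evidence file (constructed model, not the real
    .L01/.Lx01 on-disk layout, which this guide does not describe)."""
    name: str
    stored_hash: Optional[str]       # entry hash recorded at creation, or None
    stored_content: Optional[bytes]  # content recorded at creation, or None


def create_entry(name: str, data: bytes, include_contents: bool,
                 hash_algorithm: Optional[str] = "MD5") -> StoredEntry:
    """Mimic the Logical tab options (assumed mapping): 'Include contents of
    files' decides whether content is stored; Entry Hash of None or MD5
    decides whether a hash is recorded."""
    digest = hashlib.md5(data).hexdigest() if hash_algorithm == "MD5" else None
    return StoredEntry(name, digest, data if include_contents else None)


def verify_entry(entry: StoredEntry) -> str:
    """Return the hash column as the guide describes it after verification."""
    if entry.stored_hash is None:
        # Rule 3: no hash stored, so no comparison is made and nothing is populated.
        return ""
    if entry.stored_content is None:
        # Rule 2: a hash without content is reported as stored; it is never
        # compared against the hash of an empty file.
        return entry.stored_hash
    current = hashlib.md5(entry.stored_content).hexdigest()
    # Rule 1: a mismatch between current and stored hash is flagged with '*'.
    return entry.stored_hash if current == entry.stored_hash else entry.stored_hash + "*"


def verify_logical_evidence_file(entries: List[StoredEntry]) -> Dict[str, str]:
    """Verify every entry and return name -> hash column text."""
    return {e.name: verify_entry(e) for e in entries}


if __name__ == "__main__":
    # Constructed sample entries covering all three rules.
    good = create_entry("notes.txt", b"meeting notes", include_contents=True)
    hash_only = create_entry("big.iso", b"x" * 1024, include_contents=False)
    unhashed = create_entry("temp.log", b"log", include_contents=True, hash_algorithm=None)
    tampered = create_entry("ledger.csv", b"1,2,3", include_contents=True)
    tampered.stored_content = b"1,2,4"  # simulate content altered after creation
    for name, column in verify_logical_evidence_file([good, hash_only, unhashed, tampered]).items():
        print(f"{name:12} {column or '(no hash)'}")
```

The trailing asterisk is the only signal an examiner gets of a mismatch, and an entry stored without a hash is never re-checked, which is why selecting MD5 as the Entry Hash (rather than None) matters when the container is meant to prove integrity later.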


Raw Image Files
Raw image files are a dump of the device or volume. There are no hash comparisons or CRC checks.
Therefore, raw image files are not as forensically sound as EnCase evidence files. Although the files
are not in EnCase evidence file format, EnCase Forensic Imager supports a number of popular formats.
Before you can acquire raw image files, they must be added to a case. Raw image files are converted to
EnCase Forensic Imager evidence files during the acquisition process, adding CRC checks and hash
values if selected.

Single Files
You can export single files from a previewed/mounted device.

Acquiring a Local Drive
Before you begin, verify that the local drive to be acquired was added to the case.
1. To protect the local machine from changing the contents of the drive while its content is being
acquired, use a write blocker. See Using a Write Blocker on page 24.
2. Verify that the device being acquired shows in the Tree pane or the Table pane as write
protected.

Acquiring Non-local Drives
The LinEn utility acquires non-local drives by performing a network crossover acquisition. When you
use the LinEn utility to acquire a disk through a disk-to-disk acquisition, you must add the resulting
EnCase evidence file to the case using the Add Device wizard.



Creating Encrypted Evidence Files
Creating an Encrypted Logical Evidence File
To create an encrypted logical evidence file:
1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire >
Create Logical Evidence File from the dropdown menu.

Note: The folder highlighted when you click Create Logical Evidence File is treated as the root
folder for including entries in the logical evidence file. Only blue checked child entries inside that folder
are included. To include files from more than one folder, you must highlight a folder that is a common
parent. For instance, in the example above, if you wanted to include files from both the System Volume
Information and $Recycle Bin folders, you would need to highlight either C, v7_Sample_Evidence, or
Entries.

2. The Create Logical Evidence File dialog displays. It opens to the Location tab by default.

3. In the Location tab:
a. Enter the evidence file name.
b. Enter the evidence number.
c. Enter the case number.
d. Enter the examiner name.
e. Add notes, if desired.
f. Check the Add to existing evidence file checkbox if you want to add this file to an existing
logical evidence file. You must specify the output path to an existing logical evidence file
that is not locked.
g. Specify the output path for the logical evidence file.


4. In the Logical tab:
   - Source is the root level folder or device containing blue checked items to include in the logical
     evidence file.
   - Files contains the number of files and the total size of the file or files to include in the logical
     evidence file.
   - Target folder within Evidence File is an optional user-specified folder that is created inside
     the logical evidence file. Any selected files in the source location are placed inside this folder.
     This is useful for organizing multiple additions to a single logical evidence file.
   - Include contents of files checkbox: If checked, file content data displays in the View pane
     when you open the logical evidence file.
   - File in use checkbox: If checked, the hash is computed when the file is read from evidence.
     This is valuable when previewing live data that may have changed since initially calculating
     the hash value.
   - Include original extents checkbox: If checked, original extent information is added to the
     logical evidence file. Physical Location, Physical sector, and File Extents columns in the logical
     evidence file will match the original entries.
   - Include contents of folder objects checkbox: If checked, folder content data displays in the
     View pane when you open the logical evidence file.
   - Lock file when completed checkbox: If checked, the logical evidence file is locked after
     creation.

5. In the Format tab:

a. For the Evidence File Format, select Current (Lx01). This is the default.
b. From the Entry Hash dropdown menu, select a hashing algorithm:
   - None
   - MD5 (default)
c. Specify Compression as Enabled (default) or Disabled.
d. Specify the File Segment Size (MB) (minimum: 30 MB, maximum: 8,796,093,018,112 MB,
   default: 2048 MB).
6. Click the Encryption button to open the Encryption Details dialog.
Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder of the
current user profile. To save the encryption keys to a different location, right click in the Encryption
Details dialog, then click Change Root Path from the dropdown menu.


7. Click the key icon in the upper pane to open the New Encryption Key dialog.

8. Click Next to generate a new encryption key.


9. After the key is generated, the Password dialog displays.

10. Enter a name for the encryption key, then enter a password and enter the password again to
confirm it. The Password Quality bar indicates if the password you entered is acceptable.
11. When you have entered an acceptable password, confirm the password, then click Finish.
12. EnCase Forensic Imager prompts you to save the public key file you just created.



13. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just
created.

14. Click the checkbox for the new key, then click OK.


Using an Existing Public Key
If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of the
current user profile, then click Update.




Creating an Encrypted Evidence File
To create an encrypted evidence file:
1. In the Evidence tab, select one or more entries in the left pane. Right click, then click Acquire >
Acquire from the dropdown menu.

Note: If a physical device is added (a device that contains one or more volumes, such as device 2, 3, 4,
etc.), EnCase can either acquire the entire physical device, or a single volume contained within that
device. It depends on what you highlight in the tree pane.
- Highlighting Entries and acquiring acquires the entire physical device.
- Highlighting the device number (for example, 1, 2, 3, 4) or the evidence name (for
  example, Hunter XP or V7_Sample_Evidence) acquires the entire physical device.
- Highlighting the volume (C, D, E, F, etc.) acquires that volume.
- Highlighting any folder or entry inside a volume acquires only the volume that contains
  the highlighted entry.
If a volume (not a physical device) is added (for example, C, D, E, F, but not 1, 2, 3, 4), then the volume
is acquired regardless of what you highlight.

2. The Acquire Device dialog displays. It opens to the Location tab by default.

3. In the Location tab:
a. Enter the evidence file name.
b. Enter the evidence number.
c. Enter the case number.
d. Enter the examiner name.
e. Add notes, if desired.
f. Restart Acquisition restarts a canceled or disconnected acquisition. If the acquisition was
interrupted, but not canceled, that acquisition cannot be restarted.
g. Accept the designated Output Path, or browse to another location.
h. Enter an optional Alternate Path if desired.
4. In the Format tab:

a. For the Evidence File Format, select Current (Ex01). This is the default.


b. Specify Compression as Enabled (default) or Disabled.
c. From the Verification Hash dropdown menu, select a hashing algorithm:
   - MD5 (default)
   - SHA-1
   - MD5 and SHA-1
d. Specify the File Segment Size (MB) (minimum: 30 MB, maximum: 8,796,093,018,112 MB,
   default: 2048 MB).
5. Click the Encryption button to open the Encryption Details dialog.
Note: By default, EnCase Forensic Imager saves encryption keys to the My Documents folder of the
current user profile. To save the encryption keys to a different location, right click in the Encryption
Details dialog, then click Change Root Path from the dropdown menu.
6. Click the key icon in the upper pane to open the New Encryption Key dialog.


7. Click Next to generate a new encryption key.

8. After the key is generated, the Password dialog displays.

9. Enter a name for the encryption key, then enter a password and enter the password again to
confirm it. The Password Quality bar indicates if the password you entered is acceptable.
10. When you have entered an acceptable password, confirm the password, then click Finish.


11. EnCase Forensic Imager prompts you to save the public key file you just created.

12. Back in the Encryption Details dialog, click Update to display a checkbox for the key you just
created.

13. Click the checkbox for the new key, then click OK.


Using an Existing Public Key
If you want to use an existing public key, copy the .PublicKey file to the My Documents folder of the
current user profile, then click Update.





Acquiring Other Types of Supported Evidence Files
In addition to the native EnCase Forensic Imager file formats, .Ex01, .E01, .Lx01, and .L01, EnCase
Forensic Imager supports SafeBack files (.001), VMware files (.vmdk), and Virtual PC files (.vhd)
directly. To add any of these types of evidence files:
1. Select Add Evidence File from the Add Evidence view of the Home tab, or click the Add
Evidence dropdown menu while in the Evidence tab and select Add Evidence File.
2. The Add Evidence File Dialog displays. Use the dropdown menu at the bottom right corner of
the dialog to change to the appropriate file extension for your evidence or choose the All
Evidence Files option.
3. Navigate to the location of your evidence and select the first file of the evidence set as you
would for EnCase evidence files, then click Open.

Verifying Evidence Files
Verify Evidence Files checks CRC values of selected files. It is a way to ensure that evidence is not
tampered with. Verified CRC information is written out to a log file. From the Evidence tab, you can
check the CRC Errors tab in the bottom pane and bookmark any sectors that contain errors.
To perform an Evidence File verification:
1. Acquire the evidence files.
2. Add the evidence files to your case.
3. Click Tools > Verify Evidence Files.
4. The Verify Evidence Files file dialog opens.


5. Select one or more evidence files, then click Open. During verification, a progress bar displays
in the bottom right corner of the window.
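To make concrete what the verification step is checking, and why a raw image offers none of it, here is an added example (not code from the guide or from Guidance Software). It models an evidence file as data blocks with one CRC per block plus device-level MD5 and SHA-1 hashes, the two verification hash choices offered on the Format tab. The EvidenceImage structure, the 64-sector CRC block and the acquire()/verify() functions are assumptions for illustration; the real .E01/.Ex01 layout is not documented on this page.

```python
import hashlib
import zlib
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
CRC_BLOCK_SECTORS = 64   # constructed: number of sectors covered by one CRC


@dataclass
class EvidenceImage:
    """Constructed stand-in for an EnCase-style evidence file: data blocks,
    one CRC per block, and device-level MD5/SHA-1. Not the real .E01/.Ex01
    layout, which this guide does not document."""
    blocks: List[bytes]
    crcs: List[int]
    md5: str
    sha1: str
    block_sectors: int


def acquire(device: bytes, block_sectors: int = CRC_BLOCK_SECTORS) -> EvidenceImage:
    """Image a device buffer, recording a CRC per block and the device hashes.
    A raw (dd-style) image would keep only `device` and none of these checks,
    which is why the guide calls raw images less forensically sound."""
    size = block_sectors * SECTOR_SIZE
    blocks = [device[i:i + size] for i in range(0, len(device), size)]
    crcs = [zlib.crc32(b) for b in blocks]
    return EvidenceImage(blocks, crcs,
                         hashlib.md5(device).hexdigest(),
                         hashlib.sha1(device).hexdigest(),
                         block_sectors)


def verify(image: EvidenceImage) -> Dict[str, object]:
    """Re-check every block CRC and both device hashes.

    Returns the failing block indexes, the sector ranges they cover (so an
    examiner can bookmark them, as the CRC Errors tab allows), and whether the
    device-level hashes still match."""
    md5, sha1, bad_blocks = hashlib.md5(), hashlib.sha1(), []
    total_sectors = sum(len(b) for b in image.blocks) // SECTOR_SIZE
    for idx, (block, crc) in enumerate(zip(image.blocks, image.crcs)):
        md5.update(block)
        sha1.update(block)
        if zlib.crc32(block) != crc:
            bad_blocks.append(idx)
    bad_sectors = []
    for i in bad_blocks:
        start = i * image.block_sectors
        end = min(start + image.block_sectors, total_sectors) - 1
        bad_sectors.append((start, end))
    return {
        "crc_errors": bad_blocks,
        "bad_sector_ranges": bad_sectors,
        "md5_ok": md5.hexdigest() == image.md5,
        "sha1_ok": sha1.hexdigest() == image.sha1,
    }


if __name__ == "__main__":
    # Constructed 256-sector "device" (128 KiB of a repeating byte pattern).
    device = bytes(range(256)) * 512
    img = acquire(device)
    print("clean:   ", verify(img))
    # Flip one byte inside block 2, as a bad read or later tampering would.
    b = bytearray(img.blocks[2])
    b[10] ^= 0xFF
    img.blocks[2] = bytes(b)
    print("tampered:", verify(img))
```

The per-block CRCs localise damage to a sector range while the device hash only says that something changed somewhere; an examiner needs both, and neither exists in a raw image until it has been reacquired into an evidence file.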


Acquiring Device Configuration Overlays (DCO) and Host
Protected Areas (HPA)
EnCase Forensic Imager can detect and image DCO and/or HPA areas on any ATA-6 or higher-level
disk drive. These areas are detected using LinEn or a Tableau write blocker.
This applies to EnCase Forensic Imager applications using:
- Tableau
- LinEn when the Linux distribution used supports Direct ATA mode
The application now shows if a DCO area exists in addition to the HPA area on a target drive.
HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot
see it, and so it can be accessed only by reconfiguring the disk. HPA and DCO are extremely similar:
the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at
reboot. When supported, EnCase Forensic Imager applications see both areas if they coexist on a hard
drive.
It is important to note that if you choose to remove a DCO, it will make a permanent change to the
drive controller of the device.
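As an added illustration of how HPA and DCO are located (not code from the guide or from Guidance Software), the following example works from the three ATA address limits an ATA-6 or later drive reports: the maximum LBA from IDENTIFY DEVICE (what the operating system sees), the result of READ NATIVE MAX ADDRESS (the user area with any HPA removed), and the maximum LBA from DEVICE CONFIGURATION IDENTIFY (the full capacity with any DCO removed). It assumes those three values have already been read, for instance by a Tableau write blocker or by LinEn in Direct ATA mode; the AtaAddressLimits structure, the function names and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SECTOR_SIZE = 512


@dataclass
class AtaAddressLimits:
    """The three LBA limits an ATA-6+ drive reports (assumed already read).
    Each value is the highest addressable LBA, so sector count = LBA + 1."""
    identify_max_lba: int  # IDENTIFY DEVICE: visible to the OS (current SET MAX ADDRESS)
    native_max_lba: int    # READ NATIVE MAX ADDRESS: user area with any HPA removed
    dco_max_lba: int       # DEVICE CONFIGURATION IDENTIFY: full capacity with DCO removed


def hidden_areas(lim: AtaAddressLimits) -> Dict[str, object]:
    """Locate the HPA and DCO regions and report how large a complete image must be."""
    if not lim.identify_max_lba <= lim.native_max_lba <= lim.dco_max_lba:
        raise ValueError("limits must satisfy identify <= native <= dco")
    hpa: Optional[Tuple[int, int]] = None
    dco: Optional[Tuple[int, int]] = None
    if lim.native_max_lba > lim.identify_max_lba:
        # HPA: sectors above the OS-visible maximum, up to the native maximum.
        hpa = (lim.identify_max_lba + 1, lim.native_max_lba)
    if lim.dco_max_lba > lim.native_max_lba:
        # DCO: sectors the drive hides even from READ NATIVE MAX ADDRESS.
        dco = (lim.native_max_lba + 1, lim.dco_max_lba)
    return {
        "visible_sectors": lim.identify_max_lba + 1,
        "hpa_range": hpa,
        "hpa_sectors": lim.native_max_lba - lim.identify_max_lba,
        "dco_range": dco,
        "dco_sectors": lim.dco_max_lba - lim.native_max_lba,
        "full_image_sectors": lim.dco_max_lba + 1,
        "full_image_bytes": (lim.dco_max_lba + 1) * SECTOR_SIZE,
    }


def image_is_complete(acquired_sectors: int, lim: AtaAddressLimits) -> bool:
    """True only if the acquisition covered the HPA and the DCO as well as the
    visible area. An image that stops at the IDENTIFY maximum silently omits both."""
    return acquired_sectors >= lim.dco_max_lba + 1


if __name__ == "__main__":
    # Constructed sample: 1,000,000 visible sectors, 50,000 in an HPA, 50,000 in a DCO.
    lim = AtaAddressLimits(identify_max_lba=999_999,
                           native_max_lba=1_049_999,
                           dco_max_lba=1_099_999)
    for key, value in hidden_areas(lim).items():
        print(f"{key:20} {value}")
    print("OS-sized image complete? ", image_is_complete(1_000_000, lim))
    print("full-capacity image complete?", image_is_complete(1_100_000, lim))
```

Comparing the acquired sector count against the DCO maximum, rather than against what the operating system reports, is the check that catches an image taken without HPA/DCO support; it is also why the guide warns that removing a DCO alters the drive's controller configuration permanently, since the drive must be told to expose those sectors before they can be read.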



Using a Write Blocker
Write blockers prevent inadvertent or intentional writes to an evidence disk. Their use is described in
these sections:
- Windows-based Acquisitions with Tableau and FastBloc Write Blockers on page 24
- Acquiring in Windows without a Tableau or FastBloc Write Blocker on page 24
Windows-based Acquisitions with Tableau and FastBloc Write blockers
The following write blockers are supported in EnCase Forensic Imager:
- Tableau T35es
- Tableau T35es-RW
- Tableau T4
- Tableau T6es
- Tableau T8-R2
- Tableau T9
- FastBloc FE
- FastBloc 2 FE v1
- FastBloc 2 FE v2
- FastBloc LE
- FastBloc 2 LE
- FastBloc 3 FE
Computer investigations require a fast, reliable means to acquire digital evidence. These are hardware
write blocking devices that enable the safe acquisition of subject media in Windows to an EnCase
evidence file.
The hardware versions of these write blockers are not standalone products. When attached to a
computer and a subject hard drive, a write blocker provides investigators with the ability to quickly
and safely preview or acquire data in a Windows environment. The units are lightweight, self-
contained, and portable for easy field acquisitions, with on-site verification immediately following the
acquisition.
Support for Tableau write blocker devices enables EnCase Forensic Imager to:
- Identify a device connected through the Tableau device as write blocked.
- Access the Host Protected Area (HPA) and access, via removing, the Device Configuration
  Overlay (DCO) area of a drive using the Tableau device.
Note: EnCase Forensic Imager does not support access of DCO areas via EnScript. By default, HPA is
automatically disabled on the device.


Acquiring in Windows without a Tableau or FastBloc Write Blocker
Never acquire hard drives in Windows without a write blocker because Windows writes to any local
hard drive visible to it. Windows will, for example, put a Recycle Bin file on every hard drive that it
detects and will also change Last Accessed date and time stamps for those drives.
Media that Windows cannot write to are safe to acquire from within Windows, such as CD-ROMs,
write protected floppy diskettes, and write protected USB thumb drives.

Acquiring a Disk Running in Direct ATA Mode
If the Linux distribution supports Direct ATA mode, you will see a Mode option. You must set the mode
before acquiring the disk. An ATA disk can be acquired via the drive-to-drive method. ATA mode
is useful when the evidence drive has a Host Protected Area (HPA) or Device Configuration Overlay
(DCO); only Direct ATA Mode can review and acquire these areas.
Before you begin, ensure that:
- LinEn is configured as described in LinEn Setup Under SUSE.
- autofs is disabled (cleared).
- Linux is running in Direct ATA Mode.
1. If the FAT32 storage partition to be acquired has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console.
3. The LinEn main screen displays.
4. Select Mode, then select Direct ATA Mode. You can now acquire the disk running in ATA
mode.
5. Continue the drive-to-drive acquisition with Step 3 of Performing a Drive-to-Drive
Acquisition Using LinEn.



Acquiring Disk Configurations
Guidance Software uses the term disk configuration instead of RAID. A software disk configuration is
controlled by the operating system software (or LVM software), whereas a controller card controls a
hardware disk configuration. In a software disk configuration, information pertinent to the layout of
the partitions across the disks is located in the registry or at the end of the disk, depending on the
operating system; in a hardware disk configuration, it is stored in the BIOS of the controller card. With
each of these methods, you can create six disk configuration types:
- Spanned
- Mirrored
- Striped
- RAID-5
- RAID-10
- Basic


Software RAID
EnCase Forensic Imager applications support these software RAIDs:
- Windows NT: see Windows NT Software Disk Configurations
- Windows 2000: see Dynamic Disk
- Windows XP: see Dynamic Disk
- Windows 2003 Servers: see Dynamic Disk
- Windows Vista: see Dynamic Disk
- Windows Server 2008: see Dynamic Disk
- Windows Server 2008 R2: see Dynamic Disk
- Windows 7: see Dynamic Disk
RAID-10
RAID-10 arrays require at least four drives, implemented as a striped array of RAID-1 arrays.
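To show what "virtually mounting" a disk configuration from its member images involves, here is an added example (not code from the guide or from Guidance Software) that reassembles a logical volume from separately acquired member images for the spanned, mirrored, striped and RAID-10 layouts named above. It goes a little beyond the text by also reporting where mirror copies disagree and by refusing to proceed when a member is missing, matching the note later in this chapter that partial RAID reconstruction is not supported. The function names, the stripe size and the sample images are constructed; real Windows or Linux software RAID metadata is not parsed here.

```python
from typing import List, Optional


class MissingMemberError(Exception):
    """Raised when a member image is absent; no partial reconstruction is attempted."""


def _check_members(members: List[Optional[bytes]]) -> List[bytes]:
    """Require every member image to be present and of equal size."""
    missing = [i for i, m in enumerate(members) if m is None]
    if missing:
        raise MissingMemberError(f"member image(s) {missing} missing; partial reconstruction unsupported")
    present = [m for m in members if m is not None]
    if len({len(m) for m in present}) != 1:
        raise ValueError("member images differ in size")
    return present


def spanned(members: List[Optional[bytes]]) -> bytes:
    """Spanned set: members are simply used end to end."""
    return b"".join(_check_members(members))


def mirror_differences(members: List[Optional[bytes]], chunk: int = 512) -> List[int]:
    """Sector indexes at which the mirror copies disagree (a dirty or degraded mirror)."""
    ms = _check_members(members)
    return [off // chunk for off in range(0, len(ms[0]), chunk)
            if any(m[off:off + chunk] != ms[0][off:off + chunk] for m in ms[1:])]


def mirrored(members: List[Optional[bytes]], chunk: int = 512) -> bytes:
    """Mirrored set: all copies must agree; the first copy is then the volume."""
    diffs = mirror_differences(members, chunk)
    if diffs:
        raise ValueError(f"mirror copies disagree in sectors {diffs[:8]}")
    return _check_members(members)[0]


def striped(members: List[Optional[bytes]], stripe_size: int) -> bytes:
    """Striped set: stripe i of the volume lives on member i % n."""
    ms = _check_members(members)
    out = bytearray()
    for off in range(0, len(ms[0]), stripe_size):
        for m in ms:
            out += m[off:off + stripe_size]
    return bytes(out)


def raid10(members: List[Optional[bytes]], stripe_size: int) -> bytes:
    """RAID-10: a striped array of RAID-1 pairs; needs an even count of at least four members."""
    if len(members) < 4 or len(members) % 2:
        raise ValueError("RAID-10 needs an even number of members, at least four")
    pairs = [mirrored(members[i:i + 2]) for i in range(0, len(members), 2)]
    return striped(pairs, stripe_size)


def lay_out_raid10(volume: bytes, pairs: int, stripe_size: int) -> List[bytes]:
    """Inverse of raid10(); used here only to construct sample member images."""
    stripes = [volume[i:i + stripe_size] for i in range(0, len(volume), stripe_size)]
    members: List[bytes] = []
    for p in range(pairs):
        data = b"".join(stripes[p::pairs])
        members += [data, data]
    return members


if __name__ == "__main__":
    # Constructed 4 KiB volume written across a four-member RAID-10 with 512-byte stripes.
    volume = bytes(range(256)) * 16
    members = lay_out_raid10(volume, pairs=2, stripe_size=512)
    print("rebuilt matches original:", raid10(members, 512) == volume)
    damaged = list(members)
    damaged[1] = b"\xff" + damaged[1][1:]          # one mirror copy altered
    print("mirror differences:", mirror_differences(damaged[:2]))
    try:
        raid10(damaged[:3] + [None], 512)            # one member image missing
    except MissingMemberError as exc:
        print("refused:", exc)
```

Reassembly needs the same parameters the operating system or controller used (member order, stripe size, layout type); if any of them is wrong the result is a plausible-looking but scrambled volume, which is why the guide points you at the registry, the Dynamic Disk metadata or the controller's own view of the set rather than at guessing.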


Hardware Disk Configuration
Hardware disk configurations can be acquired:
- As one drive
- As separate drives
Windows NT Software Disk Configurations
In a Windows NT file system, you can use the operating system to create different types of disk
configurations across multiple drives. The possible disk configurations are:
- Spanned
- Mirrored
- Striped
- RAID 5
- Basic
The information detailing the types of partitions and the specific layout across multiple disks is
contained in the registry of the operating system. EnCase Forensic Imager applications can read this
registry information and resolve the configuration based on the key. The application can then virtually
mount the software disk configuration within the EnCase Forensic Imager case.
There are two ways to obtain the registry key:
- Acquiring the drive
- Backing up the drive
Acquire the drive containing the operating system. It is likely that this drive is part of the disk
configuration set, but in the event it is not (for example, when the disk configuration is used for storage
purposes only), acquire the OS drive and add it to the case along with the disk configuration set
drives.
To make a backup disk on the subject machine, use Windows Disk Manager and select Backup from
the Partition option.
This creates a backup disk of the disk configuration information, placing the backup on a CD or DVD.
You can then copy the file into your EnCase Forensic Imager application using the Single Files option,
or you can acquire the CD or DVD and add it to the case. The case must have the disk configuration
set drives added to it as well. This process works only if you are working with a restored clone of a
subject computer. It is also possible a registry backup disk is at the location.
In the EnCase Forensic Imager Evidence tab, select the device containing the registry or the backup
disk and all devices which are members of the RAID. Click the Open button to go to the Entry view of
the Evidence tab. Select the disk containing the registry, click the dropdown menu on the upper right
menu of the Evidence tab. Select Device, then select Scan Disk Configuration. At this point, the
application attempts to build the virtual devices using information from the registry key.



Support for EXT4 Linux Software RAID Arrays
EnCase Forensic Imager provides the ability to parse EXT4 Linux Software RAID arrays (for Ubuntu
version 9.1 and version 10.04), using the Scan for LVM option in the Device dropdown menu.
These configurations are supported:
- RAID 1 (mirror)
- RAID 10
Note: EnCase Forensic Imager does not support partial reconstruction of RAIDs. After parsing, all
RAID devices must have full descriptors or the process will fail.

Dynamic Disk
Dynamic Disk is a disk configuration available in Windows 2000, Windows XP, Windows 2003 Server,
Windows Vista, Windows 2008 Server, Windows 7, and Windows 2008 Server R2. The information
pertinent to building the configuration resides at the end of the disk rather than in a registry key.
Therefore, each physical disk in this configuration contains the information necessary to reconstruct
the original setup. EnCase Forensic Imager applications read the Dynamic Disk partition structure and
resolve the configurations based on the information extracted.
To rebuild a Dynamic Disk configuration:
1. Add the physical devices involved in the set to the case.
2. In the Evidence tab, select the devices involved in the Dynamic Disk and click the Open button on
the menu bar to change to the Entries view of the Evidence tab.
3. Select the devices, then click the dropdown menu at the top right of the Evidence tab.
4. Select Device and choose Scan Disk Configuration.
If the resulting disk configurations seem incorrect, you can manually edit them by returning to the
highest Evidence view of the Evidence tab. Select the Disk Configuration option, click the dropdown
menu from the top right corner of the Evidence tab, and select Edit Disk Configuration.

Disk Configuration Set Acquired as One Drive
Unlike software disk configurations, those controlled by hardware keep the necessary configuration
information in the controller card's BIOS. Because the disk configuration is controlled by hardware,
EnCase Forensic Imager cannot automatically reconstruct the configuration from the physical disks.
However, since the information needed to rebuild the set is held by the controller, the computer (with
the controller card) sees a hardware disk configuration as one (virtual) drive, regardless of whether
the set consists of two or more drives. Therefore, if the investigator acquires the set in its native
environment, the disk configuration can be acquired as one drive, which is the easiest option. The best
method for performing such an acquisition is a crossover network cable acquisition.
Note: The LinEn boot disk for the subject computer needs to have Linux drivers for that particular RAID controller card.
To acquire the set:
1. Keep the disk configuration intact in its native environment.
2. Boot the subject computer with a Live Linux Boot Disk containing the LinEn utility and
configured with the drivers for the RAID controller card.
3. Launch the LinEn utility.

Note: The BIOS interprets the disk configuration as one drive, so EnCase Forensic Imager applications
will as well. The investigator sees the disk configuration as one drive.
4. Acquire the disk configuration as you normally acquire a single hard drive, depending on the
means of acquisition. Crossover network cable or drive-to-drive acquisition is straightforward,
as long as the set is acquired as one drive.
If the physical drives were acquired separately, or could not be acquired in the native environment,
EnCase Forensic Imager can edit the hardware set manually.

Disk Configurations Acquired as Separate Drives
Sometimes acquiring the hardware disk configuration as one drive is not possible, or the method of
assembling a software disk configuration seems incorrect. Editing a disk configuration requires this
information:
Stripe size
Start sector
Length per physical disk
Whether the striping is right handed
You can collect this data from the BIOS of the controller card for a hardware set, or from the registry
for software sets.
When a RAID-5 consists of three or more disks and one disk is missing or bad, the application can still
rebuild the virtual disk using parity information from the other disks in the configuration. The
missing disk is detected automatically during the reconstruction of hardware disk configurations with
the Scan Disk Configuration command.
To acquire a disk configuration set as one disk:
1. Add the evidence files to one case.
2. On the Evidence tab, click the down arrow in the far right corner to display a dropdown
menu, then click Create Disk Configuration.

3. The Disk Configuration dialog displays. Enter a name for your disk configuration. Click the
appropriate disk configuration.
4. Right-click the empty space under Component Devices and click New.


5. Enter the start sector and size of the selected disk configuration, select the drive image which
belongs as the first element of the RAID, then click OK.
6. Repeat steps 4 and 5 for each additional element drive of the RAID in order.
7. Back at the main Disk Configuration screen, set the Stripe Size, select whether this is a Physical
Disk Image, and whether it uses Right-Handed Striping.
8. Once you are sure that the settings and the order of the drives are correct, click OK. EnCase
Forensic Imager generates a new item in your Evidence tab containing the RAID rebuilt to your
specifications. This new Disk Configuration can be acquired to an EnCase evidence file and
processed in the Evidence Processor just like a physical drive.
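The manual Disk Configuration dialog above takes the four values listed under Disk Configurations Acquired as Separate Drives (stripe size, start sector, length per physical disk, right-handed striping) and, for RAID-5, can tolerate one missing component. The following is an added example, not code from the EnCase guide or from Guidance Software, that performs the same reassembly on separately acquired component images held in memory; the parity rotation naming (right-handed = parity slot advances forward) and the data order within a stripe row (data fills the non-parity slots left to right) are assumptions of this example.

```python
from functools import reduce

SECTOR = 512

def xor_blocks(blocks):
    """XOR equal-length byte strings: RAID-5 parity and recovery are the same operation."""
    return bytes(reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks))

def parity_index(row, n_disks, right_handed):
    """Component holding parity on stripe row `row`. Right-handed rotates the
    parity slot forward (0, 1, 2, ...), left-handed backward (assumed naming)."""
    return row % n_disks if right_handed else (n_disks - 1) - (row % n_disks)

def split_raid5(data, n_disks, stripe_sectors, right_handed, start_sector=0):
    """Constructed helper (inverse of rebuild) that lays `data` out as RAID-5
    component images, each preceded by `start_sector` zero sectors."""
    stripe = stripe_sectors * SECTOR
    per_row = stripe * (n_disks - 1)
    assert len(data) % per_row == 0, "sample data must fill whole stripe rows"
    disks = [bytearray(start_sector * SECTOR) for _ in range(n_disks)]
    for row in range(len(data) // per_row):
        base = row * per_row
        chunks = [data[base + k * stripe:base + (k + 1) * stripe] for k in range(n_disks - 1)]
        chunks.insert(parity_index(row, n_disks, right_handed), xor_blocks(chunks))
        for disk, chunk in zip(disks, chunks):
            disk += chunk
    return [bytes(d) for d in disks]

def rebuild_raid5(components, stripe_sectors, start_sector, length_sectors, right_handed):
    """Reassemble the virtual disk from component images; None marks a missing or
    bad disk. The parameters mirror the dialog fields: stripe size, start sector,
    length per physical disk (in sectors) and right-handed striping."""
    n = len(components)
    if components.count(None) > 1:
        raise ValueError("RAID-5 parity can recover at most one missing component")
    stripe = stripe_sectors * SECTOR
    out = bytearray()
    for row in range(length_sectors // stripe_sectors):
        off = (start_sector + row * stripe_sectors) * SECTOR
        chunks = [None if c is None else c[off:off + stripe] for c in components]
        if None in chunks:  # the lost chunk is the XOR of every surviving one
            chunks[chunks.index(None)] = xor_blocks([c for c in chunks if c is not None])
        p = parity_index(row, n, right_handed)
        out += b"".join(c for i, c in enumerate(chunks) if i != p)
    return bytes(out)
```

Getting the stripe size, start sector or handedness wrong does not raise an error; it silently produces an interleaved image, which is why the guide advises confirming these values from the controller BIOS or registry before accepting the rebuilt device.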

Acquiring a DriveSpace Volume
DriveSpace volumes are only recognized as such after they are acquired and mounted into a case. On
the storage computer, mount the DriveSpace file as a volume, then acquire it again to see the directory
structure and files.
To acquire a DriveSpace volume:
1. A FAT16 partition must exist on the forensic PC where you will Copy/Unerase the DriveSpace
volume. A FAT16 partition can be created only with a FAT16 OS (such as Windows 95).
2. Run FDISK to create a partition, then exit, reboot, and format the FAT16 partition using
format.exe.
3. Image the DriveSpace volume.
4. Add the evidence file to a new case and search for a file named DBLSPACE.000 or
DRVSPACE.000.
5. Right click the file and copy/unerase it to the FAT16 partition on the storage computer.
6. In Windows 98, click Start > All Programs > Accessories > System Tools > DriveSpace.
7. Launch DriveSpace.
8. Select the FAT16 partition containing the compressed .000 file.
9. Select Advanced > Mount DRVSPACE.000, then click OK, noting the drive letter assigned to it.
The Compressed Volume File (.000) from the previous drive is now seen as folders and files in
a new logical volume.
10. Acquire this new volume.
11. Create the evidence file and add to your case. You can now view the compressed drive.


Canceling an Acquisition
You can cancel an acquisition while it is running. After canceling, you can restart the acquisition.
To cancel an acquisition while it is running:
1. At the bottom right corner of the main window, double click the Thread Status line. The
Thread Status dialog displays.

2. Click Yes. The acquisition is canceled. You can restart it at a later time.

CD-DVD Inspector File Support
EnCase Forensic Imager applications support viewing files created using CD/DVD Inspector, a third-
party product. Treat these files as single files when adding them, as zip files, or as composite files
when using the file viewer. Drag single files into the application.

Reacquiring Evidence
When you have a raw evidence file generated outside an EnCase application, reacquiring it creates an
EnCase evidence file containing the content of the raw evidence file and gives you the opportunity to
hash the evidence and to add case metadata and CRC block checks.
You may also want to reacquire an existing EnCase evidence file to change the compression settings or
the file segment size.

Reacquiring Evidence Files
Start by adding the evidence file(s) to your case as previously described. You can reacquire evidence
either from the Evidence tab or through the Evidence processor. To acquire in the Evidence tab:
1. Select the items you want to reacquire.
2. Click the Open button to change to the Entries view of the Evidence tab.
3. Highlight the item you want to reacquire, click Acquire on the top menu, and select Acquire
from the dropdown menu.
4. Complete the Acquire Device dialog as you would for previewed evidence.
5. You can repeat steps 3 and 4 for each device or volume you want to reacquire.



Retaining the GUID During Evidence Reacquisition
EnCase Forensic Imager now provides an option that retains the GUID when evidence is reacquired.
To retain the GUID, select the Keep GUID checkbox that displays in the Advanced tab of the Acquire
Device dialog. To open the Acquire Device dialog, select the device for acquisition.

Adding Raw Image Files
Reacquiring raw evidence files like DD images or CD-ROM .iso files embeds the device contents
within an EnCase evidence file, adding case metadata, CRC block checks and, optionally, the hash
value of that image.
To acquire a raw evidence file:
1. In the Add Evidence dropdown menu, click Add Raw Image.


2. The Add Raw Image dialog opens.

3. Drag and drop the raw images to be acquired. The raw images to be added are listed in the
Component Files list. For DD images or other raw images consisting of more than one
segment, the segments must all be added in their exact order from first to last.
4. Click the Generate true GUID checkbox for EnCase Forensic Imager to generate a unique
GUID if a match is found.
5. Accept the defaults in the Add Raw Image dialog or change them as desired, then click OK.
6. A Disk Image object displays in the Evidence tab.
7. You can reacquire this image as you would any other supported evidence or previewed
device.
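The two points made under Reacquiring Evidence and Adding Raw Image Files, that reacquisition wraps raw content with a hash plus per-block CRCs, and that multi-segment DD images must be joined in their exact order, can be shown with a small model. This is an added example, not the EnCase evidence file format or any Guidance Software code; the block granularity, record layout and MD5/SHA1 choice are assumptions.

```python
import hashlib
import zlib

SECTOR = 512

def join_segments(segments):
    """Concatenate raw image segments first to last. The order is part of the
    evidence: swapping two segments produces a different image and a different hash."""
    return b"".join(segments)

def make_evidence_record(segments, block_sectors=64, case_notes=""):
    """Constructed stand-in for what reacquisition adds around raw content:
    case metadata, a CRC32 per block and whole-image hashes. Returns (record, image)."""
    image = join_segments(segments)
    block = block_sectors * SECTOR
    crcs = [zlib.crc32(image[i:i + block]) for i in range(0, len(image), block)]
    record = {
        "notes": case_notes,
        "block_sectors": block_sectors,
        "crcs": crcs,
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
    }
    return record, image

def verify_image(record, image):
    """Return (hash_ok, bad_block_indexes). The per-block CRCs localize damage
    to specific blocks, which the single whole-image hash cannot do."""
    block = record["block_sectors"] * SECTOR
    bad = [i for i, crc in enumerate(record["crcs"])
           if zlib.crc32(image[i * block:(i + 1) * block]) != crc]
    hash_ok = hashlib.md5(image).hexdigest() == record["md5"]
    return hash_ok, bad
```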

Restoring a Drive
The following steps describe how to restore a drive. Note that before you begin, you first need to add
evidence to the case.
1. From the EnCase Forensic Imager top toolbar, select the Evidence option from the View
dropdown.
2. In the Table view, click the evidence file with the device you would like to restore.
3. From the Device dropdown on the Evidence tab menu, select Restore. The Restore dialog
displays.


4. Click Next to collect local hard drives.
5. From the list of Local Devices, click the drive you want to restore.
6. Click Next. The Drives dialog displays.
7. Select options for wiping and verification.
8. Click Finish.
9. A dialog displays asking you to verify the local drive selection. Verify that you are restoring
to the correct drive by typing Yes, then click OK.
The bar in the lower right corner of the screen tracks the progress of the restore.



Index

A
Acquiring a Disk Running in Direct ATA Mode 25
Acquiring a DriveSpace Volume 30
Acquiring a Local Drive 7
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA) 23
Acquiring Disk Configurations 26
Acquiring in Windows without a Tableau or FastBloc Write Blocker 25
Acquiring Non-local Drives 7
Acquiring Other Types of Supported Evidence Files 22
Adding Raw Image Files 32
C
Canceling an Acquisition 31
CD-DVD Inspector File Support 31
Creating an Encrypted Evidence File 16
Creating an Encrypted Logical Evidence File 8
Creating Encrypted Evidence Files 8
D
Disk Configuration Set Acquired as One Drive 28
Disk Configurations Acquired as Separate Drives 29
Dynamic Disk 28
E
EnCase Evidence Files 6
EnCase Forensic Imager User's Guide 3
H
Hardware Disk Configuration 27
L
Launching EnCase Forensic Imager 5
Logical Evidence Files 6
O
Overview 5
R
RAID-10 26
Raw Image Files 7
Reacquiring Evidence 31
Reacquiring Evidence Files 31
Restoring a Drive 33
Retaining the GUID During Evidence Reacquisition 32
S
Single Files 7
Software RAID 26
Sources of Acquisitions 6
Support for EXT4 Linux Software RAID Arrays 28
T
Types of Acquisitions 5
Types of Evidence Files 6
U
Using a Write Blocker 24
V
Verifying Evidence Files 22
W
Windows NT Software Disk Configurations 27
Windows-based Acquisitions with Tableau and FastBloc Write blockers 24