
Academic Program

INFT 3031
PRACTICAL 01

ENCASE FUNDAMENTALS
CREATING A CASE
ADDING EVIDENCE TO A CASE
NAVIGATING ENCASE FORENSIC


PRACTICAL 1.1

CREATING A CASE

Case Management
One of the most powerful features of EnCase software (EnCase) is its ability to organise different types of media together, so that they can be searched as a unit rather than individually.

This process saves time and allows the examiner to concentrate on examining the evidence.

Before starting an investigation and acquiring media, consider how to access the case once it has been created. It may be necessary for more than one investigator to view the information simultaneously.

In such a case, the evidence files should be placed on a central file server, and copies of the case file should be placed on each investigator's computer (since case files cannot be accessed by more than one person at a time).

The EnCase Forensic methodology strongly recommends that the examiner use a second hard drive, or at least a second partition on the boot hard drive, for the acquisition and examination of digital evidence.

It is preferable to wipe an entire hard drive or partition rather than individual folders to ensure all of the temporary, suspect-related data is destroyed. This will aid in deflecting any claims of cross-contamination by the opposing counsel if the forensic hard drive is used in other cases.

One method of organisation is to create a folder for each case and to place the associated case file and evidence files in that folder. Reports and evidence copies can then be placed in the same folder or in subfolders.

Creating a Temp folder in that folder allows the segregation and control of the temporary files that are created in the course of the investigation. The Export folder provides a general destination folder to place data copied from the evidence file. The Index folder will be used and explained in a later session. An Evidence folder will be used to hold all forensic images of devices we acquire during our examination.

Creating the folder structure

Before we create a new case in EnCase, we will create a folder structure (as outlined on the previous slide) for our case. Create a Cases folder on your Desktop and a Barrow subfolder for our case. Within the Barrow subfolder, create the four new folders:

Evidence
Export
Index
Temp

Creating the folder structure

Start EnCase and select File > New or click on the New icon on the toolbar. The Case Options dialog box will appear. Enter Barrow as the Name and your initials as the Examiner Name. Select the Export, Temp and Index folders you created for the new case.

By default, paths to the Export, Temp and Index folders within the default EnCase installation folder, C:\Program Files\EnCase6, are displayed. The investigator should change these paths to those specific to the case to segregate case data.

Creating a new case

Click Finish.

Next, select File > Save or click on the Save icon on the toolbar. Navigate to the root of the Barrow folder in your Cases folder and enter a name for the case file (e.g. CBarrow.case). Click on Save to save the new case file.

Saving a case


PRACTICAL 1.2

ADDING EVIDENCE TO A CASE

Adding Evidence to a Case

1. Copy the CBARROW.E01 and CBARROW.E02 files from \\ieedata\INFT-3031\EnCase to the Evidence subfolder within the Barrow case folder.

Additional evidence files may be added to a case at any time.

2. If closed, open our previously saved CBarrow.case file in EnCase.

Copying the image files
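The folder-structure and copy steps above, scripted as an added example that is not part of the practical and not EnCase code. The Python below creates the Cases\Barrow structure, gathers every segment of one image (the .E01 file together with the .E02, .E03 ... files that belong to it), copies the segments into the Evidence folder and checks that each copy hashes identically to its source before recording the hashes. The segment naming rule used (.E01 to .E99, then .EAA onwards) is the EnCase convention; the share path is only stood in for by a temporary folder; the file contents in demo() are constructed stand-ins, not real evidence.

```python
"""Added example (not from the practical or EnCase): build the case folder
structure, gather all segments of an EnCase image and copy them into the
Evidence folder, hashing source and copy to prove the copy is intact."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

CASE_SUBFOLDERS = ("Evidence", "Export", "Index", "Temp")
# EnCase segment extensions: .E01 .. .E99, then .EAA, .EAB, ... (naming rule assumed)
SEGMENT_RE = re.compile(r"^\.E(\d\d|[A-Z]{2})$", re.IGNORECASE)


def create_case_structure(cases_root: Path, case_name: str) -> dict:
    """Create Cases\\<case>\\{Evidence,Export,Index,Temp}; return the paths."""
    folders = {}
    for name in CASE_SUBFOLDERS:
        folder = cases_root / case_name / name
        folder.mkdir(parents=True, exist_ok=True)
        folders[name] = folder
    return folders


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte images never land in memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def segment_order(path: Path):
    """Sort key: numeric segments first (E01..E99), then EAA, EAB, ..."""
    tag = path.suffix[2:].upper()          # "01" or "AA"
    return (0, int(tag)) if tag.isdigit() else (1, tag)


def find_segments(source_dir: Path, base_name: str) -> list:
    """Every segment of one image, in the order EnCase reads them."""
    found = [p for p in source_dir.iterdir()
             if p.stem.upper() == base_name.upper() and SEGMENT_RE.match(p.suffix)]
    return sorted(found, key=segment_order)


def copy_verified(segments, evidence_dir: Path) -> dict:
    """Copy each segment and confirm the copy hashes identically to the source."""
    hashes = {}
    for src in segments:
        expected = sha256_of(src)
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)             # copy2 keeps the source timestamps
        actual = sha256_of(dst)
        if actual != expected:
            raise IOError(f"{src.name}: copy does not match source")
        hashes[src.name] = actual
    return hashes


def write_manifest(hashes: dict, case_dir: Path) -> Path:
    """Record the hashes beside the case file so later checks have a reference."""
    manifest = case_dir / "evidence_hashes.txt"
    manifest.write_text("".join(f"{h}  {name}\n" for name, h in sorted(hashes.items())))
    return manifest


def demo() -> dict:
    """Run the whole flow in a temporary folder with constructed stand-in files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share = root / "share"             # stands in for \\ieedata\INFT-3031\EnCase
        share.mkdir()
        (share / "CBARROW.E01").write_bytes(b"segment one " * 64)   # constructed content
        (share / "CBARROW.E02").write_bytes(b"segment two " * 64)
        (share / "CBARROW.EAA").write_bytes(b"late segment")        # shows EAA ordering
        (share / "notes.txt").write_bytes(b"not an evidence file")
        folders = create_case_structure(root / "Cases", "Barrow")
        segments = find_segments(share, "CBARROW")
        hashes = copy_verified(segments, folders["Evidence"])
        manifest = write_manifest(hashes, folders["Evidence"].parent)
        return {
            "order": [p.name for p in segments],
            "copied": sorted(p.name for p in folders["Evidence"].iterdir()),
            "e01_matches_source": hashes["CBARROW.E01"] == sha256_of(share / "CBARROW.E01"),
            "e10_before_eaa": segment_order(Path("x.E10")) < segment_order(Path("x.EAA")),
            "manifest_lines": len(manifest.read_text().splitlines()),
        }


if __name__ == "__main__":
    print(demo())
```

Hashing the source before the copy and the destination after it is what turns a plain copy into a verifiable transfer: the manifest written next to the case file gives later sessions a reference to recheck against, which is the same idea EnCase applies when it verifies an evidence file after adding it.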

3. Select File then Add Device, or select the Add Device button on the button bar.
4. Select the Evidence Files folder, right-click and select New to create a path to the location where the evidence files are contained.

Create a new path to evidence file location

5. Browse and locate the relevant case folder that contains the evidence files.

Select folder containing evidence files

6. Locate and blue-check the desired evidence file(s) and click Next>. In this case blue-check CBARROW.

Selecting the evidence file

7. Confirm that the correct evidence file was selected and click Next>.

Confirm that the correct evidence file was selected

8. Click Finish on the subsequent confirmation screen, and the evidence file will be added to the case.
9. It is not necessary to add files E02, E03, E04, etc., as they are added automatically by EnCase.
10. EnCase will add the evidence file to the case; file verification will begin automatically.
11. After adding the evidence file, click File > Save or click the Save button on the toolbar.
12. If there were more evidence files in the case, the preceding steps would be repeated for each evidence file.
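Step 10 says file verification starts automatically once the evidence file is added. The Python below is an added illustration of what that check does; it is not EnCase's code and the container it uses is not the E01 format. An EnCase evidence file records a CRC for each block of acquired sectors (64 sectors per block by default) and a hash of the whole acquisition; verification recomputes both and compares them with the stored values, so a damaged or altered sector fails the hash and is also localised to one block. The "device" contents, the 512-byte sector size and the single-byte corruption and truncation cases are constructed for the example.

```python
"""Added example (not EnCase code, not the E01 format): a model of evidence
file verification. The stored integrity data is a CRC32 per block of
acquired sectors plus one hash of the entire acquisition; verification
recomputes both so that any altered or damaged sector is detected and
localised to a block."""
import hashlib
import zlib
from dataclasses import dataclass, field

SECTOR_BYTES = 512          # sector size assumed for the example


@dataclass
class Acquisition:
    """Constructed container: acquired bytes plus the integrity values recorded
    at acquisition time (block CRCs and whole-image hash)."""
    data: bytes
    block_bytes: int
    block_crcs: list = field(default_factory=list)
    md5: str = ""


def acquire(device: bytes, sectors_per_block: int = 64) -> Acquisition:
    """Simulate acquisition: CRC32 for every block (last block may be short)
    and MD5 over all acquired data."""
    block_bytes = sectors_per_block * SECTOR_BYTES
    acq = Acquisition(device, block_bytes)
    for off in range(0, len(device), block_bytes):
        acq.block_crcs.append(zlib.crc32(device[off:off + block_bytes]))
    acq.md5 = hashlib.md5(device).hexdigest()
    return acq


def verify(acq: Acquisition) -> dict:
    """Recompute every block CRC and the acquisition hash; report what differs."""
    bad_blocks = []
    for index, off in enumerate(range(0, len(acq.data), acq.block_bytes)):
        if zlib.crc32(acq.data[off:off + acq.block_bytes]) != acq.block_crcs[index]:
            bad_blocks.append(index)
    expected_blocks = len(acq.block_crcs)
    seen_blocks = -(-len(acq.data) // acq.block_bytes)     # ceiling division
    hash_ok = hashlib.md5(acq.data).hexdigest() == acq.md5
    return {
        "verified": hash_ok and not bad_blocks and seen_blocks == expected_blocks,
        "hash_ok": hash_ok,
        "bad_blocks": bad_blocks,
        "blocks": seen_blocks,
    }


def corrupt(acq: Acquisition, offset: int) -> Acquisition:
    """Copy of the acquisition with one byte flipped (a simulated media or
    transfer error); the recorded CRCs and hash are left unchanged."""
    buf = bytearray(acq.data)
    buf[offset] ^= 0xFF
    return Acquisition(bytes(buf), acq.block_bytes, list(acq.block_crcs), acq.md5)


def truncate(acq: Acquisition, new_len: int) -> Acquisition:
    """Copy of the acquisition with its tail lost (a simulated incomplete copy)."""
    return Acquisition(acq.data[:new_len], acq.block_bytes, list(acq.block_crcs), acq.md5)


def demo() -> dict:
    # constructed "device": eight full 64-sector blocks plus a short tail
    device = b"".join(bytes([i]) * (64 * SECTOR_BYTES) for i in range(8)) + b"\xAA" * 100
    good = acquire(device)
    damaged = corrupt(good, offset=3 * 64 * SECTOR_BYTES + 17)    # inside block 3
    short = truncate(good, 7 * 64 * SECTOR_BYTES)                 # blocks 7 and 8 lost
    return {"clean": verify(good), "damaged": verify(damaged), "truncated": verify(short)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

The two failure cases show why both levels of check matter: a flipped byte fails the acquisition hash and is pinned to block 3 by the CRCs, while a truncated file fails the hash with no bad block at all, so the block count has to be compared as well. Neither check can tell an intentional change from a media fault, which is why the stored values come from acquisition time and the verification result belongs in the case notes.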


PRACTICAL 1.3

NAVIGATING ENCASE FORENSIC

Navigating EnCase Forensic

The Four Panes of EnCase

Configuring EnCase

Seven tabs are available: Global, Debug, NAS, Colors, Fonts, EnScript, and Storage Paths. When a case is open, an eighth tab (Case Options) appears that allows creation/modification of default values for the case information. The following slides discuss a subset of these tabs, which are of most interest to this course.

Options


Auto Save
Use Recycle bin for cases
Show True / Show False
Enable Picture Viewer
Enable ART and PNG image
display
Invalid Picture Timeout
Enable Pictures in Doc view
Date/Time formats
Flag Lost Files
Debug

Global Options


Take this opportunity to select DD/MM/YY as the date format to reflect the Australian standard. Having standards for dates and times is very important for forensics. Perhaps the default format should be YYYY-MM-DD?

Global Options
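The point about date standards, shown with constructed timestamps in an added Python example (not from the practical and unrelated to EnCase's own display code). The same six-character string is read as two different days under DD/MM/YY and MM/DD/YY, and neither convention sorts in time order when treated as text, whereas ISO 8601 (YYYY-MM-DD, here extended with the time and a UTC marker) is unambiguous and sorts correctly as plain text. The +10:00 offset is an assumed local zone for the example.

```python
"""Added example (not from the practical): constructed timestamps showing why
the date format matters. A two-digit, day-first or month-first string is
ambiguous and does not sort in time order; ISO 8601 (YYYY-MM-DD, here with
time and a UTC marker) is unambiguous and sorts correctly as plain text."""
from datetime import datetime, timedelta, timezone

FORMATS = {"DD/MM/YY": "%d/%m/%y", "MM/DD/YY": "%m/%d/%y", "ISO": "%Y-%m-%d"}


def parse_date(text: str, convention: str) -> str:
    """Read the same string under a named convention; return the ISO date."""
    return datetime.strptime(text, FORMATS[convention]).strftime(FORMATS["ISO"])


def to_iso_utc(moment: datetime) -> str:
    """Normalise an aware timestamp to ISO 8601 in UTC (one zone for the case)."""
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def text_sort_is_chronological(moments, render) -> bool:
    """Does sorting the rendered strings reproduce the true time order?"""
    rendered = [render(m) for m in sorted(moments)]
    return sorted(rendered) == rendered


def demo() -> dict:
    local = timezone(timedelta(hours=10))          # assumed local offset
    events = [                                     # constructed events, out of order
        datetime(2005, 4, 3, 10, 0, tzinfo=local),       # 2005-04-03T00:00:00Z
        datetime(1999, 12, 31, 23, 30, tzinfo=timezone.utc),
        datetime(2010, 1, 15, 8, 0, tzinfo=local),       # 2010-01-14T22:00:00Z
    ]
    return {
        "dd_mm_yy": parse_date("03/04/05", "DD/MM/YY"),  # 3 April 2005
        "mm_dd_yy": parse_date("03/04/05", "MM/DD/YY"),  # 4 March 2005
        "iso_utc": [to_iso_utc(e) for e in sorted(events)],
        "ddmmyy_sorts": text_sort_is_chronological(events, lambda m: m.strftime("%d/%m/%y")),
        "iso_sorts": text_sort_is_chronological(events, to_iso_utc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The third event is also a reminder that the zone is part of the standard: 15/01/10 in the local zone is 14 January in UTC, so a report that mixes zones can place the same event on two different days.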


EnScript
These are small programs that can automate the examination process. This option specifies the location of the EnScript libraries folder, which contains programming modules used by multiple EnScript programs.

EnScripts Options


Storage Paths
This option allows an examiner to configure the location of .INI files used by EnCase to establish global settings. By default these files are stored in C:\Program Files\EnCase6\Config.

Storage path options


Basic Layout (figure): Tree Pane, Table Pane, View Pane, Filter Pane

Right-clicking on an object in the Tree Pane will bring up a context menu with many selections, including the choice to expand or contract everything from the selected position. Everything in the case will be affected by right-clicking on the Entries folder.

Folder Structure

Tree Pane / Cases View

There are three methods used within EnCase to focus on specific files or folders:

Highlighting a folder
The Set Include Option
The Blue-check

Highlighting a Folder

Set including a Folder Structure

The Dixon box between the Table and View Panes indicates how many entries have been selected.

Blue checking a Folder Structure

Within the Tree Pane there are many views that can be accessed for different purposes. All of these views may be accessed through the tabs available above the Tree Pane or through the View > Cases menu. Any tab not displayed above the Tree Pane will be displayed by selecting it through the View > Cases menu.

View Cases menu

Table Pane
By default the Table Pane is in the Table view. Within this view are the subfolders and files that are contained within the folder(s) that are highlighted or set included in the Tree Pane. Highlighting or set including a folder affects the display in the Table Pane.

Organising Columns
Table columns may be rearranged in any order, as in Microsoft Excel. Click and drag the column heading, and drop it into its new location.
Columns may be sorted up to five layers deep. To sort by a column, double-click on the column heading. To institute a sub-sort, hold down Shift and double-click on the column heading.
Columns may be locked on the left side of the Table view, so that when the examiner scrolls to the right side of the Table view, the initial columns are still visible. To lock a column, right-click on the column heading, select Columns and select Set Lock. The lock is instituted on the position of the column: if other columns are moved into that position, they are locked. To release the lock, right-click on the column, select Columns and then Unlock.

Other Table Pane Views

Report
Generates a quick report for indicated files in the Table pane. Used most often with graphics.

Table Pane Report View

Gallery
Displays images in a thumbnail view. These images are displayed (by default) based on their extension.

Table Pane Gallery View

Timeline View
Shows patterns of different types of dates and times. You can zoom in (Higher Resolution) to a second-by-second timeline and zoom out (Lower Resolution) to a year-by-year timeline.

Table Pane Timeline View

Disk View
Allows viewing of files and folders in terms of where the data appeared on the media. Placement of clusters and/or sectors and fragmentation of files may be observed.

Table Pane Disk View

View Pane

View Pane Picture View

View Pane Hex View

View Pane Text View

View Pane Text Styles ISO Latin @ FTP

View Pane Text Styles ISO Latin @ 60

Ongoing Assessment Week 1

1. After adding an evidence file to a case, file verification is undertaken. What is file verification, and why is it important?
2. Why is the date display format important in forensic investigations, and why would YYYY-MM-DD be a suitable format?
3. What is the most efficient method to focus on (select) all items within an image (evidence) file for display within a single gallery view?

Bibliography

Guidance Software 2008, EnCase Forensic Academic Program Students Guide, v6.10pvs, Pasadena, CA