Forensic Analysis with EnCase

Date post: 14-May-2020


Introduction

Students’ Role: Digital Forensics Examiner for the Cyber Action Team (CAT).

Request for Digital Forensic Analysis

Suspect: Mantooth, Wes

Seizure Date: 17 March 2018

Case Number: 20180317-Mantooth

Requesting Organization: Fox Molder, Cyber Crime Division

Mr. Mantooth’s computer was seized under search warrant pursuant to case number 20180318_Mantooth. This is a request to process the seized hard drive to look for evidence that may advance the investigation of this case.

We are specifically interested in having you perform the following:

1) Write a Case Narrative Digital Forensics Examiner Report

2) Document and describe your Investigative process and any errors or difficulties you encountered

3) Document the Mantooth image hash values

4) Document and describe User Accounts with last login and Security ID and any associated registry comments.

5) Document any network, removable or local drives (device name and serial number) that may have been connected to the Mantooth computer and note how many files may have been viewed from each connected device you identify.

6) Document and describe the contents, if any, of the recycle bin.

7) Document the link files. Try to find these files and determine what type of information may be useful to your investigation. Also document and describe what a link file is and the significance of locating a link file in this case.

8) Document the company manufacturer brand of the HDD seized from Mantooth’s computer.

9) Document the processor model and family of the processor seized from Mantooth’s computer.

10) Document the most visited Internet domain and how many times it was visited.

11) List and describe at least 3 user Internet searches that may be consistent with possible evidence of criminal activity.

12) Document and describe the number of login failures and the date.

13) Document the DHCP address associated with the Mantooth computer.

14) Document and describe the computer OS version and Product ID, the existing time zone settings and note whether Mantooth’s computer is set on daylight savings time.

15) Document and describe whether there is encryption software installed on the Mantooth computer.

16) Document and describe the notable names you identify and include for each name a representative number of the files, if any, you locate that were downloaded through email.

17) Document and describe the number of “.jpg” files you locate on the Mantooth evidence image file.

18) Document and describe at least two email messages that may be consistent with possible evidence of criminal activity.


Evidence Items Provided: Mantooth.E01 (evidence image file)

Tag #01: Digital Image of Suspect Drive File Name: Mantooths_HDD.E01

MD5 Hash Value: 31217210a1a69f272079a3bde3d9d8fc

SHA1 Hash Value: 12e4ac047e328ca2bd63a4d65df25b3ecba55769

General Instructions: Log into the UMUC Virtual Lab and perform the following steps utilizing EnCase. Make sure to document your findings and provide the appropriate screen shots/bookmarks as part of your Lab 1 Digital Forensics Examiner’s Report. Your report should be submitted to the assignment section as one document in .pdf format and named with the following convention “Lab1-YourFirstInitial-LastName”. Make sure your report has an overview with labeled captions such as Investigation Referral, Steps Taken, Notable Files, Findings and Conclusion, etc., and each investigation step should be documented, described and supported with one or more artifacts such as file names and screenshots necessary to demonstrate your work.

Deliverables & Lab 1 Questions to be answered:

General Instructions: Preview the lab deliverables and the grading rubric before starting your Lab 1 work. Then, log into the UMUC Virtual Lab and follow the step-by-step instructions and illustrations. Make sure you include a copy of the Request for Digital Forensic Analysis in your final report as this is your authorization to perform the investigation. The Lab 1 deliverables are noted in the Request for Digital Forensic Analysis and they are also listed near the end of the following technical instructions.


Technical Instructions:

Launch EnCase from the “Lab Resources” folder of your Lab VM.

Once EnCase starts up, create a new case named “Date_Mantooth”. (Date should be today’s date in yyyymmdd format)


Choose the Basic Template and enter Case Number, Examiner Name, and Description in the Case Information area. In the Name and location area enter the case name in the Name field. Use the defaults on the Base case folder, Primary evidence cache, and Backup location, then click OK.

Practice Note: In a formal case investigation environment you would store backups on a separate drive. In our Lab 1, we will default to the same drive, so click “Yes” if you get a warning about storing the case and backup on the same drive.


Same action with the Backup location and Primary evidence cache: click Yes if you get a warning about storing the backup and primary evidence cache on the same drive.

Since you are creating new folders simply click “Yes”.

You are now ready to add evidence to the case, so click Add Evidence in the middle of the screen.


We are adding evidence that is already created in a .E01 image file format, so choose Add Evidence File.


Browse to the Mantooth.E01 image file in the Desktop folder for Lab 1 as illustrated below.

Desktop > Computer > Local Disk D: > Lab Resources > Lab Images > Mantooth.E01

You will also find a “Mantooth.E01.txt” file that contains the FTK Imager image report information for the Mantooth image. Within the “Mantooth.E01.txt” file you will find the MD5 and SHA-1 hashes to note for your examination. These hashes should match your hash values when you access the image in EnCase. If they don’t, make a note in your case report.
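The hash comparison described above, as an added example rather than code from the lab: it hashes the raw image bytes and checks them against the acquisition hashes parsed from an FTK Imager style .txt report, producing a note for the case report when they disagree. The report layout and the sample bytes are constructed assumptions; for a real .E01 the bytes fed in must be the decompressed image stream (for instance read through libewf), because the report hashes cover the acquired data, not the .E01 container file.

```python
import hashlib
import re

# Constructed report text in the layout FTK Imager uses for its .txt image
# report (an assumption about the format; values are not from the Mantooth case).
def build_report(md5: str, sha1: str) -> str:
    return (
        "Created By AccessData FTK Imager\n\n"
        "[Computed Hashes]\n"
        f" MD5 checksum:    {md5}\n"
        f" SHA1 checksum:   {sha1}\n\n"
        "[Image Verification Results]\n"
        " Verify result: Match\n"
    )

def parse_report_hashes(report_text: str) -> dict:
    """Pull the acquisition MD5 and SHA1 values out of the report text."""
    found = {}
    for algo in ("MD5", "SHA1"):
        m = re.search(rf"^\s*{algo} checksum:\s*([0-9a-fA-F]+)", report_text, re.M)
        if m:
            found[algo.lower()] = m.group(1).lower()
    return found

def hash_stream(data: bytes, chunk_size: int = 1 << 20) -> dict:
    """Compute MD5 and SHA1 of the raw image bytes in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(data: bytes, report_text: str) -> dict:
    """Return a match flag per algorithm plus a note for the case report."""
    expected = parse_report_hashes(report_text)
    computed = hash_stream(data)
    result = {algo: expected.get(algo) == digest for algo, digest in computed.items()}
    if all(result.values()):
        result["note"] = "Acquisition and verification hashes match."
    else:
        failed = ", ".join(a.upper() for a, ok in result.items() if not ok)
        result["note"] = f"MISMATCH on {failed}; record this in the case report."
    return result

if __name__ == "__main__":
    image = b"constructed sample image bytes, not the Mantooth evidence"
    report = build_report(**hash_stream(image))        # report that matches the bytes
    print(verify_image(image, report)["note"])
    print(verify_image(image + b"!", report)["note"])  # an altered copy fails
```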


Example of the FTK Imager Mantooth.E01.txt file information


If you receive an error message about the Header being more than 12 characters, just click OK. This does not impact case processing.

Typically, you may find the “Tree-Table” view below easier to work in. Click the menu selection highlighted below to use Tree-Table view.


You are now ready to begin processing the Mantooth.E01 image file in EnCase. Click on “Process Evidence” and choose just the “Process…” option.


Within the case “Process” options there are a few things to remember. Some of the options have a red exclamation point to their left. These options can only be chosen the first time you process case evidence, so you typically select them during the first processing pass for your case. All of the other options can be selected on a subsequent processing attempt. On a large image you may decide to choose only a few options the first time so that you see some results sooner, or you may not yet be sure which options you need because your initial instructions or search authorization leave it unclear which investigative direction is best.

In this case, Mantooth.E01 is a small image, so we are going to select all of our needed options on the first attempt at evidence processing. Note all of the blue checked areas below, which indicate that those options have been chosen for processing in our case.

The processing options include everything except Prioritization and Search for keywords. It is a little hard to see in the interface, but the Modules option is actually a drop-down menu. Click to the left of Modules to expand it, then select System Info Parser, Windows Event Log Parser, and Windows Artifact Parser. It is worth noting that each of the blue options is actually a hyperlink where you can specify more detail for each option.


If you click “System Info Parser” you will see the following window appear. We will choose all of the standard artifacts but nothing from the advanced artifacts tab.


Click OK and begin the case processor. You may need to maximize the case processor window to see the OK button.


Any time an operation is running within EnCase you will see the progress in the lower right micro help area of the window.


Note that the Acquisition and Verification MD5 hashes should match in the lower portion of the evidence screen (you may need to scroll). One of the menu items in EnCase is Verification. You may want to use it to verify the hashes.

Any time you do something substantial in the case make sure to perform a save. By default EnCase saves every 30 minutes, which is not frequent enough in the scheme of things. A good practice is to manually save every 5 minutes.

EnCase is not intuitive in showing evidence processing results. You must navigate to see the results that interest you. The View menu is used to toggle the display of other tabs. We are interested in the Artifacts tab.


The processing options you choose at the outset of the case determine what shows up in the Artifacts tab. We will see items like email and Internet artifacts.


There is another area that is rich in evidence case information. Click on the home icon. You will likely return to the Add Evidence window.


From the Add Evidence window click the back arrow to go to the base home screen.

From the base home screen select Case Analyzer.


Then click on Case.

After things compile, you will be at the “Case tab” in Case Analyzer. Navigating through the various folders under the Reports folder is where you will find many evidence artifacts. Using this area and the Artifacts tab we just navigated from prior to running the Case Analyzer is where you will find most of the evidence artifacts needed to complete this digital forensics case examination.


Your Lab 1 objectives are to develop a Lab 1 Digital Forensics Examiner’s Report that addresses and answers the following case investigation items:

1) Write a Case Narrative Digital Forensics Examiner Report

2) Document and describe your Investigative process and any errors or difficulties you encountered

3) Document the Mantooth image hash values

4) Document and describe User Accounts with last login and Security ID and any associated registry comments.

5) Document any network, removable or local drives (device name and serial number) that may have been connected to the Mantooth computer and note how many files may have been viewed from each connected device you identify.

6) Document and describe the contents, if any, of the recycle bin.

7) Document the link files. Try to find these files and determine what type of information may be useful to your investigation. Also document and describe what a link file is and the significance of locating a link file in this case.

8) Document the company manufacturer brand of the HDD seized from Mantooth’s computer.

9) Document the processor model and family of the processor seized from Mantooth’s computer.

10) Document the most visited Internet domain and how many times it was visited.

11) List and describe at least 3 user Internet searches that may be consistent with possible evidence of criminal activity.


12) Document and describe the number of login failures and the date.

13) Document the DHCP address associated with the Mantooth computer.

14) Document and describe the computer OS version and Product ID, the existing time zone settings and note whether Mantooth’s computer is set on daylight savings time.

15) Document and describe whether there is encryption software installed on the Mantooth computer.

16) Document and describe the notable names you identify and include for each name a representative number of the files, if any, you locate that were downloaded through email.

17) Document and describe the number of “.jpg” files you locate on the Mantooth evidence image file.

18) Document and describe at least two email messages that may be consistent with possible evidence of criminal activity.

You may notice that there is a “Report” function in Case Analyzer. The artifacts that you find that answer many of the Lab 1 investigation questions can be “selected” and “added to a report” to help you with this Lab 1 exercise. This will give you a much more professional report appearance than taking a series of screen shots. Take a few minutes to see how the report feature works and consider using it as part of your overall report. If you have significant difficulty with the EnCase Report method, and everything you want doesn’t show up in the EnCase Report, you can try adding/pasting those screen shot items into your EnCase report, or stick with using the screen shot method for your entire report for consistency.


The Case Analyzer report can be saved as a pdf.

As a refresher, email can be found in the Artifacts tab. One other hint: use the Evidence tab to find how many .jpg files are contained in the Mantooth.E01 evidence image file.

Once you have completed your investigation, close EnCase and exit.
