Project2 Encase.pptx [Read-Only]

Transcription

1/20/2012

Overview: ENCASE CYBER-SECURITY FORENSICS
Email Investigation & Recovering Digital Photograph Evidence
CIS 4385 Final Project

This case involves recovering email and digital photograph evidence on an employee named Michael Simmons, who may possibly be involved in providing confidential information to his company's business competitor concerning a new kayak. Michael Simmons is sending altered graphic files attached in his company's email. He is considered to be an Insider Threat.

The EnCase v7 Forensic Tool will be used to attempt to locate and recover Michael Simmons' emails and graphic file, to be used as evidence against Mr. Michael Simmons for violating the company policy of confidentiality.

Dr. Chi
Forensic Investigator: Michael Simmons
Florida A&M University
December 03, 2011

Brief Overview of What a Forensic Examiner Can Do With EnCase:
- Investigate inappropriate web surfing.
- Search the contents of files for inappropriate images, photos and movies.
- Identify traces of abusive behavior in emails and stored documents.
- Protect highly sensitive information such as tests, grades and confidential student/teacher data (social security numbers, addresses, etc.).
- Enforce computer use policies.
- Respond to network breaches and identify compromised systems.
- Identify rootkit and rogue process propagation.
- Universities can ensure their compliance with HIPAA.
- Determine whether a computer system contains evidence and is within the scope of our investigation.
- Restore entire disk volumes back to their original state.
- Do a basic keyword search of the entire case using any number of search terms.
- Do advanced searches using the powerful UNIX GREP syntax.
- Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide.
- Investigate and analyze data from multiple platforms (Windows, Linux, AIX, OS X, Solaris, and more) using a single tool.
- Find information despite efforts to hide, cloak, or delete.
- Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack, and unallocated space.
- Transfer evidence files directly to law enforcement or legal representatives as necessary.
- Review options that allow non-investigators, such as attorneys, to review evidence with ease.
- Use reporting options for quick report preparation.

Restoring a Drive

The following acquiring devices and evidence functions are available:
- Logical Evidence Files
- Raw Image Files
- Single Files
- Acquire a Local Drive
- Windows-based Acquisitions with Tableau and FastBloc Write Blockers
- Acquiring in Windows using FastBloc SE
- Acquiring in Windows without a Tableau or FastBloc Write Blocker
- Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
- Acquiring a Disk Running in Direct ATA Mode
- Acquiring Disk Configurations
- Windows NT Software Disk Configurations
- EnCase Evidence Files
- Acquiring Other Types of Supported Evidence Files

The following evidence processing functions are available:
- Folder recovery
- Hash analysis
- Compound file expansion
- Email search
- Internet artifact search
- Keyword search
- Index creation
- EnScript Module execution: parsing system information, instant messaging, file carving, other EnScript modules

Additionally, the following operations are always run with the Evidence Processor:
- File signature analysis
- Protected file analysis

The Add Evidence menu also contains these selections and a selection to access the Evidence Processor.

Types of Acquisitions

EnCase can acquire evidence to four basic formats:
- Current EnCase evidence files (Ex01): The new EnCase evidence file format takes all the strengths of the legacy EnCase evidence file and moves it forward to a new generation with the addition of bzip compression to reduce the size of your evidence files, the option to encrypt your evidence with AES256 and encryption keypairs or passwords, and the option to choose MD5 hashing, SHA-1 hashing, or both.
- Current Logical evidence files (Lx01): adding the same new features, with the exception of encryption, to the legacy Logical evidence files.
- Legacy EnCase evidence files (E01): which you can use to provide a copy of evidence to an examiner running an older version of EnCase.
- Legacy Logical evidence files (L01): also used to provide a copy of evidence to an examiner running an older version of EnCase.

Smartphone acquisitions in EnCase will generate either Legacy EnCase evidence files (E01) or Legacy Logical evidence files (L01), based upon the device and whether EnCase is performing a physical acquisition or a logical acquisition.

Sources of Acquisitions

Sources for acquisitions within EnCase include:
- Previewed memory or local devices such as hard drives, memory cards, or flash drives, creating legacy EnCase evidence files (E01) or the current EnCase evidence files (Ex01).
- Evidence files supported by EnCase, including legacy EnCase evidence files (E01), legacy logical evidence files (L01), current EnCase evidence files (Ex01), current logical evidence files (Lx01), DD images, SafeBack images, VMware files (.vmdk), or Virtual PC files (.vhd). You can use them to create legacy EnCase evidence files and legacy logical evidence files, or you can reacquire them to the new EnCase Ex01 or Lx01 format, adding encryption, new hashing options, and improved compression.
- Single files dragged and dropped onto the EnCase user interface. These include ISO files, thus creating L01 or Lx01 logical evidence files.
- Smartphones, using the Acquire Smartphone dialog box.
- Network crossover using LinEn and EnCase to create EnCase evidence files or logical evidence files. This strategy is useful when the need exists to preview a device without disassembling the host computer, such as with many laptops, machines running RAIDs, or machines running devices for which an examiner may not have a supporting controller.

Sources for acquisitions outside EnCase include:
- LinEn, for disk-to-disk acquisitions without the need for a hardware write blocker, to create EnCase evidence files.
- WinEn, for capturing physical memory on a live Windows computer to an EnCase evidence file.
- Tableau TD1 Forensic Duplicator, to create an EnCase evidence image of a device.

The EnCase Interface for Browsing and Viewing Evidence

The EnCase layout has three sections: the Table pane, the Tree pane, and the View pane. The Tree-Table view shows the Tree pane on the left, the Table pane on the right, and the View pane on the bottom. This is the traditional EnCase entries view.
On the Hex tab, you can view files as straight hexadecimal.
On the Picture tab, you can view images.

The EnCase Interface for Reporting Evidence

The final phase of a forensic examination is reporting the findings, which should be well organized and presented in a format that the target audience understands.

EnCase adds several enhancements to its reporting capabilities, including:
- Reporting templates you can use as is or modify to suit your needs.
- Capability to control a report's format, layout, and style.
- Ability to add notes and tags to a report.

Reports in EnCase consist of three parts:
- Bookmark folders, where references to specific items and notes are stored.
- Report templates, which hold formatting, layout, and style information. A report template links to bookmark folders to populate content into a report.
- Case Information items, where you can define case-specific variables to be used throughout the report.

To add new reports or sections to the template:
1. Highlight the row above the new element you want to add. Right click and select New from the dropdown menu.
2. The New Report Template dialog opens.
3. Enter a Name.
4. Select a Type (Section or Report).
5. If you want to customize Format styles, check the appropriate boxes, or leave the boxes clear to use the default styles.
6. Click OK. The new template component displays below the row you highlighted.

A report component is designated as either a Report or Section, as shown in the Type column.

Viewing a Report

To view a report:
1. In the Report Templates tab, click View Report from the tab toolbar. The dropdown menu lists all reports that have the Show Tab option set.
2. Select the report you want to see. The report displays in the viewer.

Copied Michael Simmons' PST file to a thumb drive; the drive, with drive letter L:\, is being added to evidence.
The acquired image of the PST file is now located at C:\Working\LocalEvidence. The original evidence will now be preserved on the thumb drive.

Analysis Starts

Under keyword search I am searching for pattern(s) of type FIF. This also includes "Search entry slack" and "Undelete entries before searching".

I reviewed the file Recover1.txt header, and found the header to be incorrect for a JPEG image. The correct header would have FF D8 FF E0 at offset 0x0 and 4A at offset 6 (the first four bytes and the sixth byte; all of the other bytes appeared to be correct).

Results of the keyword search "Money" recovered 21 message files, and a possible timeframe, such as when the message files were created, last accessed, last written and deleted.

I rebuilt recover1.txt with the correct JPEG header, renamed the file recoveredme.jpg, and double clicked and opened it with Windows Picture and Fax Viewer.

The processing time of my 2 GB email .pst file (michael.simmons.pst) required two days on my older, slower Dell laptop computer. I then switched to my new workstation computer and completed the task in 4 hours. I now see that with more data on a computer, more forensic data becomes available, which made me come to realize that the resource cost involved in an incident handling situation is fairly significant. In addition, staffing an incident handling team with the proper skills required to effectively carry out incident handling will be quite challenging.
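As an added Python example (not code from the slides), the header check and repair described above, plus a scan for the JFIF identifier that mirrors the keyword search for the FIF pattern in slack and unallocated space; the sample bytes are constructed, and only the fixed signature bytes (the first four and byte 6 onward of "JFIF") are patched, so a file damaged elsewhere still needs manual review.

```python
# Fixed bytes at the start of a JFIF file: SOI marker (FF D8), APP0 marker
# (FF E0), then the "JFIF" identifier at offset 6. Offsets 4-5 hold the APP0
# segment length, which varies, so they are not checked.
JFIF_EXPECTED = {0: 0xFF, 1: 0xD8, 2: 0xFF, 3: 0xE0,
                 6: 0x4A, 7: 0x46, 8: 0x49, 9: 0x46}


def check_jfif_header(data: bytes) -> dict:
    """Return {offset: (found, expected)} for every fixed byte that is wrong
    or missing; an empty dict means the header matches."""
    bad = {}
    for off, want in JFIF_EXPECTED.items():
        found = data[off] if off < len(data) else None
        if found != want:
            bad[off] = (found, want)
    return bad


def repair_jfif_header(data: bytes) -> bytes:
    """Rewrite only the fixed signature bytes, leaving everything else as is."""
    if len(data) < 10:
        raise ValueError("too short to hold a JFIF header")
    buf = bytearray(data)
    for off, want in JFIF_EXPECTED.items():
        buf[off] = want
    return bytes(buf)


def find_jfif_candidates(blob: bytes) -> list:
    """Offsets in an arbitrary buffer (slack, unallocated space) where a file
    would start if the 'JFIF' identifier found there is genuine, i.e. 6 bytes
    before the identifier. Hits closer than 6 bytes to the start are skipped."""
    hits, pos = [], blob.find(b"JFIF")
    while pos != -1:
        if pos >= 6:
            hits.append(pos - 6)
        pos = blob.find(b"JFIF", pos + 1)
    return hits


# Constructed sample: a minimal valid JFIF prefix (20 bytes), and a copy with
# the first four bytes and byte 6 zeroed, as in the recovered file above.
GOOD = bytes.fromhex("FFD8FFE000104A46494600010100000100010000")
DAMAGED = b"\x00\x00\x00\x00" + GOOD[4:6] + b"\x00" + GOOD[7:]

if __name__ == "__main__":
    print("damaged offsets:", sorted(check_jfif_header(DAMAGED)))
    print("repaired matches good:", repair_jfif_header(DAMAGED) == GOOD)
```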

The recovered emails and a graphic file are extremely incriminating evidence that will be used against Michael Simmons for violating the company policy of confidentiality agreement. Criminal charges may also be filed.

As part of this course, I have learned critical investigation techniques. With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime, including fraud, insider threat, industrial espionage, and phishing. Many Universities and Government agencies are now having to cross-train their IT professionals or hire digital forensic professionals; becoming a Computer Forensic Investigator is now a necessary requirement.

EnCase was tested using Retina Network Security Scanner, which is an NIST validated FDCC scanner (http://nvd.nist.gov/fdcc/download fdcc.cfm).
