212934 LAB 6 - Encase (Acquiring Image) PDF

Title 212934 LAB 6 - Encase (Acquiring Image)
Course Digital Forensics
Institution Multimedia University
Pages 9
File Size 796 KB
File Type PDF



Description

LAB 6 – EnCase Forensic Part 1 – Creating a Case and Getting an Image File

This lab describes the procedure for acquiring a USB thumb drive with EnCase.

Note: Make sure you have a USB thumb drive ready; this is the drive you will image.

1. Create a folder named "Case (your name)" on the Desktop or on the D drive.

2. Run EnCase Forensic (EnCase) as administrator and create a new case.

3. In the options window that pops up, name the case "Norm". Set the base case folder to the folder created in Step 1 and also check "Use base case folder for primary evidence cache". Then click OK.

The Norm case should be saved automatically in the \Cases\Norm folder. Verify this.

4. Go to Tools → FastBloc SE… . In the FastBloc SE window, select Write Blocked. Write Blocked is the default mode: attempts to write to the drive are intercepted and held in a cache, so Windows sees them succeed while nothing reaches the device. Write Protected does not cache write attempts; they are rejected outright. In either mode the subject media is not modified.

Note: The FastBloc SE module is a collection of drive controller tools that control reads and writes to a drive attached to the computer through USB, FireWire, or SCSI, so that subject media can be acquired safely from Windows into an EnCase evidence file.

5. Insert your thumb drive into a USB port. The Write Blocked column should now show a black dot or tick for the drive, confirming that the media is connected and is write blocked. Do not proceed until it does. Click Close.

6. Add evidence by clicking Add Evidence → Add Local Device on the Home page, or select Add Evidence from the drop-down menu and then Add Local Device….

7. Check the “Detect Tableau Hardware” option and click Next.

8. All local devices are listed. The write-blocked drive is highlighted in green. Check the thumb drive's physical drive (the physical device rather than its logical volume, so that the whole drive, including space outside the partition, is captured) and click Finish.

9. The Viewing (Evidence) screen is displayed. To see the objects and file structure of the device, double-click its entry in the Name column ("1" in this case).

10. Highlight the device (marked by a small green triangle) to see the root directory objects. A folder or file marked with a red circle has been deleted.

11. To acquire an image of the thumb drive, right-click the name of the device and select Acquire → Acquire….

12. In the "Acquire Device" window, set the following:

Location tab:
Name: Yourname Thumb Drive
Evidence Number: 001
Case Number: 999999
Examiner Name: Yourname
Note: Found on Desk
Output Path: the folder you created in Step 1

Format tab:
Evidence File Format: Current (Ex01)
Compression: Disabled
Verification Hash: MD5 and SHA1
File Segment Size (MB): 2048

Advanced tab:
Error Granularity: Exhaustive

13. The bottom right corner shows the estimated time remaining for the acquisition. Wait for EnCase to finish acquiring the image.

14. When the acquisition completes, FastBloc SE can be disabled. Select Tools → FastBloc SE…, click "Clear All", and click "Yes" to remove write blocking. Now you can remove the thumb drive from the computer.

15. The MD5 and SHA1 hashes are generated. The acquisition hash is computed over the data as it is read from the drive; the verification hash is computed by reading back the data written to the evidence file. It is important to visually verify that the two match. Go back by selecting Viewing (Entry) → Evidence. You are now viewing the evidence file.

16. Both values are shown in the Report or Fields view of the object representing the evidence file. The acquisition and verification hash values must match.

17. Save your case by selecting Case (Norm) → Save….
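The hash check in Steps 15 and 16 relies on EnCase verifying its own output. An examiner will usually also confirm the values with an independent tool: hash the physical thumb drive before it goes behind FastBloc SE and again after Step 14, and compare both results with the acquisition hash EnCase reports. Identical values show that the write blocker preserved the drive and that the image matches the source. The script below is an added example written for this page, not part of the lab handout or of EnCase. It computes MD5 and SHA1 in a single pass over a raw device or raw image, then compares them case-insensitively with the recorded values; the device paths in the comments and the "abc" sample image are assumptions for illustration.

```python
"""Independent MD5/SHA1 check of an acquired drive or raw image.

Added example, not part of the lab handout. The source is read in
fixed-size chunks and both hashes are fed in one pass, then the result
is compared with the values EnCase reported.
"""
import hashlib
import os
import tempfile

# 1 MiB reads: a multiple of the 512-byte sector size, which raw devices require.
CHUNK = 1024 * 1024


def hash_source(path, chunk_size=CHUNK):
    """Return (md5_hex, sha1_hex, bytes_read) for a file or raw device.

    Works for a raw (dd) image file and, when run as administrator/root,
    for a physical device such as \\.\PhysicalDrive2 on Windows or
    /dev/sdb on Linux (assumed device names; check yours first).
    """
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    total = 0
    with open(path, "rb", buffering=0) as src:
        while True:
            block = src.read(chunk_size)
            if not block:
                break
            md5.update(block)
            sha1.update(block)
            total += len(block)
    return md5.hexdigest(), sha1.hexdigest(), total


def verify_against_encase(path, expected_md5, expected_sha1):
    """Compare a fresh hash of `path` with the hashes EnCase recorded.

    Returns a dict with the computed values, the size read and a
    boolean `match`. Comparison is case-insensitive because reports
    and tools differ in how they print hex digests.
    """
    md5, sha1, size = hash_source(path)
    match = (md5 == expected_md5.strip().lower()
             and sha1 == expected_sha1.strip().lower())
    return {"md5": md5, "sha1": sha1, "size": size, "match": match}


def demo():
    """Self-contained run on a constructed 3-byte 'image' (the bytes abc)."""
    # Constructed sample data with well-known digests; not a real drive image.
    data = b"abc"
    expected_md5 = "900150983CD24FB0D6963F7D28E17F72"  # uppercase, as a report might print it
    expected_sha1 = "a9993e364706816aba3e25717850c26c9cd0d89d"
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return verify_against_encase(path, expected_md5, expected_sha1)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    print("MD5 :", result["md5"])
    print("SHA1:", result["sha1"])
    print("bytes:", result["size"], "match:", result["match"])
```

One caveat when using this against the lab's output: the hashes EnCase reports for an Ex01 cover the device data stored inside the evidence file, not the bytes of the .Ex01 file on disk, so hashing the .Ex01 file itself with this script will not reproduce them. Run it against the physical drive, or against a raw image exported from the evidence file, and compare that result with the acquisition hash.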

