Advanced Computer Forensics Windows EnCase Forensics Lab
Due date: Please submit your work to the Windows EnCase Lab dropbox by July 2nd, 2013.

This lab is designed to run on the RLES vCloud. The interface is available by navigating to . If you did the Linux forensics lab on the RLES vCloud, you should already have created a vApp with the Linux VMware image. If you did not use the RLES vCloud for your first lab, please follow the instructions in the Linux Forensics Lab to create a vApp.

Now add the vApp template "Windows 7 w/FTK 7 EnCase image" from the Public Catalogs to the same vApp, following the instructions in Add Virtual Machines to a vApp (page 8 in the RLES vCloud User Guide) with the following settings:
· Set the network to Net_Network
· Select DHCP to create an IP address (when you use DHCP, the fencing option is NOT necessary.)

Note: If you get an error when trying to start a vApp (or a VM within a vApp), try these steps:
1. Open your vApp and click on the Virtual Machines tab. Right-click your VM and choose "Properties".
2. Click on the Hardware tab. At the bottom of the page, click on the MAC address and choose "Reset".
3. Click OK. When it asks if you want to enable guest customization, click No.
4. Give it a minute to update your VM, then try starting it.

Power on the Windows virtual machine and log in to the system with:
Username: Student
Password: student

EnCase 7 is installed on the virtual machine. When you start the EnCase application, you should see "EnCase Forensic (not Acquisition)" at the top of the application window.

EnCase 7 Tutorial
· The EnCase Forensics V7 User Guide posted in myCourses under Hands-on Labs.
· EnCase 7 Essentials webinar series at 

The following image files will be used for this lab; they are located on the local drive E:\
1) WinLabRaw.img – raw image created with dd
2) WinLabEnCase.E01 – EnCase evidence file

Note: "WinLabEnCase Image" in this documentation = "Lab5 image" in your EnCase image.
Sample Paper for the Above Instructions
The purpose of this forensic investigation is to use EnCase Forensic Version 7 to analyze digital evidence stored in disk images. This involves setting up a virtual forensic environment on the RLES vCloud platform, adding evidence images, adjusting system settings, and conducting detailed analysis to uncover hidden, deleted, or modified data that may be pertinent to a criminal or civil investigation.
Initially, the forensic analyst must create a new case within EnCase. Case creation involves selecting the basic template, giving the case a unique name such as “Case 1”, and confirming the default folder settings. EnCase can add evidence in different formats, both raw disk images (dd images) and EnCase’s proprietary E01 format, which allows a versatile approach to evidence collection. In this context, two evidence items are added: the raw image (“WinLabRaw.img”) and the EnCase image (“WinLabEnCase.E01”). These evidence files serve as the data sources for all subsequent analysis. Determining the file system of the raw image requires examining the disk’s report or its volume boot sector, which can be done with EnCase’s Disk View feature; this shows whether the file system is NTFS or FAT. This identification is crucial for understanding the structure of the data and planning further analysis.
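The boot-sector check described above can be reproduced outside EnCase by reading sector 0 of the raw dd image and inspecting the same fields an examiner reads in Disk View. The following script is an added example, not part of the lab or the sample paper and not EnCase code; the two sample boot sectors it builds are constructed in memory so it runs without the lab images, and `identify_image` is the hypothetical entry point you would point at WinLabRaw.img.

```python
import struct

SECTOR_SIZE = 512  # one boot sector, the bytes Disk View shows at sector 0 of a volume

def identify_filesystem(boot_sector: bytes) -> dict:
    """Classify a volume boot sector as NTFS, FAT32 or FAT12/16.

    The checks mirror what an examiner reads off the sector in a hex view:
    the OEM ID at offset 3, the file-system label in the extended BPB, the
    bytes-per-sector / sectors-per-cluster fields, and the 0x55AA end marker.
    """
    if len(boot_sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte boot sector")
    info = {
        "fs": "unknown",
        "oem_id": boot_sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": struct.unpack_from("<H", boot_sector, 0x0B)[0],
        "sectors_per_cluster": boot_sector[0x0D],
        "end_marker_ok": boot_sector[510:512] == b"\x55\xAA",
    }
    if boot_sector[3:11] == b"NTFS    ":
        info["fs"] = "NTFS"
        info["total_sectors"] = struct.unpack_from("<Q", boot_sector, 0x28)[0]
        info["mft_cluster"] = struct.unpack_from("<Q", boot_sector, 0x30)[0]
    elif boot_sector[0x52:0x5A] == b"FAT32   ":
        info["fs"] = "FAT32"
        info["root_dir_cluster"] = struct.unpack_from("<I", boot_sector, 0x2C)[0]
    elif boot_sector[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
        info["fs"] = boot_sector[0x36:0x3E].decode("ascii").strip()
    return info

def identify_image(path: str, offset: int = 0) -> dict:
    """Read one sector from a raw (dd) image and classify it.

    offset is 0 for a volume image; for a whole-disk image pass the byte
    offset of the partition start taken from the partition table.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        return identify_filesystem(fh.read(SECTOR_SIZE))

# --- constructed sample sectors (not taken from the lab images) --------------

def sample_ntfs_boot_sector() -> bytes:
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x52\x90"                   # jump instruction
    sec[3:11] = b"NTFS    "                      # OEM ID
    struct.pack_into("<H", sec, 0x0B, 512)       # bytes per sector
    sec[0x0D] = 8                                # sectors per cluster (4 KiB)
    struct.pack_into("<Q", sec, 0x28, 2097151)   # total sectors (~1 GiB)
    struct.pack_into("<Q", sec, 0x30, 786432)    # $MFT starting cluster
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

def sample_fat32_boot_sector() -> bytes:
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xEB\x58\x90"
    sec[3:11] = b"MSDOS5.0"                      # OEM ID is not the FS type on FAT
    struct.pack_into("<H", sec, 0x0B, 512)
    sec[0x0D] = 1
    struct.pack_into("<I", sec, 0x2C, 2)         # root directory cluster
    sec[0x52:0x5A] = b"FAT32   "                 # file-system type label
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

if __name__ == "__main__":
    for label, sec in (("ntfs", sample_ntfs_boot_sector()),
                       ("fat32", sample_fat32_boot_sector())):
        print(label, identify_filesystem(sec))
```

The NTFS branch reports the starting cluster of $MFT because that is the next place an examiner goes when reconstructing a volume by hand; the FAT branches read the type label rather than the OEM ID, since on FAT the OEM field only names the formatting tool.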
Adjusting system settings such as the time zone is an essential step to ensure temporal accuracy across the evidence, especially when correlating activities from multiple sources. NTFS stores its timestamps in UTC, so the time zone configured for a device determines the local time EnCase displays for every file. The time zone can be set through EnCase by accessing the device’s properties, ensuring that all timestamps are consistent and meaningful within the context of the investigation.
EnCase provides visualization tools such as Timeline View and Gallery View. The Timeline View displays file activity over time, assisting investigators in spotting unusual patterns or activities, such as spikes in file modifications that correspond to malicious actions. The Gallery View offers a visual overview of graphic evidence, allowing quick identification of visual files like images that may be relevant to the case. Running evidence processing tasks such as recovering deleted folders or analyzing file signatures allows investigators to recover lost data and verify file integrity and type, respectively.
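The two preceding paragraphs, on the device time-zone setting and on spotting activity spikes in Timeline View, are illustrated by the added example below. It is not code from the lab or from EnCase: it converts NTFS FILETIME values (100-nanosecond ticks since 1601-01-01 UTC) under two display zones and then buckets a constructed set of last-written timestamps per hour, the way a timeline does. The six file events and the fixed-offset "EDT" zone are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# NTFS stores MAC times as FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Fixed-offset zones are used instead of the system zone database so the
# example is self-contained; EDT here is the constructed UTC-4 summer offset.
UTC = timezone.utc
EDT = timezone(timedelta(hours=-4), "EDT")

def filetime_to_datetime(ft: int, tz=UTC) -> datetime:
    """Convert a FILETIME tick count to an aware datetime in the chosen zone."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).astimezone(tz)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; dt must be timezone-aware."""
    delta = dt.astimezone(UTC) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def _ft(*args) -> int:
    """Build a constructed sample timestamp from UTC date/time components."""
    return datetime_to_filetime(datetime(*args, tzinfo=UTC))

# Constructed sample of (file name, last-written FILETIME); not from the lab image.
SAMPLE_EVENTS = [
    ("report.docx", _ft(2013, 6, 15, 9, 12)),
    ("budget.xlsx", _ft(2013, 6, 15, 14, 30)),
    ("~tmp001.tmp", _ft(2013, 6, 15, 14, 31)),
    ("~tmp002.tmp", _ft(2013, 6, 15, 14, 33)),
    ("~tmp003.tmp", _ft(2013, 6, 15, 14, 40)),
    ("notes.txt",   _ft(2013, 6, 16, 8, 5)),
]

def hourly_timeline(events, tz=UTC) -> Counter:
    """Count events per clock hour, as they would be displayed in the chosen zone."""
    counts = Counter()
    for _, ft in events:
        counts[filetime_to_datetime(ft, tz).strftime("%Y-%m-%d %H:00 %Z")] += 1
    return counts

def busiest_hour(events, tz=UTC):
    """The hour with the most activity: the spike an examiner looks for in Timeline View."""
    return hourly_timeline(events, tz).most_common(1)[0]

if __name__ == "__main__":
    ft = SAMPLE_EVENTS[1][1]
    print("raw FILETIME:", ft)
    print("displayed as UTC:", filetime_to_datetime(ft))
    print("displayed as EDT:", filetime_to_datetime(ft, EDT))
    for label, tz in (("UTC", UTC), ("EDT", EDT)):
        print(label, "busiest hour:", busiest_hour(SAMPLE_EVENTS, tz))
```

The stored tick count never changes; only the clock hour it is reported under does. That is why the zone has to be fixed before timeline entries from this image are lined up against log sources that were recorded in local time.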
File signature analysis enhances understanding of file types, especially if files have been renamed or tampered with, by examining header signatures. Hash analysis verifies data integrity by comparing computed hashes against known values, identifying any alterations. Expanding compound files like registry hives enables investigators to extract detailed system configuration information, user activity, and other critical forensic artifacts.
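The signature and hash checks just described can be shown on constructed data. The script below is an added example, not the lab's or EnCase's code: its magic-number table is a small hand-built subset (EnCase ships its own, which this does not reproduce), the four sample "files" are byte strings built in memory, and the hash set is a constructed dictionary standing in for a real set such as a case-specific known-good list.

```python
import hashlib

# Header signatures compared against the claimed extension; constructed table
# of well-known magic numbers, keyed by a canonical extension.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF",),
    "png": (b"\x89PNG\r\n\x1A\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
    "exe": (b"MZ",),
}
# Extensions that legitimately share a signature with a canonical key above.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "dll": "exe"}

def detect_type(header: bytes):
    """Return the signature key whose magic bytes open the data, or None."""
    for key, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return key
    return None

def signature_check(name: str, data: bytes) -> dict:
    """Compare a file's header signature with the type its extension claims.

    The three statuses are the outcomes an examiner sorts on after signature
    analysis: match, mismatch (renamed or disguised file), unknown (no rule).
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXTENSION_ALIASES.get(ext, ext)
    detected = detect_type(data[:16])
    if detected is None:
        status = "unknown"
    elif detected == claimed:
        status = "match"
    else:
        status = "mismatch"
    return {"name": name, "claimed": claimed, "detected": detected, "status": status}

def hash_check(name: str, data: bytes, known: dict) -> dict:
    """Hash a file with MD5 and SHA-1 and look the SHA-1 up in a hash set.

    A hit in a known-good set lets the file be set aside; a hit in a known-bad
    set flags it; no hit means it has to be reviewed on its own merits.
    """
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return {"name": name, "md5": md5, "sha1": sha1, "hash_set": known.get(sha1, "not in set")}

def triage(files: dict, known: dict) -> list:
    """Run both checks over a name -> bytes mapping and merge the results per file."""
    rows = []
    for name, data in files.items():
        row = signature_check(name, data)
        row.update({k: v for k, v in hash_check(name, data, known).items() if k != "name"})
        rows.append(row)
    return rows

# Constructed sample "files" (byte strings), not taken from the lab images.
SAMPLE_FILES = {
    "vacation.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 64,
    "invoice.pdf": b"\xFF\xD8\xFF\xE1\x00\x18Exif\x00\x00" + b"\x00" * 64,  # JPEG renamed .pdf
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 64,
    "notes.txt": b"Meeting moved to Thursday.\n",
}
# Constructed hash set keyed by SHA-1, standing in for a real known-file set.
KNOWN_HASHES = {
    hashlib.sha1(SAMPLE_FILES["setup.exe"]).hexdigest(): "known-good (constructed entry)",
}

if __name__ == "__main__":
    for row in triage(SAMPLE_FILES, KNOWN_HASHES):
        print(f"{row['name']:<14} claimed={row['claimed']:<4} detected={str(row['detected']):<5} "
              f"{row['status']:<9} {row['hash_set']}  sha1={row['sha1'][:12]}...")
```

Only the first 16 bytes are read for the signature, which is enough for every rule in the table; a real table carries footer signatures too, and a file whose extension has no rule at all should be reported as unknown rather than silently passed as a match.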
Searching evidence with EnCase allows the recovery of emails, internet activity logs, and other artifacts. Using targeted search features, investigators can locate relevant communications or web browsing activities, which are often crucial in criminal cases involving digital footprints. Analyzing email structures, conversations, and associated metadata can provide insights into communication patterns.
The tool’s capability of indexing evidence supports rapid keyword searches within large datasets, facilitating efficient targeting of relevant data. Custom tags and bookmarks enable investigators to mark significant evidence or artifacts for further review or reporting, streamlining the workflow.
In conclusion, EnCase Forensic V7 offers a comprehensive suite of features necessary for in-depth digital investigations. From evidence acquisition through sophisticated analysis and reporting, the platform supports investigators in uncovering critical digital evidence while maintaining a proper chain of custody, ensuring the integrity and admissibility of digital forensic findings.