EnCase Computer Forensics - The Official EnCE-EnCase Certified Examiner Study Guide, 2nd Ed.


Document information

EnCase® Computer Forensics
The Official EnCE®: EnCase® Certified Examiner Study Guide
Second Edition

Steve Bunting

Wiley Publishing, Inc.

81454ffirs.fm Page iii Thursday, October 25, 2007 8:46 AM

Acquisitions Editor: Jeff Kellum
Development Editor: Stef Jones
Technical Editor: Dave Arnett
Production Editor: Angela Smith
Copy Editor: Kim Wimpsett
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Vice President and Publisher: Neil Edde
Media Associate Project Manager: Laura Atkinson
Media Assistant Producer: Josh Frank
Media Quality Assurance: Angie Denny
Book Designer: Judy Fung
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Jennifer Larsen, Word One
Indexer: Jack Lewis
Anniversary Logo Design: Richard Pacifico
Cover Designer: Ryan Sneed
Cover Image: Getty Images

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-18145-4

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services.
If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Microsoft and Visual Basic are registered trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. EnCase® is a registered trademark of Guidance Software, Inc. in the United States and other jurisdictions. Copyright ©1998-2006 Guidance Software, Inc. All Rights Reserved. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

Dear Reader

Thank you for choosing EnCase Computer Forensics—The Official EnCE: EnCase Certified Examiner Study Guide, Second Edition.
This book is part of a family of premium quality Sybex books, all written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at nedde@wiley.com, or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,
Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley

To Donna, my loving wife and partner for life, for your unwavering love, encouragement, and support.
—Steve

Acknowledgments

Any work of this magnitude requires the hard work of many dedicated people, all doing what they enjoy and what they do best. In addition, many others have contributed indirectly, and without their efforts and support, this book would not have come to fruition. That said, many people are deserving of my gratitude, and my intent here is to acknowledge them all.

I would like to first thank Maureen Adams, former Wiley Acquisitions Editor, who brought me on board with this project with the first edition and tutored me on the fine nuances of the publishing process. I would also like to thank Jeff Kellum, another Wiley Acquisitions Editor, for his work on the second edition. Jeff guided me through the second edition, keeping me on schedule and helping in many ways.
I would also like to thank Stef Jones, Developmental Editor. Stef allowed me to concentrate on content while she handled the rest. In addition to many varied skills that you’d normally find with an editor, Stef has a strong understanding of topic material, which helped in so many ways. In addition, with several hundred screen shots in this book to mold and shape, I know there is a graphics department at Wiley deserving of my thanks. To those folks, I say thank you.

A special thanks goes to Jon Bair of Guidance Software, Inc. In addition to being a friend and mentor of many years, Jon was the technical editor for the first edition. An equally special thanks goes to Dave Arnett, also of Guidance Software. Dave is a master instructor for Guidance Software and was the technical editor for the second edition of this book. They both worked diligently, making sure the technical aspects of both editions are as accurate and as complete as possible.

Sitting behind the scenes on this project at Guidance Software was Bill Siebert. In addition to being a friend and colleague, Bill is the director of customer relations for Guidance Software. Bill was, with both editions, the facilitator, fixer, go-between, and, at all times, a guiding hand. Thanks, Bill!

Many thanks go to William Wei, who made many contributions to the first edition end-of-chapter tests, as well as some of the Real World Scenarios. Some of those contributions have been carried forth into this edition. Thank you, Will!

The study of computer forensics can’t exist within a vacuum. To that extent, any individual examiner is a reflection and product of their instructors, mentors, and colleagues. Through them you learn, share ideas, troubleshoot, conduct research, grow, and develop. Over my career, I’ve had the fortune of interacting with many computer forensics professionals and have learned much through those relationships.
In no particular order, I would like to thank the following people for sharing their knowledge over the years: Keith Lockhart, Ben Lewis, Chris Stippich, Grant Wade, Ed Van Every, Raemarie Schmidt, Mark Johnson, Bob Weitershausen, John Colbert, Bruce Pixley, Lance Mueller, Howie Williamson, Lisa Highsmith, Dan Purcell, Ben Cotton, Patrick Paige, John D’Andrea, Mike Feldman, Mike Nelson, Steve Mahoney, Joel Horne, Mark Stringer, Dustin Hurlbut, Fred Cotton, Ross Mayfield, Bill Spernow, Arnie “A. J.” Jackson, Ed Novreske, Steve Anson, Warren Kruse, Bob Moses, Kevin Perna, Dan Willey, Scott Garland, and Steve Whalen.

Every effort has been made to present all material accurately and completely. To achieve this I verified as much information as possible with multiple sources. In a few instances, published [...]

... computer forensics. The EnCE certification meets or exceeds the needs of the computer forensics industry. This book was also designed for computer forensics students working either in a structured educational setting or in a self-study program. The chapters include exercises and evidence files that work with the version of EnCase that ships with the DVD, making it an ideal learning tool for either setting. The...

... of the original. To verify the EnCase evidence file containing the image, you should do which of the following?
A. Use a hex editor to compare a sample of sectors in the EnCase evidence file with that of the original.
B. Load the EnCase evidence files into EnCase for Windows, and after the verification is more than halfway completed, cancel the verification and spot-check the results for errors.
C. Load the...
... of EnCase that is provided on the DVD is not a fully functional version of the software and works only with the evidence files provided on the DVD. The limited use version of EnCase provided on this DVD functions differently when acquiring evidence and you will note that the Acquire button on the toolbar is disabled. To acquire the evidence files on the DVD, drag them from the DVD and drop them into the...

... Load the EnCase evidence files into EnCase for DOS, and verify the hash of those files.
D. Load the EnCase evidence files into EnCase for Windows, allow the verification process to finish, and then check the results for complete verification.

10. You are a computer forensic examiner and need to verify the integrity of an EnCase evidence file. To completely verify the file’s integrity, which of the following...

About the Author

Steve Bunting is a captain with the University of Delaware Police Department, where he is responsible for computer forensics, video forensics, and investigations involving computers. He has more than 30 years’ experience in law enforcement, and his background in computer forensics is extensive. He is a Certified Computer Forensics Technician (CCFT) and an EnCase Certified...

... Forensic and EnCase Enterprise customers. As part of its support, Guidance Software provides the EnCase Legal Journal. The EnCase Legal Journal was updated in April 2007 with the most up-to-date case law, and it is provided on the DVD in a PDF file. Updates to the EnCase Legal Journal are available for download from the Legal Resources section of the Guidance Software website: www.guidancesoftware.com. The EnCE...

... important as the destination.

What Is the EnCE Certification?
Guidance Software, Inc., developed the EnCE in late 2001 to meet the needs of its customer base, who requested a solid certification program covering both the use of the EnCase software and computer forensics concepts in general. Since its inception, the EnCE certification has become one of the most recognized and coveted certifications in the computer...

... confirm the complete integrity of the EnCase evidence file. See Chapter 5 for more information.

11. B. In the EnCase environment, the Table pane contains a list of all objects (files) within a folder selected in the Tree pane. This pane has columns for the metadata of each file, including the name. See Chapter 6 for more information.

12. C. In the EnCase environment, the View pane allows you to view the contents...

... the forensic image of the hard drive is FAT (File Allocation Table). What information about the document file can be found in the FAT on the media? (Choose all that apply.)
A. Name of the file
B. Date and time stamps of the file
C. Starting cluster of the file
D. Fragmentation of the file
E. Ownership of the file

4. You are a computer forensic examiner investigating media on a seized computer. You recovered...

... containing potential evidence. EnCase reports the file system on the forensic image of the hard drive is NTFS (New Technology File System). What information about the document file can be found in the NTFS master file table on the media? (Choose all that apply.)
A. Name of the file
B. Date and time stamps of the file
C. Starting cluster of the file
D. Fragmentation of the file
E. Ownership of the file

Date posted: 25/03/2014, 11:14
