Basic Computer Forensic Analysis Techniques in EnCase
I was recently asked to provide a list of forensic analysis techniques. After looking through some of my documents, I realized I didn't really have an up-to-date worksheet that listed most of the common analysis techniques, even though we all have them memorized.
My goal is to create a flow chart to guide a new examiner to perform the commonly used techniques that we typically use in *every* case, and then also provide *case* specific techniques depending on the type of analysis or investigation. The following list is not meant to be all-inclusive of every technique that we use, but instead it is designed to be a starting point and as a reminder of things to think about depending on the type of your case. Currently, I am focusing on the analysis of Windows-based machines in EnCase. Please feel free to comment and add your own ideas in the comment section for others to benefit:
General Forensic techniques
- Load Image into EnCase, verify Image
- Check physical size of drive and compare to physical label
- Identify & compare logical partition size(s) to physical drive size to identify any deleted partitions or unused disk space.
- Recover folders
- Conduct hash analysis, identify "known" and/or "notable" files. "Known" files can be excluded from the remaining analysis techniques to reduce time and increase efficiency.
- Conduct file signature analysis, review renamed files.
- Retrieve time zone settings for each disk and apply correct time zone, if applicable.
- Mount compound files
- Conduct keyword search
- Recover client based email
- Recover web based email
- Recover Internet history (logical and unallocated)
- Determine OS version, service pack, hotfixes & OS install date
- Retrieve user account information (names, SIDs, logon dates)
- Retrieve user specific registry artifacts (recent docs, userassist, etc.)
- Retrieve attached USB history
- Process LNK files to identify removable devices
- Review installed applications
- Review Office related files (doc, docx, xls, xlsx, ppt, mdf) & PDF files
- Review multimedia & graphic image files
- Identify encrypted files (entropy)
- Data carve in unallocated (docs, multimedia, images, zips, base64)
- Review Recycle Bin & recover deleted INFO2 records in unallocated
- Review System Volume Information/old registry hives
- Review Windows event logs
- Mount image virtually and perform virus scan
- Recover Windows logon password(s) (rainbow tables)
- Recover username/passwords in protected storage areas
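The partition-size check above (comparing logical partition extents to the physical drive size) is easy to script when EnCase is not at hand. The following is an added example, not from the original post or from EnCase: it parses a classic MBR partition table and reports sector ranges that no partition claims, which is where a deleted partition or deliberately hidden space would sit. It assumes 512-byte sectors and an MBR (not GPT) disk, and the sample MBR is constructed here rather than taken from a real case.

```python
import struct

SECTOR = 512  # assumed sector size; check the drive label / EnCase device info

def parse_mbr_partitions(mbr: bytes):
    """Return sorted (start_lba, size_sectors, type) for each used MBR slot."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR (GPT or damaged?)")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                       # partition type byte
        start, size = struct.unpack("<II", entry[8:16])  # LBA start, sector count
        if ptype != 0 and size != 0:
            parts.append((start, size, ptype))
    return sorted(parts)

def find_unallocated(mbr: bytes, disk_sectors: int, min_gap: int = 2048):
    """Compare partition extents to the physical size; return [(start_lba, length)].

    Gaps smaller than min_gap sectors (default 1 MiB) are normal alignment
    padding and are ignored; anything larger deserves a look in the hex view.
    """
    gaps = []
    cursor = 1  # LBA 0 holds the MBR itself
    for start, size, _ in parse_mbr_partitions(mbr):
        if start - cursor >= min_gap:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + size)
    if disk_sectors - cursor >= min_gap:          # space after the last partition
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def build_sample_mbr(entries):
    """Constructed test MBR: entries are (start_lba, size_sectors, type)."""
    mbr = bytearray(512)
    for i, (start, size, ptype) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        mbr[off + 8: off + 16] = struct.pack("<II", start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

# Constructed sample: two NTFS (0x07) partitions on a ~9.5 GiB disk,
# with an unclaimed gap between them and slack after the second one.
SAMPLE_MBR = build_sample_mbr([(2048, 4_000_000, 0x07), (8_000_000, 6_000_000, 0x07)])
SAMPLE_DISK_SECTORS = 20_000_000

if __name__ == "__main__":
    for start, length in find_unallocated(SAMPLE_MBR, SAMPLE_DISK_SECTORS):
        print(f"unallocated: LBA {start} for {length} sectors ({length * SECTOR // 2**20} MiB)")
```

On a real image, read the first 512 bytes of the physical device (not a partition) into `mbr` and pass the sector count reported by the drive.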
Windows Vista/7 specific
- Review Volume Shadow Service