Tuesday, March 29, 2011

Basic Computer Forensic Analysis Techniques in EnCase

I was recently asked to provide a list of forensic analysis techniques. After looking through some of my documents, I realized I didn't really have an up-to-date worksheet that listed most of the common analysis techniques, even though we all have them memorized.


My goal is to create a flow chart that guides a new examiner through the commonly used techniques we typically apply in *every* case, and then also lists *case*-specific techniques depending on the type of analysis or investigation. The following list is not meant to be all-inclusive of every technique we use; it is a starting point and a reminder of things to think about depending on the type of case. Currently, I am focusing on the analysis of Windows-based machines in EnCase. Please feel free to comment and add your own ideas in the comment section so others can benefit:



General Forensic techniques

  • Load image into EnCase and verify the image (acquisition hash must match)
  • Check the physical size of the drive and compare it to the capacity on the physical label (a shortfall can indicate an HPA or DCO hiding sectors)
  • Identify & compare logical partition size(s) to the physical drive size to identify any deleted partitions or unused disk space.
  • Recover folders
  • Conduct hash analysis, identify "known" and/or "notable" files. "Known" files can be excluded from the remaining analysis techniques to reduce time and increase efficiency.
  • Conduct file signature analysis, review renamed files (header and extension disagree).
  • Retrieve time zone settings for each disk and apply the correct time zone, if applicable.
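As an added illustration (not code from the original post or from EnCase), the following Python script walks three of the general checks above on constructed input: it parses an MBR and reports sector ranges no partition accounts for, then runs a hash-set pass and a header-vs-extension signature check over a handful of in-memory "files". The header table, the 2048-sector gap threshold, the MD5 hash sets and every sample file are assumptions made for the example.

```python
"""Added example: scripted versions of the partition-size check, hash analysis and
file signature analysis from the general list. Not from the original post or from
EnCase; every input below is constructed for the demonstration."""
import hashlib
import struct


# ---- logical partitions vs. physical drive size ----
def parse_mbr(mbr: bytes):
    """Return the used entries of a classic MBR as dicts of type/start/sectors."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature at offset 510")
    parts = []
    for i in range(4):                       # four 16-byte entries at offset 446
        _status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype and count:
            parts.append({"type": ptype, "start": lba, "sectors": count})
    return parts


def find_unaccounted_space(parts, total_sectors, min_gap=2048):
    """Sector ranges not covered by any partition. Gaps smaller than min_gap (assumed
    2048 sectors, the usual 1 MiB alignment gap before the first partition) are ignored."""
    gaps, cursor = [], 1                     # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_gap:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if total_sectors - cursor >= min_gap:    # space after the last partition
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed MBR: two NTFS partitions with a hole between them and space after."""
    mbr = bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2048, 400_000)
    struct.pack_into("<B3xB3xII", mbr, 462, 0x00, 0x07, 700_000, 200_000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# ---- hash analysis and file signature analysis ----
# Abbreviated header table (assumption); a real examination uses the tool's full set.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt", "msg"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys", "scr"},
}


def signature_check(name: str, data: bytes) -> str:
    """'match', 'mismatch' (header and extension disagree: a renamed file) or 'unknown'."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for magic, exts in MAGIC.items():
        if data.startswith(magic):
            return "match" if ext in exts else "mismatch"
    return "unknown"


def classify_by_hash(data: bytes, known: set, notable: set) -> str:
    h = hashlib.md5(data).hexdigest()        # MD5 hash sets, as used in EnCase of this era
    if h in notable:
        return "notable"
    return "known" if h in known else "unknown"


def triage_files(files: dict, known: set, notable: set) -> dict:
    """Hash first, then skip signature analysis for known files to save time."""
    results = {}
    for name, data in files.items():
        cls = classify_by_hash(data, known, notable)
        sig = "skipped" if cls == "known" else signature_check(name, data)
        results[name] = {"hash": cls, "signature": sig}
    return results


SAMPLE_FILES = {                             # constructed stand-ins, not real files
    "report.docx": b"PK\x03\x04" + b"\x00" * 60,
    "holiday.jpg": b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 60,
    "notes.txt": b"MZ\x90\x00" + b"\x01" * 60,   # an executable renamed to look like text
    "calc.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


def build_hash_sets():
    """Constructed stand-ins for a 'known' (NSRL-style) set and a case 'notable' set."""
    known = {hashlib.md5(SAMPLE_FILES["calc.exe"]).hexdigest()}
    notable = {hashlib.md5(SAMPLE_FILES["notes.txt"]).hexdigest()}
    return known, notable


if __name__ == "__main__":
    print("unaccounted sector ranges:",
          find_unaccounted_space(parse_mbr(build_sample_mbr()), total_sectors=1_000_000))
    for name, r in triage_files(SAMPLE_FILES, *build_hash_sets()).items():
        print(f"{name:14} hash={r['hash']:8} signature={r['signature']}")
```

Against the constructed MBR the gap finder reports the hole between the two partitions and the tail of the disk; on a real case those ranges are where a deleted partition or an unused area would be carved. The triage pass shows the ordering the list recommends: the known-good executable is never signature-checked, while the same header under a `.txt` name is flagged as a renamed file.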

Case specific techniques

  • Mount compound files
  • Conduct keyword search
  • Recover client based email
  • Recover web based email
  • Recover Internet history (logical and unallocated)
  • Determine OS version, service pack, hotfixes & OS install date
  • Retrieve user account information (names, SIDs, logon dates)
  • Retrieve user specific registry artifacts (recent docs, userassist, etc.)
  • Retrieve attached USB history
  • Process LNK files to identify removable devices
  • Review installed applications
  • Review Office related files (doc, docx, xls, xlsx, ppt, mdb) & PDF files
  • Review multimedia & graphic image files
  • Identify encrypted files (entropy)
  • Data carve in unallocated (docs, multimedia, images, zips, base64)
  • Review Recycle Bin & recover deleted INFO2 records in unallocated (XP/2003; Vista/7 keep one $I/$R pair per deleted file instead)
  • Review System Volume Information/old registry hives
  • Review Windows event logs
  • Mount image virtually and perform virus scan
  • Recover Windows logon password(s) (rainbow tables)
  • Recover username/passwords in protected storage areas
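Two of the case-specific steps above, identifying encrypted files by entropy and recovering deleted INFO2 records from unallocated space, as an added Python example that is not from the original post or from EnCase. It runs over a constructed blob standing in for unallocated clusters; the 7.5 bits/byte threshold and the sample paths, dates and sizes are assumptions. The record layout it relies on is the documented XP/2003 one: 800-byte records with the ASCII path at offset 0, index/drive/FILETIME/size at offset 260, and a UTF-16LE copy of the path at offset 280.

```python
"""Added example: entropy check for likely-encrypted data and a heuristic carver for
XP/2003 INFO2 Recycle Bin records in unallocated space. Not from the original post
or from EnCase; the sample blob is constructed for the demonstration."""
import math
import re
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_RECORD_SIZE = 800        # record length in XP/2003 INFO2 files
UNICODE_PATH_OFFSET = 280      # UTF-16LE copy of the original path inside a record


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0..8.0. Encrypted and compressed data both sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_likely_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Assumed threshold; pair with signature analysis, since zip/jpeg/docx score high too."""
    return shannon_entropy(data) >= threshold


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# An INFO2 record has no magic number. The UTF-16LE path copy at offset 280 starts with
# a drive path ("C:\") and survives emptying the bin, which only zeroes the first byte
# of the ASCII copy at offset 0, so search for that pattern and step back 280 bytes.
_UNICODE_DRIVE_PATH = re.compile(rb"[A-Z]\x00:\x00\\\x00")


def carve_info2_records(blob: bytes):
    """Yield every plausible INFO2 record in blob (a heuristic carver, not a file parser)."""
    for m in _UNICODE_DRIVE_PATH.finditer(blob):
        start = m.start() - UNICODE_PATH_OFFSET
        if start < 0 or start + INFO2_RECORD_SIZE > len(blob):
            continue
        rec = blob[start:start + INFO2_RECORD_SIZE]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        letter = chr(rec[UNICODE_PATH_OFFSET])
        if drive > 25 or letter != chr(ord("A") + drive):   # drive field must agree with path
            continue
        path = rec[UNICODE_PATH_OFFSET:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        yield {"offset": start, "index": index, "drive": letter, "size": size,
               "deleted_utc": filetime_to_datetime(ft), "path": path,
               "emptied": rec[0] == 0}             # ASCII name zeroed: purged from the bin


def _make_record(path: str, index: int, ft: int, size: int, emptied: bool = False) -> bytes:
    """Build one constructed 800-byte record for the sample blob."""
    ascii_name = path.encode("ascii").ljust(260, b"\x00")
    if emptied:
        ascii_name = b"\x00" + ascii_name[1:]
    fields = struct.pack("<IIQI", index, ord(path[0].upper()) - ord("A"), ft, size)
    return ascii_name + fields + path.encode("utf-16-le").ljust(520, b"\x00")


def build_sample_unallocated() -> bytes:
    """Constructed blob: two records amid filler plus a decoy UTF-16 path with no record."""
    ft = datetime_to_filetime(datetime(2011, 3, 29, 12, 0, tzinfo=timezone.utc))
    decoy = b"\x00" * 300 + "D:\\just_a_string.txt".encode("utf-16-le") + b"\x00" * 600
    return (b"filler text " * 40
            + _make_record("C:\\Documents and Settings\\jdoe\\secret.docx", 7, ft, 24576)
            + b"\xff" * 123
            + _make_record("E:\\photos\\img001.jpg", 8, ft + 600 * 10_000_000, 1_048_576,
                           emptied=True)
            + decoy)


if __name__ == "__main__":
    blob = build_sample_unallocated()
    print("blob looks encrypted?", is_likely_encrypted(blob))
    for r in carve_info2_records(blob):
        print(f"@{r['offset']:>6} #{r['index']} {r['deleted_utc']:%Y-%m-%d %H:%M:%S} "
              f"{r['size']:>8} {r['path']}{'  [emptied]' if r['emptied'] else ''}")
```

The carver finds the emptied record, whose ASCII name is gone, from its intact Unicode copy, and rejects the decoy because its drive-number field does not agree with the drive letter in the path; on real unallocated space that cross-check is what keeps a bare `C:\` string from being reported as a deletion. Deletion times come out in UTC, so the case's time zone setting still has to be applied afterwards.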


Windows Vista/7 specific

  • Review Volume Shadow Copy Service (VSS) snapshots

10 comments:

Anonymous Tuesday, 29 March, 2011  

How to do user account information?

Bridgey the Geek Tuesday, 29 March, 2011  

I notice that 'Recover Folders' is one of your 'General Forensic techniques'.

I wonder what your thoughts are on the possibility of missing things in unallocated clusters due to recovered folders rearranging sectors/clusters and a file which was contiguous before Recover Folders is now not and so won't be carved out?

Marek Tuesday, 29 March, 2011  

I'd add "index case" as the second step, so directly after mounting compound files.
Are you going to publish the flow charts when they're ready?

Lance Mueller Tuesday, 29 March, 2011  

@ForensicGeekInTheCorner -

It's really up to you and how you want to process Unallocated. If you carve unallocated, you would find whatever signature you're looking for.

If you recover folders and then process all the data inside, you would find the same header and possibly have a name and associated metadata.

In the case where a filename was recovered in the recovered folders process, but it ended up in the middle of a continuous file, then the examiner would have to be cognizant of that and manually look at the signature and the data that follows to determine if it in fact belongs to that file or some previous or later file.

@Marek - Yes, I will be posting the final chart

Anonymous Friday, 01 April, 2011  

Add to General Forensic techniques after verification:

“Determine time zone setting and subsequently set your forensic tool with the appropriate setting.”

Thanks,
JB

fschifilliti Friday, 01 April, 2011  

For the General part, I personally always perform a short analysis of the registry to determine the user's information and the installation date of the operating system. In the Specific part I carry out a deeper analysis of the registry keys of interest for the case.

Francesco

Computer Forensics Expert Sunday, 03 April, 2011  

Considerably, the article is actually the freshest on this notable topic. I agree with your conclusions and will thirstily look forward to your next updates. I will immediately grab your RSS feed to stay abreast of any updates.

Anonymous Wednesday, 06 April, 2011  

Depending a bit on the case, it seems useful to check that the file system is reasonably sound, or at least document any problems that tools such as 'chkdsk' may find.

With EnCase and VDE/PDE and Windows file systems it's easy and fast enough.

macster Tuesday, 17 May, 2011  

good job, would love to see more in-depth on email analysis with encase

computer services Thursday, 26 May, 2011  

very interesting post! was definitely a good read and something to learn from!


Computer Forensics, Malware Analysis & Digital Investigations
