project2 Encase.pptx [Read-Only] 3 The EnCase Interface for Reporting Evidence The final phase of a...



Page 1 (printed 1/20/2012)

ENCASE CYBER-SECURITY FORENSICS

Email Investigation &

Recovering Digital Photograph Evidence

CIS 4385 Final Project

Dr. Chi

Forensic Investigator:

Michael Simmons

Florida A&M University

December 03, 2011

Overview

This case involves recovering email and digital photograph evidence on an employee named Michael Simmons, who may possibly be involved in providing confidential information concerning a new kayak to his company's business competitor. Michael Simmons is sending altered graphic files as attachments in his company's email. He is considered to be an insider threat.

The EnCase v7 forensic tool will be used to attempt to locate and recover Michael Simmons's emails and graphic file, to be used as evidence against Michael Simmons for violating the company's confidentiality policy.

Brief overview of what a forensic examiner can do with EnCase:

• Investigate inappropriate web surfing.
• Search the contents of files for inappropriate images, photos and movies.
• Identify traces of abusive behavior in emails and stored documents.
• Protect highly sensitive information such as tests, grades and confidential student/teacher data (social security numbers, addresses, etc.).
• Enforce computer use policies.
• Respond to network breaches and identify compromised systems.
• Identify rootkit and rogue process propagation.
• Universities can ensure their compliance with HIPAA.
• Determine whether a computer system contains evidence and is within the scope of our investigation.
• Restore entire disk volumes back to their original state.
• Do a basic keyword search of the entire case using any number of search terms.
• Do advanced searches using the powerful UNIX GREP syntax.
• Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide.
• Investigate and analyze data from multiple platforms – Windows, Linux, AIX, OS X, Solaris, and more – using a single tool.
• Find information despite efforts to hide, cloak, or delete.
• Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack, and unallocated space.
• Transfer evidence files directly to law enforcement or legal representatives as necessary.
• Review options that allow non-investigators, such as attorneys, to review evidence with ease.
• Restoring a drive.
• Use reporting options for quick report preparation.

The following acquiring devices and evidence functions are available:

Logical Evidence Files

Raw Image Files

Single Files

Acquire a Local Drive

Windows-based Acquisitions with Tableau and FastBloc Write Blockers

Acquiring in Windows using FastBloc SE

Acquiring in Windows without a Tableau or FastBloc Write Blocker

Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)


Acquiring a Disk Running in Direct ATA Mode

Acquiring Disk Configurations

Windows NT Software Disk Configurations

EnCase Evidence Files

Acquiring Other Types of Supported Evidence Files

The Add Evidence menu also contains these selections and a selection to access the Evidence Processor.

The following evidence processing functions are available:

Folder recovery

Hash analysis

Compound file expansion

Email search

Internet artifact search

Keyword search

Index creation

EnScript Module execution:

Parsing system information

Instant messaging

File carving

Other EnScript modules

Additionally, the following operations are always run with the Evidence Processor:

o File signature analysis

o Protected file analysis

Page 2

Types of Acquisitions

EnCase can acquire evidence to four basic formats:

Current EnCase evidence files (Ex01): The new EnCase evidence file format takes all the strengths of the legacy EnCase evidence file and moves it forward to a new generation with the addition of bzip compression to reduce the size of your evidence files, the option to encrypt your evidence with AES256 and encryption keypairs or passwords, and the option to choose MD5 hashing, SHA-1 hashing, or both.

Current Logical evidence files (Lx01): adding the same new features, with the exception of encryption, to the legacy Logical evidence files.

Legacy EnCase evidence files (E01): that you can use to provide a copy of evidence to an examiner running an older version of EnCase.

Legacy Logical evidence files (L01): also used to provide a copy of evidence to an examiner running an older version of EnCase.

Smartphone acquisitions in EnCase will generate either Legacy EnCase evidence files (E01) or Legacy Logical evidence files (L01) based upon the device and whether EnCase is performing a physical acquisition or a logical acquisition.

Sources of Acquisitions

Sources for acquisitions within EnCase include:

Previewed memory or local devices such as hard drives, memory cards, or flash drives, creating legacy EnCase evidence files (E01) or the current EnCase evidence files (Ex01).

Evidence files supported by EnCase, including legacy EnCase evidence files (E01), legacy logical evidence files (L01), current EnCase evidence files (Ex01), current logical evidence files (Lx01), DD images, SafeBack images, VMware files (.vmdk), or Virtual PC files (.vhd). You can use them to create legacy EnCase evidence files and legacy logical evidence files, or you can reacquire them to the new EnCase Ex01 or Lx01 format, adding encryption, new hashing options, and improved compression.

Single files dragged and dropped onto the EnCase user interface. These include ISO files, thus creating L01 or Lx01 logical evidence files.

Smartphones, using the Acquire Smartphone dialog box.

Network crossover using LinEn and EnCase to create EnCase evidence files or logical evidence files. This strategy is useful when a need exists to preview a device without disassembling the host computer, such as with many laptops, machines running RAIDs, or machines running devices for which an examiner may not have a supporting controller.

Sources for acquisitions outside EnCase include:

LinEn, for disk-to-disk acquisitions without the need for a hardware write blocker to create EnCase evidence files.

WinEn, for capturing physical memory on a live Windows computer to an EnCase evidence file.

Tableau TD1 Forensic Duplicator, to create an EnCase evidence image of a device.

The EnCase Interface for Browsing and Viewing Evidence

The EnCase layout has three sections:

Tree pane

Table pane

View pane

The Tree-Table view shows the Tree pane on the left, the Table pane on the right, and the View pane on the bottom. This is the traditional EnCase entries view.

On the Hex tab, you can view files as straight hexadecimal. On the Picture tab, you can view images.

Page 3

The EnCase Interface for Reporting Evidence

The final phase of a forensic examination is reporting the findings, which should be well organized and presented in a format that the target audience understands. EnCase adds several enhancements to its reporting capabilities, including:

Reporting templates you can use as is or modify to suit your needs.

Capability to control a report's format, layout, and style.

Ability to add notes and tags to a report.

Reports in EnCase consist of three parts:

Bookmark folders where reference to specific items and notes are stored.

Report templates that hold formatting, layout, and style information. A report template links to bookmark folders to populate content into a report.

Case Information items, where you can define case-specific variables to be used throughout the report.

To add new reports or sections to the template:

1. Highlight the row above the new element you want to add. Right click and select New from the dropdown menu.

2. The New Report Template dialog opens.

3. Enter a Name.

4. Select a Type (Section or Report).

5. If you want to customize Format styles, check the appropriate boxes, or leave the boxes clear to use the default styles.

6. Click OK. The new template component displays below the row you highlighted.

A report component is designated as either a Report or Section, as shown in the Type column.

Viewing a Report

To view a report:

1. In the Report Templates tab, click View Report from the tab toolbar. The dropdown menu lists all reports that have the Show Tab option set.

2. Select the report you want to see. The report displays in the viewer.

Page 4

Michael Simmons's PST file was copied to a thumb drive (drive letter L:\), which is being added to evidence.

The acquired image of the PST file is now located at C:\Working\LocalEvidence. The original evidence will now be preserved on the thumb drive. Analysis starts.
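Before analysis starts on the working copy, an examiner records the hash of the preserved original and confirms that the acquired copy produces the same value; the EnCase evidence formats described on page 2 offer MD5, SHA-1, or both for exactly this purpose. The script below is an added example, not part of this report and not EnCase code: it streams MD5 and SHA-1 over both files and reports a mismatch. The PST contents, the thumb-drive path and the working path are constructed stand-ins, not the case's real data.

```python
import hashlib
import io
import os
import tempfile

# Constructed stand-in for michael.simmons.pst: not real evidence, just enough
# bytes to exercise the streaming hasher ("!BDN" is the PST magic).
SAMPLE_PST_BYTES = b"!BDN" + bytes(range(256)) * 64


def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash a readable binary stream in chunks so a multi-gigabyte PST or disk
    image never has to fit in memory. Returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Convenience wrapper for data already in memory."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha1")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_acquisition(original_path, working_copy_path):
    """Compare the preserved original against the working copy.
    Returns (matches, original_hashes, copy_hashes). A mismatch in either
    algorithm means the copy must not be used for analysis."""
    original = hash_file(original_path)
    copy = hash_file(working_copy_path)
    return original == copy, original, copy


def demo():
    """Write a constructed original (the 'thumb drive'), a faithful working
    copy and a copy with one byte altered, then verify both copies.
    Returns (clean_matches, tampered_matches); expected (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "thumbdrive_L", "michael.simmons.pst")
        clean = os.path.join(tmp, "Working", "LocalEvidence", "michael.simmons.pst")
        tampered = os.path.join(tmp, "Working", "LocalEvidence", "altered.pst")
        for path, content in (
            (original, SAMPLE_PST_BYTES),
            (clean, SAMPLE_PST_BYTES),
            (tampered, SAMPLE_PST_BYTES[:-1] + b"\x00"),  # last byte flipped
        ):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        clean_ok, _, _ = verify_acquisition(original, clean)
        tampered_ok, _, _ = verify_acquisition(original, tampered)
        return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Both digests are kept because the report's EnCase version offers either or both; recording both at acquisition time lets a later reviewer verify with whichever tool they have, and a single-byte change anywhere in the 2 GB file is enough to fail the check.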

Page 5

Under keyword search I am searching for pattern(s) of type FIF. This also includes "Search entry slack" and "Undelete entries before searching".

Results of the keyword search "Money" recovered 21 message files, and a possible timeframe of when the message files were created, last accessed, last written and deleted.
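The keyword search above runs a GREP-style pattern over the raw bytes of the evidence rather than over parsed files, which is why "Search entry slack" can surface hits that lie past the logical end of a live file. The code below is an added illustration, not part of this report and not EnCase's search engine: it scans a constructed image buffer with a regular expression, reports each hit's offset with surrounding context, and flags hits that fall in slack space beyond an assumed logical file size. The message text, addresses and sizes are all constructed.

```python
import re

# Constructed stand-in for a small evidence image: a live message file,
# then zero-filled slack, then remnants of an older (deleted) message.
SAMPLE_IMAGE = (
    b"From: m.simmons@example.test\r\nSubject: kayak design\r\n\r\nno money involved\r\n"
    + b"\x00" * 16                                   # file slack / unallocated
    + b"Subject: MONEY transfer for drawings\r\n"    # deleted remnant
)
LIVE_FILE_SIZE = 74  # constructed: logical end of the live message file


def keyword_search(image, pattern, logical_size=None, context=12, ignore_case=True):
    """GREP-style search over the raw bytes of an image.

    Returns a list of (offset, matched_bytes, context_bytes, in_slack) for
    every hit. in_slack is True when the hit starts at or beyond logical_size,
    i.e. it came from slack/unallocated space rather than the live file.
    The whole buffer is scanned, so hits are found regardless of file
    boundaries, which is what 'Search entry slack' buys the examiner."""
    flags = re.IGNORECASE if ignore_case else 0
    regex = re.compile(pattern, flags)
    hits = []
    for m in regex.finditer(image):
        start = max(0, m.start() - context)
        end = min(len(image), m.end() + context)
        in_slack = logical_size is not None and m.start() >= logical_size
        hits.append((m.start(), m.group(0), image[start:end], in_slack))
    return hits


def hit_offsets(image, pattern, **kwargs):
    """Just the byte offsets, convenient for bookmarking in a report."""
    return [h[0] for h in keyword_search(image, pattern, **kwargs)]


if __name__ == "__main__":
    for off, match, ctx, slack in keyword_search(SAMPLE_IMAGE, rb"money",
                                                  logical_size=LIVE_FILE_SIZE):
        where = "slack" if slack else "live file"
        print(f"offset {off} ({where}): {match!r} in {ctx!r}")
```

The second hit only exists because the scan does not stop at the live file's logical end; a file-level search would have returned the single "no money involved" line and missed the deleted message remnant.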

I reviewed the file Recover1.txt header and found the header to be incorrect for a JPEG image. The correct header would have FF D8 FF E0 at offset 0 and 4A at offset 6 (the first four bytes and the sixth byte; all of the other bytes appeared to be correct).

I rebuilt recover1.txt with the correct JPEG header, renamed the file recoveredme.jpg, double clicked it and opened it with Windows Picture and Fax Viewer.
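The header repair just described can be checked byte by byte rather than by eye. The script below is an added example, not part of this report: it compares the fixed bytes of a JFIF header (SOI and APP0 markers FF D8 FF E0 at offsets 0-3, and the identifier "JFIF\0" at offsets 6-10, which generalises the 4A at offset 6 the report mentions to the whole identifier) against a buffer, lists every mismatch for the report, and writes a repaired copy that touches only the mismatching bytes. The sample JPEG and its damaged twin are constructed to match the damage pattern the report describes; they are not the case's Recover1.txt.

```python
# Fixed bytes of a JFIF header: SOI marker FF D8 and APP0 marker FF E0 at
# offsets 0-3, a 2-byte APP0 length at 4-5 (varies, not checked), then the
# identifier "JFIF\0" at offsets 6-10.
JFIF_SOI_APP0 = bytes.fromhex("FFD8FFE0")
JFIF_IDENTIFIER_OFFSET = 6
JFIF_IDENTIFIER = b"JFIF\x00"

# Constructed sample: a well-formed JFIF header, a placeholder payload and the
# EOI marker. It is not a decodable picture, only a header test vector.
GOOD_JPEG_SAMPLE = (
    JFIF_SOI_APP0
    + bytes.fromhex("0010")        # APP0 segment length = 16
    + JFIF_IDENTIFIER
    + bytes.fromhex("0101")        # JFIF version 1.1
    + bytes.fromhex("00")          # density units
    + bytes.fromhex("00010001")    # X and Y density
    + bytes.fromhex("0000")        # no embedded thumbnail
    + b"<constructed image payload>"
    + bytes.fromhex("FFD9")        # EOI marker
)

# The damage described in the report: first four bytes and the byte at
# offset 6 overwritten, everything else intact.
DAMAGED_JPEG_SAMPLE = (
    b"\x00\x00\x00\x00" + GOOD_JPEG_SAMPLE[4:6] + b"\x00" + GOOD_JPEG_SAMPLE[7:]
)


def expected_signature_bytes():
    """Map offset -> expected byte for the fixed bytes of a JFIF header."""
    expected = {i: b for i, b in enumerate(JFIF_SOI_APP0)}
    expected.update(
        {JFIF_IDENTIFIER_OFFSET + i: b for i, b in enumerate(JFIF_IDENTIFIER)}
    )
    return expected


def check_jfif_header(data):
    """Return [(offset, found, expected), ...] for every signature byte that
    does not match; found is None when the buffer is too short. An empty
    list means the fixed header bytes are intact."""
    mismatches = []
    for offset, expected in sorted(expected_signature_bytes().items()):
        found = data[offset] if offset < len(data) else None
        if found != expected:
            mismatches.append((offset, found, expected))
    return mismatches


def repair_jfif_header(data):
    """Return a copy with the signature bytes restored. Only mismatching
    bytes are rewritten; a buffer shorter than the signature is zero-padded
    first so every signature offset exists."""
    needed = JFIF_IDENTIFIER_OFFSET + len(JFIF_IDENTIFIER)
    buf = bytearray(data)
    if len(buf) < needed:
        buf.extend(b"\x00" * (needed - len(buf)))
    for offset, _found, expected in check_jfif_header(bytes(buf)):
        buf[offset] = expected
    return bytes(buf)


def describe(mismatches):
    """Report lines such as 'offset 0: found 00, expected FF'."""
    lines = []
    for offset, found, expected in mismatches:
        shown = "<missing>" if found is None else f"{found:02X}"
        lines.append(f"offset {offset}: found {shown}, expected {expected:02X}")
    return lines


if __name__ == "__main__":
    for line in describe(check_jfif_header(DAMAGED_JPEG_SAMPLE)):
        print(line)
    repaired = repair_jfif_header(DAMAGED_JPEG_SAMPLE)
    print("repaired matches original:", repaired == GOOD_JPEG_SAMPLE)
```

Recording the mismatch list alongside the repaired file documents exactly which bytes were changed during recovery, which is what a reviewer of the report will want to see before accepting recoveredme.jpg as derived from Recover1.txt.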

The processing of my 2 GB email .pst file (michael.simmons.pst) required two days on my older, slower Dell laptop computer. I then switched to my new workstation computer and completed the task in 4 hours. I now see that with more data on a computer, more forensic data becomes available, which made me come to realize that the resource cost involved in an incident handling situation is fairly significant. In addition, staffing an incident handling team with the proper skills required to effectively carry out incident handling will be quite challenging.

Page 6

The recovered emails and a graphic file are extremely incriminating evidence that will be used against Michael Simmons for violating the company's confidentiality agreement. Criminal charges may also be filed.

As part of this course, I have learned critical investigation techniques. With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime, including fraud, insider threat, industrial espionage, and phishing. Many universities and government agencies are now having to cross-train their IT professionals or hire digital forensic professionals; becoming a computer forensic investigator is now a necessary requirement.
