Selecting a raw image file to import into EnCase

Incident Response & Computer Forensics
Figure 11-7
Selecting the appropriate dd image files
Figure 11-8
The EnCase analysis environment
11:
Data Analysis Techniques
When you choose to add a raw image, EnCase displays the Add Raw Image dialog box, as shown in Figure 11-7. Here, you must select all dd image files that compose the raw image in the proper order, and you must select Disk for the Image Type choice. Once your dd files are added to the case successfully, EnCase presents the contents of the raw image files with a powerful Windows Explorer-type interface, as shown in Figure 11-8. At this point, you can use EnCase's suite of tools to perform nearly all the preparation required to analyze the data in an efficient and effective manner.
Reviewing Forensic Duplicates in the Forensic Toolkit
The Forensic Toolkit by AccessData is another powerful application to have in your tool kit. The interface and evidence import processes are a bit more complicated than EnCase; however, it can outperform EnCase when dealing with e-mail store files and complex string searches. To begin a session, select the Start a new case option from the dialog box that appears when you start the application. Figure 11-9 shows the case generation screen.
Figure 11-9
The FTK Case generation menu
Figure 11-10
The FTK Refine Case options
Throughout the next several prompts that appear, you will choose how you would like to view the data from the evidence. The best way to start is to select nearly every option, and not exclude any data, in order to get an idea of what the application is capable of. If you are not careful, you may inadvertently exclude a number of files from your examination. Figure 11-10 shows the case refining options that are available for execution while the forensic image is importing.
FTK will take a considerable amount of time to import a forensic duplicate. During this process, it is indexing files for future string searches, identifying file types by comparing their hashes against known values, and expanding compound file types. FTK's ability to handle compound files, such as Microsoft OLE, Outlook, and Exchange files, is currently unparalleled. Figure 11-11 shows the FTK interface with evidence loaded, sorted, and ready for analysis.
Figure 11-11
The FTK analysis environment
CONVERTING A QUALIFIED FORENSIC DUPLICATE TO A FORENSIC DUPLICATE
What happens when you have collected a qualified forensic duplicate and something goes wrong? You are not completely out of luck. The Forensic Toolkit (FTK) will convert the qualified forensic duplicate created by EnCase or SafeBack into a true bit-for-bit duplicate of the original. The FTK software package comes with an explorer program that allows an investigator to quickly load and examine duplicate images. This is especially helpful when you do not have the time to load the full version of FTK, create a new case file, and build string search indices.
Figure 11-12 shows the AccessData Forensic Toolkit Explorer. We have loaded an EnCase evidence file with the File->Open Image command and right-clicked on the EnCase evidence item that we want to export. Select the Export Disk Image item.
Figure 11-12
Selecting an evidence file for export
The next screen (Figure 11-13) that requests user input asks for the location of the new image. Enable the option that will create an MD5 of the image. When we created a forensic duplicate image with dd, we split the file into chunks. You have the same option here. If the destination partition is large enough, we will usually keep the image in a single contiguous file. This process is quite fast. An 18GB EnCase image can be converted to a true forensic duplicate in approximately 12 minutes (Figure 11-14).
Figure 11-13
Selecting image segment size
Figure 11-14
Exporting an EnCase evidence file
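The following is an added example, not part of the original text: a Python check that hashes the segments of a split dd image in numeric order and compares the result with the MD5 recorded for the whole image. It illustrates both the "proper order" requirement when adding dd files to EnCase and the MD5 option in the FTK export. The file names, segment size and sample data are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

def natural_key(name):
    """Numeric-aware sort key so that evidence.2 sorts before evidence.10."""
    return [int(t) if t.isdigit() else t.lower()
            for t in re.split(r"(\d+)", name)]

def md5_of_segments(paths, chunk_size=1 << 20):
    """MD5 of the logical image formed by reading the segments in the given order."""
    digest = hashlib.md5()
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk_size), b""):
                digest.update(block)
    return digest.hexdigest()

def verify_split_image(directory, expected_md5):
    """Order the segments numerically, hash them, and compare to the recorded MD5."""
    names = sorted(os.listdir(directory), key=natural_key)
    actual = md5_of_segments([os.path.join(directory, n) for n in names])
    return names, actual, actual == expected_md5.lower()

def demo():
    """Constructed sample: a 16 KiB 'image' split into 1500-byte segments."""
    image = b"".join(i.to_bytes(4, "big") for i in range(4096))
    recorded_md5 = hashlib.md5(image).hexdigest()   # hash noted at acquisition
    seg = 1500
    with tempfile.TemporaryDirectory() as d:
        for n, start in enumerate(range(0, len(image), seg), start=1):
            with open(os.path.join(d, f"evidence.{n}"), "wb") as fh:
                fh.write(image[start:start + seg])
        names, actual, ok = verify_split_image(d, recorded_md5)
        # Plain lexical order puts evidence.10 before evidence.2, which
        # assembles a different byte stream and therefore a different hash.
        lexical = [os.path.join(d, n) for n in sorted(names)]
        lexical_matches = md5_of_segments(lexical) == recorded_md5
    return names, ok, lexical_matches

if __name__ == "__main__":
    names, ok, lexical_matches = demo()
    print("segments in order:", names)
    print("numeric order matches recorded MD5:", ok)
    print("lexical order matches recorded MD5:", lexical_matches)
```

A mismatch after a numeric-order pass points to a missing, truncated or altered segment rather than to ordering.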
RECOVERING DELETED FILES ON WINDOWS SYSTEMS
There are many occasions when you will want to scour through unallocated space on a restored forensic image in order to undelete or recover as many files or file fragments as possible. You would certainly want to recover any evidence that had been deleted by malicious users or simply erased by those who wish to cover up their misdeeds. In this section, we examine the different ways to obtain files that, for all intents and purposes, suspects would believe no longer exist. These deleted files are often the ones that make or break your investigation; thus, your techniques of data recovery must be exceptional!
As you probably know, deleted files are not truly deleted; they are merely marked for deletion. For example, when a file or directory is deleted from a FAT filesystem, the first letter of its filename is set to the sigma character (σ), or, in hex, 0xE5. This means that these files will remain intact until new data has overwritten the physical area where these deleted files are located on the hard drive. Special tools can find these intact deleted files and recover them for review. Remember: the sooner you attempt to recover a file, the better your chances of success. After a file has been marked for deletion, each hard drive I/O could overwrite the data you want to recover.
Several operating systems maintain a recycle bin / trash bin for files that are deleted within a certain operating environment. For example, if you delete files from the file manager in Solaris, you might be able to get the files back from dt/Trash. In Windows, the Recycle Bin is on the desktop. We discuss these conditions in Chapters 12 and 13.
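The 0xE5 marker described above can be seen directly in a raw FAT directory. The following is an added example, not code from the original text: a Python scan of 32-byte FAT directory entries that reports the deleted ones together with the starting cluster and size still stored in each entry. The directory bytes and file names are constructed sample data.

```python
import struct

ENTRY_SIZE = 32          # every FAT directory entry is 32 bytes
DELETED = 0xE5           # first name byte of an entry marked as deleted
ATTR_LFN = 0x0F          # long-filename fragment, not a file of its own
ATTR_DIRECTORY = 0x10

def find_deleted_entries(dir_bytes):
    """Return the deleted short-name entries in a raw FAT directory region."""
    found = []
    for off in range(0, len(dir_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = dir_bytes[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:                 # never used: no entries follow
            break
        attr = entry[11]
        if entry[0] != DELETED or (attr & 0x3F) == ATTR_LFN:
            continue
        # The original first character was overwritten; show it as "?".
        base = "?" + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (hi,) = struct.unpack_from("<H", entry, 20)    # high cluster word (FAT32)
        lo, size = struct.unpack_from("<HI", entry, 26)
        found.append({
            "offset": off,
            "name": base + ("." + ext if ext else ""),
            "is_dir": bool(attr & ATTR_DIRECTORY),
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return found

def _entry(name, ext, attr, cluster, size):
    """Build one constructed 8.3 directory entry (timestamps left as zero)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attr
    struct.pack_into("<H", raw, 20, cluster >> 16)
    struct.pack_into("<HI", raw, 26, cluster & 0xFFFF, size)
    return raw

def sample_directory():
    """Constructed sample: one live file, one deleted file, one live file, end marker."""
    live = _entry("README", "TXT", 0x20, 5, 1200)
    gone = _entry("PAYROLL", "XLS", 0x20, 9, 48640)
    gone[0] = DELETED                        # the only change deletion makes here
    other = _entry("NOTES", "DOC", 0x20, 40, 300)
    return bytes(live + gone + other + bytearray(ENTRY_SIZE))

if __name__ == "__main__":
    for hit in find_deleted_entries(sample_directory()):
        print(hit)
```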