Study and install Pro-discover and Encase free version

 

Pro-discover

Pro-discover is a software in a digital forensics that helps investigators to acquire the evidence from computer device. Pro-discover is mostly used in digital forensics and incident response. By using Pro-discover tool, we can create a image of any disk drive or storage drive to analyse, discover the data for investigation.

Some key features of Pro-discover includes:

  • Preview and Image Disks
  • Investigate all filesystems
  • Analyse email artifacts and web
  • Report generation (hash value or automatic)
  • View Internet History

You need to install first Pro-Discover basic software which is available freely. After that opening it, we will see the following launch dialog for creating a new project. Mention the project number and project file name on it and click open button.

ProDiscoverLaunchDialog

Standard format of Project Number is like '001-HDD-1-27-07-2022' and Project File Name is 'SampleDemo-001-HDD-1-27-07-2022'.

Then click on the Capture and Add Image which is in the left hand side panel. One window will open asking for select source drive which you want to capture, here I am going to capture my pen-drive name as Akash. Then select destination folder which you want to store the image file.

Now enter the 'Technician Name', 'Image Number' and 'Description' of it.

Capture&AddImage

If you want compressed image then click on Compression as 'Yes' and for password click on 'Password...'. 

Then click on 'OK'.

Then wait for sometime until capturing process gets completed. Time will vary according to your Disk or Drive size.

ImageCapturingProcess

You can see that the progress bar showing how much drive captured and you can also stop that process by clicking Red Stop Hand button.

After process get finished you will see the small dialog box that show 'Image capture complete. Please check log file for any errors.

Now click 'OK' and then close the Pro-discover and save it to exit.

Then reopen the Pro-discover and open our project and click on the Image you capture which is left panel in the home page of pro-discover tool under the 'Content View'.

Contents of Captured Image

You can see that Pro-discover showing the content of captured image. It will be helpful for forensics investigators to find evidences. You can also explore deleted files here.

You can also generate the report of this image by clicking on the 'Report' tab which is under the 'View' menu.

Pro-discoverImageReport

You can see that evidence report is generated. 

So, we learnt how pro-discover work in forensics techniques to generates reports.

Encase Forensic

Encase is useful for exploring, decrypting, acquiring and freezing forensic data from various devices which ensure integrity of evidence.

It is mainly useful for:

  • Thorough evidence collection: Collect evidence from various sources and go deep into every source to acquire and freeze relevant data for forensics.
  • Customizable workflows: Revamp investigation performance with optimized investigator workflows with predefined or customized conditions and filters to quickly locate evidence.
  • Comprehensive reporting: Provide detailed evidence which is useful for judges to take decisions.

EnCase Forensic is designed to be used by:

  • Those responsible for collecting evidence
  • Forensic examiners and analysts
  • Forensic examiners who develop and use EnScript code to automate repetitive or complex tasks

With EnCase Forensic these types of investigators can:

  • Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide
  • Investigate and analyze data from multiple platforms - Windows, Linux, AIX, OS X, Solaris, and more - using a single tool
  • Find information despite efforts to hide, cloak, or delete
  • Easily manage large volumes of computer evidence, viewing all relevant files, including deleted files, file slack, and unallocated space
  • Create exact duplicates of original data, verified by hash and Cyclic Redundancy Check (CRC) values
  • Transfer evidence files directly to law enforcement or legal representatives
  • Review options that allow non-investigators, such as attorneys, to review evidence with ease
  • Use reporting options for quick report preparation

To get started with a triage case, the pathway suggests three steps:

  • Create a case
  • Add evidence
  • Apply a hash library to your case

Steps

  1. On the home page in the Pathways group, click Preview/Triage.
  2. The Preview / Triage page displays. You can follow the steps for the case you have open, or you can start a new case by clicking
  3. Create a New Case.
  4. Once you create a case, the next step is to add evidence to it. Back on the Preview/Triage page, click Add Evidence to Your Case. The Add Evidence dialog displays.
  5. Click the appropriate link and follow the instructions to perform any of the available add evidence actions.
  6. On the Preview/Triage page, click Apply Hash Library to Your Case.
  7. The Apply Hash Library to Case dialog displays.
Preview Window

Start Window

Using a Case Template to Create a Case

After installing and configuring EnCase, you can create a new case with an EnCase supplied case template. Following are instructions for creating a new case with a case template. After you create a case, most of the EnCase features and their navigation paths become available.

You begin creating a case under the FILE category of the Home tab.

To create a new case:

  1. Click New Case beneath the CASE FILE category on the Home tab.
  2. The Case Options dialog displays. Use this dialog to select a case template and name the case.
  3. In the figure below, the #1 Basic template is selected.
  4. Enter a case Name, then click OK.

Case Template

Add Evidence

Taking Backup:

The dashboard shows a list of all available case backups and sorts them by the following types:

  • Custom: This is a user created backup where you can provide a custom name and comments. Custom backups are retained until explicitly deleted.
  • Scheduled: A scheduled backup is created when you open a new case or schedule a backup manually using the Create Scheduled option.
  • Daily: Every scheduled backup that is closest to that day’s local midnight time is copied and stored as a daily backup.
  • Weekly: Every daily backup that is closest to that week’s Sunday local midnight time is copied and stored as a weekly backup.

Types of Evidence Files:

EnCase Forensic supports the following evidence file types:

  • EnCase evidence files (.E01 or .Ex01)
  • Logical evidence files (.L01 or .Lx01)
  • Raw Image files
  • Single files

Add Image

Verifying Evidence Files

Verify Evidence Files checks CRC values of selected files. It is a way to ensure that evidence is not tampered with. Verified CRC information is written out to a log file. From the Evidence tab, you can check the CRC Errors tab in the bottom pane and bookmark any sectors that contain errors.

To perform an Evidence File verification:

  1. Acquire the evidence files.
  2. Add the evidence files to your case.
  3. Click Tools > Verify Evidence Files.
  4. The Verify Evidence Files dialog displays.
  5. Select one or more evidence files, then click Open. During verification, a progress bar displays in the lower right corner of the window.

Evidence Processing

Processing of Evidence

Hash Analysis

Finding Email:

Select this setting to extract individual messages and attachments from email archives. Find Email supports the following email types:

  • PST (Microsoft Outlook)
  • NSF (Lotus Notes)
  • DBX (Microsoft Outlook Express)
  • EDB (Microsoft Exchange)
  • EMLX (Macintosh OS X)
  • AOL
  • MBOX

Note: EnCase blocks MBOX files from displaying in the Doc tab. This setting prepares email archives for the use of email threading and related EnCase email functionality during case analysis.

To select which email archive types to search:

  • Click Find Email.
  • Click the email archive file types whose messages you want to examine, and click OK. After processing completes, EnCase can analyze the messages and component files extracted from the email archives, according to the other Evidence Processor settings you selected.

Handling Email Attachments:

When EnCase finds an attachment to an email message, it displays an attachment paper clip icon on top of the message icon. However, when email systems append a plain text version of the email together with the HTML/rich text version (this text is called an “alternate body”), EnCase displays a standard email icon. This occurs only when the alternate body is the only attachment to the email message.

Finding Internet Artifacts

Choose this Evidence Processor setting to find Internet-related artifacts, such as browser histories and cached web pages. The only setting that you can configure for Find Interne Artifacts is whether to search within unallocated space.

Currently, six browsers and two types of Internet history are supported. They are:

  1. Internet Explorer: History and cache
  2. Macintosh Internet Explorer: History and cache
  3. Safari: History and cache
  4. Firefox: History and cache
  5. Opera: History and cache
  6. Google Chrome: 
  • History: A list of websites recently visited. This typically consists of websites, usage, and time related data.
  • Cookies: A list of recent authentication and session data for sites with persistent usage. This typically consists of website, expiration times, and site specific cookie data.
  • Cache: A list of recently cached files.
  • Downloads: A list of recently downloaded files. This typically consists of websites, file names, location, size, and date.
  • Keyword Search: A list of recent keyword searches. This typically consists of search terms and the search result page.
  • Login Data: A list of login data. This typically consists of websites, username, password, and SSL information.
  • Top Sites: A list of top websites. This typically consists of website information, rank, thumbnails, and redirect information.

Note: EnCase does not provide the ability to recover Google Chrome Internet artifacts from unallocated clusters.

Note: The difference between a regular search and a search of unallocated is that keywords are added internally and marked with a special tag indicating that it is for Internet history searching only.

Firefox Artifacts

As an enhancement to the Search for Internet history function, EnCase parses Firefox artifacts stored in a SQLite database and displays them in the Artifacts tab.

The types of Firefox 3 artifacts parsed are:

  1. Cookies
  2. Downloads
  3. History
  4. Bookmarks
  5. Form data

Generating reports

Report generation

To add new Reports or Sections to the template:

  • Highlight the row above the new element you want to add. Right click and select New from the dropdown menu.
  • The New Report Template dialog opens.
  • Enter a Name.
  • Select a Type (Section or Report).
  • If you want to customize Format styles, check the appropriate boxes, or leave the boxes clear to use the default styles.
  • Click OK. The new template component displays below the row you highlighted.

Encase can also be used to retrieve data from Mobile Devices and laptops and various hard drive disk.

Comments

Post a Comment

Popular posts from this blog

Basics Forensics Imaging with dd, dcfldd, and dc3dd

Image
  Linux Data acquiring commands DD (Data Dump) dd is use in Linux or Unix operating systems for cloning or converting the files. dd can create bit-by-bit copy of physical drive to generate the image. This image can be used by most of the forensics purposes. Some practical examples on dd command: To backup the entire hard disk:  To backup a complete copy of a hard disc to a different hard disc connected to the identical system, execute the dd command as shown.      # dd if=/dev/sda of=/dev/sdb      'if ' referred as input file, and of referred as output fie. We must be mentioned input and output file carefully. To copy, drive to drive using dd command as shown below, sync option allows you to replicate everything using synchronized input/output.     # dd if=/dev/sda of=/dev/sdb conv=noerror, sync To backup a Partition: You can use the device name of a partition in the input data file, and into the output data either you will be able ...
Read more

Understanding and Demonstrating working of Jumplists

Image
  To understand and demonstrate working of jumplists from data forensic perspective by using jumplists view tool. Jump Lists basically created for providing the quick access to the recently opened documents for respective application. Which is first introduced in the Windows 7. For data forensic perspective, By using Jumplists forensic investigator can analyse the suspect's activity like tracking recently opened application, when the file or application opened or closed, etc. Jumplists provide the Most Recently Used and Most Frequently Used list for respective application which is helpful for data forensic. There are two sets created for storing jumplists in windows: AutomaticDestinations This is automatically generated by Operating System when any file or application opened. The files stored in it, has  .automaticDesinations-ms  extension. To access this file we need to go through the following path. C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinat...
Read more