EnCase Workflow Guidelines

December 13, 2009

In several Guidance classes, I’ve heard fellow students ask “Can you suggest a standard workflow for using EnCase?” The exact workflow will vary from case to case, but I’ve put together one possible workflow with some help from other contributors to the Forensic Focus forum. Please bear in mind that this is a guideline, a suggestion, just one possible way to work through a case using EnCase. You should clearly understand what each of these steps entails and adjust the workflow to suit your style, your written processes, and the case you are working on.

  1. Create case – Ensure that you have all relevant information – custodians, clients, case name, etc.
  2. Change storage paths as appropriate. I set everything to go to a volume or folder dedicated to the case.
  3. Save All.
  4. Add evidence – E01, LEFs, loose files, etc. Each time you add evidence, you should consider rerunning several of the following steps.
  5. Confirm disk geometry, sector count, partitions. You’re checking to see if everything is accounted for. There may be hidden partitions, for example.
  6. Run Partition Finder if indicated.
  7. Run Recover Deleted Folders.
  8. Search case – hash and signature analysis. You will probably repeat this each time you add new evidence.
  9. Run File Mounter – recursive, not persistent, create LEF, add LEF to case.
  10. Run Case Processor -> File Finder. Export results, add back in as LEF.
  11. Search case – hash and signature analysis.
  12. Search for encrypted or protected files. Address as appropriate.
  13. Extract registry hives. This can happen at any point really and they’ll be fed to RegRipper.
  14. Index case.
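
Step 5 is the one most worth automating as a cross-check. As an added example (not from the original post and not Guidance code), here is a Python script that reads the first sector of a raw dd image, parses the MBR partition table, and reports the sector ranges that no partition accounts for, which is exactly where hidden or deleted partitions live. The MBR bytes and the total sector count are constructed inside the script; E01 containers and GPT disks are not handled.

```python
import struct

SECTOR_BYTES = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr_partitions(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used primary entry, sorted by start LBA."""
    if len(mbr) < SECTOR_BYTES or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA boot signature; not a classic MBR")
    parts = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446, 16 bytes per entry
        ptype = mbr[off + 4]
        start_lba, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, start_lba, count))
    return sorted(parts, key=lambda p: p[1])


def unaccounted_sectors(parts, total_sectors):
    """Inclusive sector ranges no partition claims (sector 0 is the MBR itself)."""
    # A gap before the first partition is normal on track-aligned legacy layouts;
    # a large gap between or after partitions deserves a closer look.
    gaps, cursor = [], 1
    for _ptype, start_lba, count in parts:
        if start_lba < cursor:
            raise ValueError(f"partition at LBA {start_lba} overlaps a previous one")
        if start_lba > cursor:
            gaps.append((cursor, start_lba - 1))
        cursor = start_lba + count
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr(entries):
    """Constructed test data: a 512-byte MBR from (type, start_lba, count) tuples."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (ptype, start_lba, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start_lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed image: 20,000 sectors, two NTFS (0x07) partitions with a gap between them.
SAMPLE_TOTAL_SECTORS = 20_000
SAMPLE_MBR = build_sample_mbr([(0x07, 63, 10_000), (0x07, 12_000, 5_000)])

if __name__ == "__main__":
    for start, end in unaccounted_sectors(parse_mbr_partitions(SAMPLE_MBR), SAMPLE_TOTAL_SECTORS):
        print(f"unaccounted sectors {start}-{end} ({end - start + 1} sectors)")
```

On a real image, read the first 512 bytes of the dd file into `parse_mbr_partitions` and take the total sector count from the image size divided by 512, then compare the reported gaps with what EnCase shows as unused disk area.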

Depending on the case:

  1. Analyze LNK files and INFO2 records.
  2. Extract browser history and carve browser history from unallocated.
  3. Parse the event logs into a CSV format.

Other tasks performed outside of EnCase:

  1. Mount image and scan for viruses. Use several different products and never assume that they’re 100% accurate.
  2. Mount image and run triage tool(s) against it.
  3. Run image in LiveView or VFC to see the system as the user experienced it.
  4. Run RegRipper and RipXP against registry hives.
  5. Run MFT Ripper against an extracted MFT.
  6. etc, etc, etc.

Categories: Computer forensics