EnCase Computer Forensics

Slides:



Advertisements
Similar presentations
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation. All.
Advertisements

1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
1 of 7 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
1 of 5 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
 Temperature sensors are the devices which are used to measure the temperature of an object.  These sensors sense the temperature and generate output.
Working with SharePoint Document Libraries. What are document libraries? Document libraries are collections of files that you can share with team members.
Adult Learning Academy
ICP Kit 2011 HHC Data Entry Module The World Bank ICP Kit Training African Development Bank.
Chemical Safety BT 202 Biotechnology Techniques II.
Brush up on Math BCTC Nursing Student Resource Center Renee Felts, RN.
Creating a Web Site to Gather Data and Conduct Research.
Combination Electrical Circuits This workforce solution was funded by a grant awarded by the U.S. Department of Labor's Employment and Training Administration.
Teacher’s Assessment Assistant Worksheet Builder Starting the Program
Health Technology Business & Industry Leadership Team Name:______________________________ Company:___________________________ Healthcare: check 1. Patient.
Unit 6 Review Flashcards Unit 6 Review Flashcards ALA: Pre-Algebra Unit 6 Integers.
Subtracting Integers ALA: Pre-Algebra Unit 6 Integers.
XP New Perspectives on Microsoft Access 2002 Tutorial 1 1 Microsoft Access 2002 Tutorial 1 – Introduction To Microsoft Access 2002.
Developing a One-Stop Resource Center JoEllen Space, Director Online Programs Community College System of NH.
Unit 4 Review Flashcards Unit 4 Review Flashcards ALA: Pre-Algebra Unit 4 Ratios and Proportions.
Greater Than > Less Than Review Greater Than > Less Than Review ALA: Pre-Algebra Unit 1 Whole Numbers.
Using Evaluation and Data To Support Continuous Improvement: Recognizing Key Turning Points COSGROVE & ASSOCIATES BRAGG & ASSOCIATES.
XP New Perspectives on Microsoft Office FrontPage 2003 Tutorial 7 1 Microsoft Office FrontPage 2003 Tutorial 8 – Integrating a Database with a FrontPage.
Exponent Flashcards ALA: Pre-Algebra Unit 6 Integers.
Work Readiness Program Introduction. Objectives List reasons a person is considered a “Good Employee” List reasons a person is considered a “Good Employee”
This work is licensed under a Creative Commons 3.0 License
Unit 1 Review Flashcards Unit 1 Review Flashcards ALA: Pre-Algebra Unit 1 Whole Numbers.
Summer Working Connections Linux+ Virtual Labs Julie Hietschold Friday, July 17, 2015.
Balancing Act What Reading Teachers Want Writing Teachers to Know and What Writing Teachers Want Reading Teachers to Know.
SkillsCommons.org You have a friend in the everything business Catherine Zoerb Fall 2015 This workforce product was funded by a grant awarded by the U.S.
Introduction to Medical Terminology. Knowledge how medical terms are built Lots of memorization of the various medical word components Once know the components.
Pumps. PUMP FAMILY TREE CENTRIFUGAL PUMP ADVANTAGES This type of pump is cheaper and requires less maintenance They will operate with a constant head.
1 of 6 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2007 Microsoft Corporation.
Summer Working Connections Linux+ Virtual Labs Julie Hietschold Wednesday, July 15, 2015.
MoHealthWINs is a Transformative Process which can help Missouri lead the nation in educational attainment THE VISION.
Summer Working Connections Linux+ Virtual Labs Julie Hietschold Thursday, July 16, 2015.
Amy Kong Mathematics Faculty. Using Google Hangouts to Enhance Online Teaching.
Pumps. DIAPHRAGM PUMPS DIAPHRAGM PUMP DIAGRAM(cont’d)
Unit 7 Review Flashcards Unit 7 Review Flashcards ALA: Pre-Algebra Unit 7 Algebra.
SURP 2014 – SUMMER UNDERGRADUATE RESEARCH PROGRAM Connecticut Health & Life Sciences Career Initiative is 100% funded by a $12.1 million USDOL Trade Adjustment.
1.Switch on the computer and wait for loading. 2.Select the Windows 7 OS at the end of the list. 3.Click on the link ‘Administrator’ 4.Enter the administrator.
Summer Working Connections Linux+ Virtual Labs Julie Hietschold Monday, July 13, 2015.
This material is licensed under the Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit
Right Angle Trigonometry MoManufacturingWINs Precision Machining Technology ME 100 – Measurement, Materials & Safety.
MoManufacturingWINs Precision Machining Technology ME 100 – Measurement, Materials & Safety.
5/8 numerator denominator Mixed number Improper Fraction MoManWINs Precision Machining Technology ME Measurement, Materials & Safety This workforce.
Presentation on Conversions between English and Metric Systems
Petroleum Instrumentation NGT 160
Contact Jessica Stumpff at for questions
IHUM Statewide Marketing Update
SEARCHING, VIEWING AND BOOKMARKING
Helping Agriculture One Flight at a Time
AAS Business Analytics: Wake Tech CC
Wake Technical CC Located in Raleigh, NC
Advanced Computer Forensics
This work is licensed under a Creative Commons Attribution 4
Advanced Computer Forensics
P&ID SYMBOLS.
Chapter 3 First Response.
Chapter 10 Nitrogen Rejection Unit
Horizontal Three-Phase Separator
Chapter 5 EnCase Concepts.
“Information Technology” Certificate
Microsoft Excel 2007 – Level 2
PLACEHOLDER FOR YOUR LOGO
PLACEHOLDER FOR YOUR LOGO
Access Test Questions Test Date: 05/05/16.
Approving Time in Kronos Manager/Supervisor Reference Guide
Measuring Devices Technology Readiness Training
Presentation transcript:

EnCase Computer Forensics File Signature Analysis and Hash Analysis

File Signature Analysis - 1 Compares Headers to Extensions against a database of information. Results Match – header is known and extension matches - if the header does not match any other known extension Alias – header has a match, but the extension is not correct Takes info of the header to determine the file’s origin Bad Signature– has a known extension, but the header does not match the header of the extension or any other known header Unknown – can’t find a header match or extension match Windows Application Binding Stored Ntuser.dat - \Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts OpenWithList OpenWithProgids

File Signature Analysis - 2 Hiding Information Changing Extensions Makes a file seem as though it is corrupt Application called to open it does not know how to open a file with such a header. System 32 folder .dll files? Linux Does NOT use extensions it uses header information to bind to an application MAC Uses a combination for HFS+ (current) HFS Creates a 32bit value – file type code Creates a 32bit value – creator code

File Signature Analysis - 3 MAC 7 Rules of Precedence for binding User Defined – overrides all Creator Code File Extension Last 4 more complex check it out at apple.com

File Signature Analysis - 4 Creating a New File Signature Stored FileTypes.ini View File Types Table/Database of extensions, categories, names, headers, footers, viewers and other metadata Any item can be viewed from either the fields or report pane Adding a record/file type New – follow tabs and enter info. Deleting Right click - delete

File Signature Analysis - 5 Editing a File Signature P. 440-442 Multiple extensions associated with a particular header Use the ; and no spaces to separate the extensions Conducting a File Signature Analysis Run over all files Run within the Evidence Processor Looks at ever file on the device and compares its header to verify a match Complete 8.1

File Signature Analysis - 6 Filter Filter -> Entries -> by signature You can use this method to view the signature analysis by EnCase Signature Entry Must view in the Results tab

Hash Analysis - 1 MD5 and SHA-1 Hash Sets and Hash Libraries Odds of two dissimilar files having the same hash 340 billion billion billion billion If 2 files have the same hash value you can safely say they are in fact the same file bit for bit Hash is completed on the data and not any metadata or file names and extensions Hash Sets and Hash Libraries Collection of hash values of common files grouped together Know Programs Hacking Tools Contraband Files

Hash Analysis - 2 Creating Hash Sets Downloaded and imported from external sources NSLR Police Dept. Files Created by the User Must create a folder to hold the hashes EnCase7 Program Files Hash Libraries 2 Subfolders Hash Library #1 and NSLR Managing Hash Sets Tools ->Manage Hash Library Open ->Hash Library and select NSLR

Hash Analysis - 3 Managing Hash Sets Open NSLR Set View the contents and structure Creating a New Hash Set New Hash Library -> browse to the folder Once you hit OK the folder is populated with the Hash Library structure Have files that have hashes Blue check files ->Open Entries menu ->Hash\Sig Selected Green back button to Evidence Table – double click evidence item and view the entries again Select the files ->Entries menu ->Add to Hash Library ->Choose the library and metadata associated with it Can select create a new hash set – right click anywhere in the existing hash set table and choose New Hash Set – give it a name and a category then OK Can import legacy hash sets as well

Hash Analysis - 4 Hash Analysis Query a Hash Set Copy file hash -> from within the Hash Manager -> Launch the query and paste in the hash – this will run a query just for that one file Queries only the open database Hash Analysis Home Screen – Must apply them to your case Hash Libraries Select up to two Hash Libraries to apply to your case Change Hash Library to select the path Enable with a blue check Select what sets within the libraries or right click within the table and select all items

Hash Analysis - 5 Hash Analysis Must have already hashed your files in the case Opting not to search in the files content areas of files that were found in hash libraries SAVES TIME!!! With hashing completed and sets add to the case You can view the results of your hash analysis File will show with a positive value in the Hash Set column if found. Filtering Based on Hash Sets Filter ->Find Entries by Hash Category Filter -> Known files so you don’t focus on them

DOL Disclaimer and CCBY This workforce product was funded by a grant awarded by the U.S. Department of Labor’s Employment and Training Administration. The product was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites, and including, but not limited to accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Except where otherwise noted, this work by Central Maine Community College is licensed under the Creative Commons Attribution 4.0 International License.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.