Hi.
I am new to this stuff, and just want to figure out exactly how to use tools such as EnCase. Ok, say I wish to examine the hard drive of computer B on my computer (we will call A), is this the correct procedure to take?
Ok so would I connect the two PCs via a parallel port lap link cable, then in the EnCase menu (booted on my computer A) go to 'New' and create a new case. Then would I go to add device and select parallel port?
I guess what I am trying to do is copy the hard drive from computer B to be previewed/analysed on computer A. I have the documentation, but it is really long and a little confusing.
Am I on the right lines? Once I have the info on my computer, I hope to search for files that are/were on the hard drive using key word searches etc.
Thanks for any help
Sco
It's a little more than can be easily explained here but I'll get you started. You need to have an EnCase boot disk. You can make this from within EnCase (under the tools menu). Boot the suspect computer with that disk to DOS. Run en.exe and select parallel acquisition. Place the suspect computer in server mode. The parallel acquisition is going to be very slow (possibly days); if you need to use it, select best compression as it will actually be faster. You are correct on your procedure on the Windows side.
A far better option in DOS is to install a storage drive on the suspect computer itself. It needs to have a FAT32 partition, and name it something unique like "storage". DOS will not recognize an NTFS partition and you won't be able to save anything to it. Boot to the boot disk and use the lock command (L) to lock your suspect drive. That is why you make a unique name for the storage drive, so you can tell the difference here. More than once examiners have acquired the storage drive and put it on the suspect drive, very bad! Use the menu to acquire. This will be faster, but still not as fast as using a write blocking device and acquiring in Windows.
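The post above rests on two safeguards (a uniquely labelled destination volume, and never letting the evidence drive double as the destination) plus the hash verification that EnCase performs during acquisition. The following is an added example, not EnCase's or the poster's code: it models those checks in Python over a constructed device inventory, then images a constructed 1 MiB "drive" to a temporary file, hashing the data as it is read and re-hashing the finished image to confirm it matches. Device names, labels and the `locked` flag are assumptions standing in for what the boot disk shows; the real DOS `L` lock command is not reproduced.

```python
"""Sanity-checked disk-image acquisition with hash verification (added example)."""
import hashlib
import os
import tempfile

STORAGE_LABEL = "storage"      # the unique volume label the post recommends
CHUNK_SIZE = 1024 * 1024       # read/hash/write in 1 MiB pieces


def select_devices(inventory, evidence_dev, storage_label=STORAGE_LABEL):
    """Validate the examiner's choice of evidence drive and destination volume.

    inventory: list of dicts {"dev": str, "label": str, "locked": bool}, a
    constructed stand-in for the drive list the boot disk displays.
    Returns (evidence, storage) entries or raises ValueError saying what is wrong.
    """
    by_dev = {d["dev"]: d for d in inventory}
    if evidence_dev not in by_dev:
        raise ValueError(f"unknown evidence device {evidence_dev!r}")
    storage = [d for d in inventory if d["label"] == storage_label]
    if len(storage) != 1:
        raise ValueError(
            f"expected exactly one volume labelled {storage_label!r}, found {len(storage)}")
    storage = storage[0]
    evidence = by_dev[evidence_dev]
    if evidence["dev"] == storage["dev"]:
        # The mistake the post warns about: acquiring onto the suspect drive.
        raise ValueError("evidence device and storage device are the same drive")
    if not evidence["locked"]:
        raise ValueError(f"evidence device {evidence_dev!r} is not locked (write-protected)")
    return evidence, storage


def acquire(source_path, image_path, chunk_size=CHUNK_SIZE):
    """Copy the source to a raw image, hashing every byte as it is read.

    Returns the byte count and the MD5/SHA-256 of the data exactly as read,
    which is the value an examiner records as the acquisition hash.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            total += len(chunk)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(image_path, acquisition, chunk_size=CHUNK_SIZE):
    """Re-hash the finished image and compare it to the acquisition hashes."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return (md5.hexdigest() == acquisition["md5"]
            and sha256.hexdigest() == acquisition["sha256"]
            and os.path.getsize(image_path) == acquisition["bytes"])


def demo():
    """Run the checks and a full acquire/verify cycle on constructed data."""
    inventory = [                                   # constructed drive list
        {"dev": "disk0", "label": "SYSTEM", "locked": True},
        {"dev": "disk1", "label": STORAGE_LABEL, "locked": False},
    ]
    evidence, storage = select_devices(inventory, "disk0")
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.raw")
        img = os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 4096)       # constructed 1 MiB "drive"
        acq = acquire(src, img)
        verified = verify_image(img, acq)
    return {"evidence": evidence["dev"], "storage": storage["dev"],
            "verified": verified, **acq}


if __name__ == "__main__":
    print(demo())
```

The same shape applies to the Linux and Windows write-blocker routes mentioned in the thread: the destination is chosen by an identifier that cannot be confused with the evidence, the evidence is confirmed read-only before the first byte is read, and the acquisition hash is checked against the image before the examiner relies on it.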
You mentioned a write blocking device… are these easy to get hold of? I am only a student so couldn't afford much. I don't suppose you could pick these up off eBay or somewhere?
Are they just the same as a drive duplicator, or is that a different thing?
A second question, can't you just use EnCase on the actual computer you wish to examine? For example if you didn't need to worry about following procedures, could you just use it on your current hard drive, or is that not possible?
Thanks
Andy
Do you have an Encase license?
Andrew - the basic EnCase FE (Forensic Edition) sold to non-law enforcement costs $2,495.00.
res ipsa loquitur
Andy
P.S. - Greg
More than once examiners have acquired the storage drive and put it on the suspect drive, very bad!
I laughed out loud when I read that bit…..I've been there, done that, and got the tee-shirt to prove it 🙂
Andy
No I don't have a licence at the moment 😀 To be honest I may never, but I am hopefully able to use another person's computer (who works within the law enforcement area) who has it available, and is licensed.
A student can't afford that much money! lol 😀
Andy
Yes Andy, I'll have to admit the experience too. Looks like I may go back to the en acquisitions. Not for dos but for Linux (Linen they're calling it). One fellow is claiming 500+ gig RAIDs acquired in 6-8 hours over the crossover cable. I'm just waiting for the OPP to put out another excellent boot disk and that may be my method of choice.