How to use tools like EnCase etc...a little help?

8 Posts
3 Users
0 Likes
641 Views
(@andrewsco)
Posts: 13
Active Member
Topic starter
 

Hi.

I am new to this stuff, and just want to figure out exactly how to use tools such as EnCase. OK, say I wish to examine the hard drive of computer B on my computer (we will call it A); is this the correct procedure to take?

OK, so would I connect the two PCs via a parallel port lap link cable, then in the EnCase menu (booted on my computer A) go to 'New' and create a new case? Then would I go to add device and select parallel port?

I guess what I am trying to do is copy the hard drive from computer B to be previewed/analysed on computer A. I have the documentation, but it is really long and a little confusing.

Am I on the right lines? Once I have the info on my computer, I hope to search for files that are/were on the hard drive using key word searches etc.

Thanks for any help
Sco

 
Posted : 08/04/2005 4:13 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

It's a little more than can be easily explained here, but I'll get you started. You need to have an EnCase boot disk. You can make this from within EnCase (under the Tools menu). Boot the suspect computer with that disk to DOS. Run en.exe and select parallel acquisition. Place the suspect computer in server mode. The parallel acquisition is going to be very slow (possibly days); if you need to use it, select best compression as it will actually be faster. You are correct on your procedure on the Windows side.

A far better option in DOS is to install a storage drive on the suspect computer itself. It needs to have a FAT32 partition, and name it something unique like "storage". DOS will not recognize an NTFS partition and you won't be able to save anything to it. Boot to the boot disk and use the lock command (L) to lock your suspect drive. That is why you make a unique name for the storage drive, so you can tell the difference here. More than once examiners have acquired the storage drive and put it on the suspect drive, very bad! Use the menu to acquire. This will be faster, but still not as fast as using a write blocking device and acquiring in Windows.

 
Posted : 08/04/2005 5:39 pm
(@andrewsco)
Posts: 13
Active Member
Topic starter
 

You mentioned a write blocking device. Are these easy to get hold of? I am only a student so couldn't afford much. I don't suppose you could pick these up off eBay or somewhere?

Are they just the same as a drive duplicator, or is that a different thing?

A second question: can't you just use EnCase on the actual computer you wish to examine? For example, if you didn't need to worry about following procedures, could you just use it on your current hard drive, or is that not possible?

Thanks
Andy

 
Posted : 08/04/2005 9:11 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

Do you have an EnCase license?

 
Posted : 09/04/2005 1:59 am
 Andy
(@andy)
Posts: 357
Reputable Member
 

Andrew - the basic EnCase FE (Forensic Edition) sold to non-law enforcement costs $2,495.00.

res ipsa loquitur

Andy

 
Posted : 09/04/2005 8:38 am
 Andy
(@andy)
Posts: 357
Reputable Member
 

P.S. - Greg

More than once examiners have acquired the storage drive and put it on the suspect drive, very bad!

I laughed out loud when I read that bit…..I've been there, done that, and got the tee-shirt to prove it 🙂

Andy

 
Posted : 09/04/2005 3:36 pm
(@andrewsco)
Posts: 13
Active Member
Topic starter
 

No, I don't have a licence at the moment 😀 To be honest I may never, but I am hopefully able to use another person's computer (who works within the law enforcement area) who has it available, and is licensed.

A student can't afford that much money! lol 😀

Andy

 
Posted : 10/04/2005 12:04 am
(@gmarshall139)
Posts: 378
Reputable Member
 

P.S. - Greg

More than once examiners have acquired the storage drive and put it on the suspect drive, very bad!

I laughed out loud when I read that bit…..I've been there, done that, and got the tee-shirt to prove it 🙂

Andy

Yes Andy, I'll have to admit the experience too. Looks like I may go back to the en acquisitions, not for DOS but for Linux (LinEn they're calling it). One fellow is claiming 500+ gig RAIDs acquired in 6-8 hours over the crossover cable. I'm just waiting for the OPP to put out another excellent boot disk, and that may be my method of choice.

 
Posted : 10/04/2005 2:57 am
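The two traps this thread keeps coming back to are imaging the wrong drive (Greg's "acquired the storage drive and put it on the suspect drive") and not being able to prove afterwards that the image matches the source. The script below is an added example, not EnCase, LinEn or any tool from the thread: it is a plain POSIX shell wrapper around dd and sha256sum that refuses to run when source and destination resolve to the same path, and records and re-checks a hash of the image. The function names acquire_image and verify_image, and the .sha256 sidecar convention, are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal imaging wrapper with two
# safeguards discussed above. Assumes a POSIX shell with dd, readlink -f and
# GNU/busybox sha256sum available.

# acquire_image SRC DEST
#   Copies SRC (a block device or a file) to DEST with dd, but only after
#   checking that the two do not resolve to the same path, so that a mislabelled
#   "storage" drive cannot be imaged onto itself. Writes DEST.sha256 beside the
#   image and returns 0 only when the image hash equals the source hash.
acquire_image() {
    src="$1"; dest="$2"
    if [ -z "$src" ] || [ -z "$dest" ]; then
        echo "usage: acquire_image SRC DEST" >&2; return 2
    fi
    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }

    # Resolve symlinks so /dev/disk/by-label/storage and /dev/sdb compare equal.
    src_real=$(readlink -f "$src"); dest_real=$(readlink -f "$dest")
    if [ -n "$dest_real" ] && [ "$src_real" = "$dest_real" ]; then
        echo "refusing: source and destination are the same path ($src_real)" >&2
        return 3
    fi

    # Hash the source first, then copy. (A production imager would also handle
    # read errors, e.g. dd conv=noerror,sync with a sector-sized block size;
    # that is left out here because padding would change the hash of a test file.)
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dd if="$src" of="$dest" bs=64k 2>/dev/null || { echo "dd failed" >&2; return 4; }
    sha256sum "$dest" > "$dest.sha256"
    img_hash=$(cut -d' ' -f1 < "$dest.sha256")

    echo "source $src_hash"
    echo "image  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST
#   Re-checks DEST against the DEST.sha256 sidecar written at acquisition time.
verify_image() {
    dest="$1"
    [ -r "$dest.sha256" ] || { echo "no hash record for $dest" >&2; return 2; }
    sha256sum -c "$dest.sha256" >/dev/null 2>&1
}

# Stand-alone use: sh acquire.sh /dev/suspect /mnt/storage/suspect.dd
if [ "$#" -eq 2 ]; then
    acquire_image "$1" "$2"
fi
```

The path comparison is deliberately the first thing that happens, before any read of the source, so a wrong invocation fails without touching either drive; the sidecar hash is what lets you show later that the copy you examined is the one you took.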