How to use tools like EnCase etc...a little help?


andrewsco
Member
 

How to use tools like EnCase etc...a little help?

Post Posted: Apr 08, 05 16:13

Hi.

I am new to this stuff, and just want to figure out exactly how to use tools such as EnCase. Ok, say I wish to examine the hard drive of computer B on my computer (we will call A), is this the correct procedure to take?

Ok, so would I connect the two PCs via a parallel port lap link cable, then in the EnCase menu (booted on my computer A) go to 'New' and create a new case? Then would I go to add device and select parallel port?

I guess what I am trying to do is copy the hard drive from computer B to be previewed/analysed on computer A. I have the documentation, but it is really long and a little confusing.

Am I on the right lines? Once I have the info on my computer, I hope to search for files that are/were on the hard drive using keyword searches etc.

Thanks for any help
Sco
_________________
Visit www.computer-tutorials.org 
 
  

gmarshall139
Senior Member
 

Re: How to use tools like EnCase etc...a little help?

Post Posted: Apr 08, 05 17:39

It's a little more than can be easily explained here, but I'll get you started. You need to have an EnCase boot disk. You can make this from within EnCase (under the tools menu). Boot the suspect computer with that disk to DOS. Run en.exe and select parallel acquisition. Place the suspect computer in server mode. The parallel acquisition is going to be very slow (possibly days); if you need to use it, select best compression, as it will actually be faster. You are correct on your procedure on the Windows side.

A far better option in DOS is to install a storage drive on the suspect computer itself. It needs to have a FAT32 partition; name it something unique like "storage". DOS will not recognize an NTFS partition and you won't be able to save anything to it. Boot to the boot disk and use the lock command (L) to lock your suspect drive. That is why you make a unique name for the storage drive, so you can tell the difference here. More than once examiners have acquired the storage drive and put it on the suspect drive, very bad! Use the menu to acquire. This will be faster, but still not as fast as using a write blocking device and acquiring in Windows.
_________________
Greg Marshall, EnCE 
 
  

andrewsco
Member
 

Re: How to use tools like EnCase etc...a little help?

Post Posted: Apr 08, 05 21:11

You mentioned a write blocking device...are these easy to get hold of? I am only a student so couldn't afford much. I don't suppose you could pick these up off eBay or somewhere?

Are they just the same as a drive duplicator, or is that a different thing?

A second question: can't you just use EnCase on the actual computer you wish to examine? For example, if you didn't need to worry about following procedures, could you just use it on your current hard drive, or is that not possible?

Thanks
Andy
_________________
Visit www.computer-tutorials.org 
 
  

gmarshall139
Senior Member
 

Re: How to use tools like EnCase etc...a little help?

Post Posted: Apr 09, 05 01:59

Do you have an EnCase license?
_________________
Greg Marshall, EnCE 
 
  

Andy
Senior Member
 

Re: How to use tools like EnCase etc...a little help?

Post Posted: Apr 09, 05 08:38

Andrew - the basic EnCase FE (Forensic Edition) sold to non-law enforcement costs $2,495.00.

res ipsa loquitur

Andy  
 
  

Andy
Senior Member
 

Re: How to use tools like EnCase etc...a little help?

Post Posted: Apr 09, 05 15:36

P.S. - Greg
"More than once examiners have acquired the storage drive and put it on the suspect drive, very bad!"

I laughed out loud when I read that bit.....I've been there, done that, and got the tee-shirt to prove it :)

Andy  
 
  

andrewsco
Member
 

Re: How to use tools like EnCase etc...a little help?

Post Posted: Apr 10, 05 00:04

No, I don't have a licence at the moment :D To be honest I may never, but I am hopefully able to use another person's computer (who works within the law enforcement area) who has it available, and is licensed.

A student can't afford that much money! lol :D

Andy
_________________
Visit www.computer-tutorials.org 
 
