EnCase 4.2 Tutorial, Computer Forensics Software (.pdf)

EnCase Forensic Version 4.20, Revision C
Table of Contents

Legal Notice
    EnCase® License Agreement
        Copyright
        Definitions
        License and Certain Restrictions
        Non-Exclusive License
        Support
            Standard Support
            Premium License Support Program, Annual Payment Option
            Premium License Support Program, Three-Year Payment Option
        EnScript® Macros WARNING
        Disclaimer of Warranties
        Limitation of Liability and Damages
        Export Restrictions
        U.S. Government End Users
        General Provisions

Preface
    Manual Organization
    Minimum Recommended Requirements
    Help Resources
    Technical Support
    EnCase Message Boards

About Guidance Software
    EnCase Forensic
    EnCase Enterprise
    Guidance Software's Professional Development and Training
        Law Enforcement Courses
        Computer Forensics and Incident Response Courses
        Expert Courses
    Guidance Software's Professional Services Group
    Additional Corporate Services

Chapter 1: What's New in EnCase Version 4
    Enhanced User Interface
    Outlook .PST Files
    Outlook Express .DBX Files
    Time Zone Support
    Unicode Support
    Advanced Search Algorithm
    Dynamic Disk Support
    NT 4.0 Disk Configuration Support
    NTFS and Unix File Permissions and Ownership
    NTFS Compression
    Threaded Crash Protection
    Enhanced OLE File Support
    Filters and Queries
    Enhanced EnScript Interface
    Enhanced Linux / Unix File System Handling
    Additional File System Support
    Enhanced Windows Registry Mounting
    EnCase Modules and Extensions
    EnCase EDS Module
    EnCase VFS Module
    EnCase PDE Module
    EnCase NAS Extension
    SafeBack 2.x Support
    Security Key
        The Parallel Port Security Key
        The USB Security Key

Chapter 2: Installing EnCase
    The EnCase Installation CD and Autorun
    The CD Installation Menu and Contents
    Security Key Drivers Installation
    Installing EnCase Version 4
    Software Updates
    Configuration Questions
    Security Key Questions

Chapter 3: Creating the EnCase Boot Disk
    Windows Acquisition Issues
    Creating the EnCase Boot Disk
    Steps to Create the EnCase Barebones Boot Disk
    Booting a Computer with the EnCase Boot Disk
    EnCase Network Boot Disk
    FAQs about the EnCase Boot Disk

Chapter 4: EnCase for DOS
    Launching EnCase for DOS
    EnCase for DOS Functions
        Locking / Unlocking (L)
        Acquiring
        Hashing
        Server
        Mode
        Quit

Chapter 5: Previewing Versus Acquiring
    Limitations of Previewing
    Advantages of Previewing
    Live Device and FastBloc Indicators
    Preview Questions
    Acquisition Questions

Chapter 6: Parallel Port Acquisition
    After Acquisition Is Complete

Chapter 7: Network Cable Acquisition
    Creating the EnCase Network Boot Disk (ENBD)
    Performing the Crossover Network Cable Acquisition
        Windows 98
        Windows 2000/XP

Chapter 8: Drive-to-Drive Acquisition
    Drive Geometry Problems
    Benefits and Drawbacks
    Steps to Follow
    Acquiring Macintosh Devices
    Acquiring Unix and Linux
    After the Acquisition Is Complete

Chapter 9: FastBloc Acquisitions
    FastBloc Acquisition Process
    Acquiring in Windows Without FastBloc
    Acquiring in Windows with a Non-FastBloc Write-Blocker
    After Acquisition Is Complete

Chapter 10: Acquiring Disk Configurations
    Software RAID
        Windows NT: EnCase Version 4 Software Disk Configurations
        Dynamic Disk
    Hardware Disk Configuration
        Disk Configuration Set Acquired as One Drive
        Disk Configurations Acquired as Separate Drives
        Validating Parity on a RAID-5
    SCSI Drives and DOS

Chapter 11: Acquiring Palm PDAs
    Palms Supported
    Directions
    Getting Out of Console Mode
    One Final Note on Palms

Chapter 12: Acquiring Removable Media
    Zip / Jaz Disks
    Floppy Disks
        Write-Protecting a Floppy Disk
    Superdisks (LS-120)
    CD-ROM, CD-R, CD-RW
    Flash Media
        Equipment Needed to Preview/Acquire Flash Media
        How to Acquire Flash Media
        Examining Flash Media
    Acquiring Multiple Pieces of Media

Chapter 13: First Steps
    Time Zone Settings
    Recover Folders on FAT Volumes
        Behind the Scenes with Recover Folders
    Recovering NTFS Folders
        Lost Files in UFS and EXT2/3 Partitions
    Signature Analysis
        File Signatures
        Adding a New Signature
        Starting a Signature Analysis
        Viewing the Results
    Hash Analysis
        File Hashing
        Creating a Hash Set
    Importing Hash Sets
        HashKeeper
        NSRL Hash Sets
        To Import Hash Sets from the NSRL Reference Data Set CD
    Rebuilding the Hash Library
    Benefits of a Hash Analysis
        Starting a Hash Analysis
        Analyzing the Hash Results
    EnScripts
        Initialize Case (v4)
        FAT Info Record Finder (v4) and NTFS Info2 Record Finder (v4)
        File Finder (v4)
        IE History Parser with Keyword Search (v4)
        Link File Parser (v4)
        Find Unique EMail Address List (v4)

Chapter 14: Navigating EnCase
    Creating a New Case
        Name
        Examiner's Name
        Default Export Folder
        Temporary Folder
    Case Management
        Concurrent Case Management
    The Options Dialog
        Global
        Colors
        Fonts
        EnScript
        Storage Paths
    Adding Evidence Files to a Case
    Sessions Option
    Error Messages
    Verifying the Evidence
    Adding Raw Image Files
    SafeBack and VMware Images
    Interface
    EnCase Views
        The "All Files" Button
        Cases
        Bookmarks
        Devices
        File Types
        File Signatures
        File Viewers
        Keywords
        Search Hits
        Security IDs
        Text Styles
        Scripts
        Hash Sets
        EnScript Types
    Table View
    Cases Table View Columns Explained
        Name
        Filter
        In Report
        File Ext
        File Type
        File Category
        Signature
        Description
        Is Deleted
        Last Accessed
        File Created
        Last Written
        Entry Modified
        File Deleted
        Logical Size
        Physical Size
        Starting Extent
        File Extents
        Permissions
        Evidence File
        File Identifier
        Hash Value
        Hash Set
        Hash Category
        Full Path
        Short Name
        Unique Name
        Original Path
    Organizing Columns
        Rearranging Columns
        Hiding and Showing Columns
    Sorting Files in Columns
    EnCase Icon Descriptions
    Gallery View
    America Online .ART Files
    Timeline View
    Report View
    EnScript View

May not be copied or reproduced without the written permission of Guidance Software, Inc. Copyright © 2004 Guidance Software, Inc.