Posted by Paul Bobby on November 4, 2008

This follow-on to my previous article on Case Notes describes my approach to the technical analysis of a case. There’s a lot to cover, so I will split it into two parts. The first part covers the typical Case Startup procedures I follow; the second part will address investigation-specific procedures and considerations.

Account for the Entire Media Set

Just because you have an 80 Gbyte hard drive with only a 30 Gbyte partition on it does not mean that information of evidentiary value is not present in the remaining 50 Gbytes. There may be partitions there, or other OS artifacts.

Recover Folders

FAT partitions, and to a lesser extent, NTFS/Ext3, will benefit from a Recover Folders sweep.

Timezone Verification

Before creating reports and other notes based on timestamps, verify the timezone of the evidence before you. If you have several pieces of evidence, it is often beneficial to change the case to UTC +0 to avoid confusing yourself.

Signature Analysis

Until signature analysis is performed, EnCase can only identify the type of file based on its file extension. For example, EnCase will not display a JPG image in Gallery view if the file extension is .doc. After signature analysis is run, the image displays properly because EnCase now knows what the file is supposed to be.

Hash Analysis

Performing a hash analysis allows the investigator to greatly reduce the file count that must be investigated. Therefore, kick off a Search and calculate the hashes of all files.

EnCase has the ability to acquire evidence and to perform a keyword search, hash calculation and signature analysis all in one operation. Furthermore, this can be done without a dongle too. Not bad.
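To make the Signature Analysis and Hash Analysis steps above concrete, here is a small added example (my own illustration, not EnCase's implementation): signature analysis compares each file's header bytes with its extension, so the JPG-stored-as-.doc case from the Signature Analysis section comes out as a mismatch, and hash analysis drops any file whose hash is already in a known-file set. The magic-byte table, the known-hash set and the sample files are all constructed for the example.

```python
import hashlib

# Constructed magic-byte table (example data, not EnCase's own signature set).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",                      # JPEG
    b"%PDF-": "pdf",                             # PDF
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 compound file (legacy Office)
}
# Extensions that legitimately share a signature with the canonical one above.
ALIASES = {"jpeg": "jpg", "xls": "doc", "ppt": "doc"}

def identify(data):
    """Type implied by the header bytes, or None if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def signature_analysis(files):
    """Compare header-derived type with extension for every file.
    Returns {name: (ext, header_type, status)}; status is 'match',
    'mismatch' (the JPG-stored-as-.doc case) or 'unknown'."""
    results = {}
    for name, data in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ext = ALIASES.get(ext, ext)
        header = identify(data)
        if header is None:
            status = "unknown"
        else:
            status = "match" if header == ext else "mismatch"
        results[name] = (ext, header, status)
    return results

def hash_analysis(files, known_hashes):
    """Names of files whose MD5 is not in the known-file set: the reduced
    list that still needs an examiner's attention."""
    return [n for n, d in files.items()
            if hashlib.md5(d).hexdigest() not in known_hashes]

# Constructed sample "evidence" with hand-made contents.
SAMPLE_FILES = {
    "photo.jpg":  b"\xff\xd8\xff\xe0" + b"\x00" * 16,                # genuine JPEG
    "notes.doc":  b"\xff\xd8\xff\xe1" + b"\x01" * 16,                # JPEG renamed .doc
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # real OLE2 file
    "readme.txt": b"plain text with no signature in the table",
}
# Stand-in for a known-file hash library (NSRL-style): holds budget.xls's
# hash, so hash analysis drops that file from the review set.
KNOWN_HASHES = {hashlib.md5(SAMPLE_FILES["budget.xls"]).hexdigest()}
```

Running signature_analysis on the sample reports notes.doc as a mismatch (extension doc, header jpg), and hash_analysis leaves only the three files not in the known set.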


