Index

Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.

A

About the Examiner report, 672
Accelerated Graphics Port (AGP) standard
    expansion slots, 9
    video cards, 10
access control lists (ACLs), 26
access times in link files, 507–509, 508
Acquire option in LinEn, 174, 174
acquiring digital evidence, 120–121
    boot disks
        booting from, 124–127
        creating, 121–124, 121–124
    drive-to-drive DOS acquisition, 128
        steps, 128–132, 129–130
        supplemental information, 132–135
    EnCase Portable, 180–188, 181–188
    Enterprise and FIM, 176–180, 177, 179
    exam essentials, 192–193
    FastBloc SE, 163–168, 165–168
    FastBloc/Tableau, 151
        FastBloc 2 features, 152–154, 153–154
        models, 151–152
        steps, 154–162, 156–161
    hints, 188–189
    LinEn, 168
        mounting file systems as read-only, 168–169
        overview, 171–173
        steps, 173–176, 174–175
        updates, 169–171, 170–171
    network. See network acquisitions
    review questions, 194–197
    summary, 189–191
acquisition hashes, 149, 202
Acquisition menu, 184, 185
ActiveTimeBias key, 482–483
adapters
    crossover, 136
    drive, 154
Add Evidence File option, 617
Add Evidence screen, 253, 254
Add Keyword List dialog box, 363–364, 364
Add Local Device dialog box, 156–157, 158, 166, 166
Add Note Bookmark dialog box, 386–387, 387
Add Partition dialog box, 577, 578
Add Partition feature in NTFS, 76
Add Partition menu, 583–585, 584–585
Add To Hash Library dialog box, 458, 459
Advanced Encryption Standard (AES) encryption, 178
Advanced tab in FastBloc, 161, 161, 163
advanced topics, 572–573
    Base64 encoding, 619–622, 620–621
    email, 614–619, 614–617
    EnCase Decryption Suite, 622–629, 623–627
    exam essentials, 648
    mounting files, 588–593, 589–590, 593
    partitions, 573–588, 573–586
    Physical Disk Emulator, 636–641, 637–639
    registry. See registry
    restoration, 633–636, 634–636
    review questions, 649–652
    summary, 645–647
    Virtual File System, 629–632, 629, 631–632
Aegis Padlock Pro tool, 668
AES (Advanced Encryption Standard) encryption, 178
agency seals, 674
AGP (Accelerated Graphics Port) standard
    expansion slots, 9
    video cards, 10
AIM Plus history files, 372
aliases
    file signature analysis, 443–445
    long filenames, 50–51
allocated clusters, 45
allocation units, 25
Alter Boot Table option, 170
Alternate Path option
    acquisition locations, 160, 206
    hashes, 148
America Online (AOL) files, 277
American Standard Code for Information Interchange (ASCII) format, 337–338
    bookmarks, 384
    low-bit, 619
Analyze EFS module, 494, 623, 624, 627
anchors in reports, 675
AND operators
    indexed searches, 420–421, 420
    registry filters, 612, 613
ANSI Latin-1 search option, 359
Anson, Steve, 105, 558, 604
antistatic bags, 111
AOL (America Online) files, 277
application binding, 437–438
application.evtx file, 554
.arc extension, 592
Archive attribute in FAT, 50
archive files, 219
.art files, 277
Artifact Parser, 497, 497–498, 509–510, 510
artifacts
    description, 474
    Windows. See Windows operating system artifacts
ASCII (American Standard Code for Information Interchange) format, 337–338
    bookmarks, 384
    low-bit, 619
ASCII charts, 337
ASCII tables, 337
asterisks (*)
    GREP, 365
    registry keys, 600
$AttrDef file, 75
attributes of FAT files and directories, 49–50, 54, 55
audit policies, 549, 549
auditing levels, 552–554, 552
Auto Extents feature, 282
autodetect driver option, 140
AUTOEXEC.BAT file, 17, 596

B

backslashes (\)
    GREP, 366–367
    registry keys, 600
backup case files, 219, 253
Backup Every 30 Minutes option, 220
backup utility, 220–227, 221–226
bad clusters, 45
bad file signatures, 444
$BadClus file, 75
bagging evidence, 110–112
bar code scanners, 97
base-2 numbering system, 327–333, 332–333
base-16 numbering system, 333–336, 335–336
base case folders, 250–251
Base64 encoding
    bookmarks, 384–385
    email attachments, 619–622, 620–621
Basic Input Output System (BIOS)
    description, 11
    time in, 476
batteries
    CMOS, 10–11
    laptops, 109
BCD (Boot Configuration Data) file, 19
BCD (Boot Configuration Data) hive, 598
Bemer, Robert W., 337
BestCrypt software, 103–104
Bias key, 482
big endian storage, 50
binary numbers, 327–333, 332–333
binding applications, 437–438
BinHex method, 620
BIOS (Basic Input Output System)
    description, 11
    time in, 476
BIOS parameter blocks (BPBs), 38–39
bit-flag values for FAT, 49–50
BitBucket key, 499
BitLocker, 103–104
$Bitmap file, 74–75
bits
    binary numbers, 327–328, 331–333, 332–333
    hexadecimal numbers, 334–336, 335
block size
    evidence files, 203
    LinEn, 175
    in network acquisitions, 145–147
blocking device writes, 130
blocks in file systems, 25
blocks of data, 203–204
body text for reports, 404
Body Text tab, 403–404, 403
Bookmark Data dialog box, 378, 380
Bookmark Data option, 56
Bookmark Field menu, 408–409, 409
Bookmark option, 377
Bookmark Single Item dialog box, 387, 388
bookmarks, 377
    color for, 314
    data types, 382, 384–386
    exercise, 414–415
    FAT directory entries, 56–58, 57
    Highlighted Data, 378–386, 378–383
    Home screen, 248
    INFO2 records, 491
    Internet history, 529–530, 530
    miscellaneous, 390–397, 391–396
    notable file, 387–389, 387–389
    notes, 386–387, 387
    organizing, 397–398, 397
    partitions, 580–582, 581–582, 585
    reports, 397–414, 397–403, 405–413, 675–678, 676–678
    search hits, 377
    selected items, 389–390, 390
Bookmarks view
    Internet history, 530, 530
    partitions, 23, 581–582, 585
Boolean conditions, 310
Boolean operators
    GREP, 366
    indexed searches, 420–421, 420
    registry filters, 612, 613
Boot Configuration Data (BCD) file, 19
Boot Configuration Data (BCD) hive, 598
boot disks
    booting from, 124–127
    creating, 121–124, 121–124
    LinEn, 169
    network acquisitions, 137, 137
$Boot file, 75
boot indicator byte, 15
BOOT.INI file, 19
boot mode in FireWire, 134
boot order in setup routine, 127
boot process, 14–17, 16
    DOS, 17, 18
    Windows, 17–18
boot sectors, 36–43, 36–38
bootable partitions, 574
booting up
    from forensic boot disks, 124–127
    in network acquisitions, 139
BOOTMGR file, 19
bootstrap program, 14–15
BPBs (BIOS parameter blocks), 38–39
breathing masks, 100
browser history, 348
burning reports to CDs and DVDs, 678–679, 679
bypass, Recycle Bin, 498–500, 499
byte ordering
    description, 50
    FAT, 49
    time stamps, 476, 480
bytes
    binary numbers, 330–332
    hexadecimal numbers, 334–336, 335
.bzip2 extension, 592

C

.cab extension, 592
cables
    flat-ribbon, 155
    network acquisition, 136–137
    photographing, 110
cache folders
    evidence, 231, 232
    Internet, 532–533, 533
caches
    backing up, 220
    path setting, 251
cameras
    scene photographing, 99
    screen photographing, 102
Carve HTML Files option, 615
Carve Webmail Files option, 615
Case Analysis tool, 619
Case Analyzer
    Internet history, 531
    link files, 509, 510
Case Analyzer EnScript
    event logs, 557, 557
    Job Summary report, 610, 610
    Recycle Bin file status, 497, 498
    time zone offsets, 483, 484
Case Analyzer Report, 483
Case category on Home screen, 242
Case Info fields, 251
case numbers, 251
Case Options dialog box, 218, 218, 249, 249
Case Processor, 609–611, 610–611
case-sensitivity
    custom strings, 313
    searches, 357, 359, 421, 421
Case tab, 222, 222
cases and case files, 217–219, 218–219
    backups, 222, 222
    creating, 249–254, 253–254
    description, 2–3
categories
    hash analysis, 464, 464
    hash sets, 458, 460
    Home screen, 242
Category column in Table view, 271
CD Inspector CD images, 79
CD-ROM (Compact Disc-Read-Only Memory) drives, 8
CD-RW (Compact Disc-Read/Write) drives, 8
CDs
    burning reports to, 678–679, 679
    file systems, 77–79, 78
    Linux, 169–171, 170–171
    network boot, 138
central processing units (CPUs), 3
    boot process, 14–15
    description, 4
chain of custody, 110
Change Desktop Icons option, 517
Change from a System Diskette to a Boot Floppy option, 122–123
Change Hash Library option, 462
Change Icon dialog box, 505, 505
characters, 336
    ASCII, 337–338
    Unicode, 338–339, 339
chassis, 2–3
checklists for first response, 92–94
chmod command, 174
Choose Destination dialog box, 170, 170
chronological sorts, 268
CHS (Cylinder Head Sector) system, 4–5, 574
chunks
    evidence acquisition, 131
    LinEn, 175
circumflexes (^) in GREP, 365
Clean Boot option, 139
Clear All confirmation window, 167
CLFS (Common Log File System), 75
Client Info tab, 638, 639
.CLOOP extension, 592
Cluster Number field, 296
Cluster view, 282
clusters, 25
    Disk view, 280, 282
    exFAT, 82
    FAT. See FAT (File Allocation Table) file system
    navigation data, 296
    NTFS, 73–74
    Virtual File System, 629
CMOS (Complementary Metal-Oxide Semiconductor)
    batteries, 10–11
    boot process, 15
    description, 10
CMOS chips, 10–11
CMOS data, 10
Code Page column, 272
Code Page tab
    FAT directory entries, 54, 56
    searches, 360
    Text view, 285, 285–286
Codemeter device, 182, 186
Collapse All option, 258, 258
collisions, hash, 210, 449
color and color codes
    crossover cables, 136
    Disk view, 280
    settings, 313–314, 314
    Timeline view, 279, 280
Colors tab, 314
Colors view, 313, 314
COMMAND.COM file, 17, 121, 121–122
comments for bookmarks, 378, 379, 392, 393
Common Log File System (CLFS), 75
Compact Disc-Read-Only Memory (CD-ROM) drives, 8
Compact Disc-Read/Write (CD-RW) drives, 8
Complementary Metal-Oxide Semiconductor (CMOS)
    batteries, 10–11
    boot process, 15