Index

Note to the Reader: Throughout this index boldfaced page numbers indicate primary discussions of a topic. Italicized page numbers indicate illustrations.

Add Keyword List dialog box, 363–364, 364 A Add Local Device dialog box, 156–157, 158 , About the Examiner report, 672 166, 166 Accelerated Graphics Port (AGP) standard Add Note Bookmark dialog box, 386–387, 387 expansion slots, 9 Add Partition dialog box, 577, 578 video cards, 10 Add Partition feature in NTFS, 76 access control lists (ACLs), 26 Add Partition menu, 583–585, 584 – 585 access times in link files, 507 – 509 , 508 Add To Hash Library dialog box, 458, 459 Acquire option in LinEn, 174, 174 Advanced Encryption Standard (AES) acquiring digital evidence, 120 – 121 encryption, 178 boot disks Advanced tab in FastBloc, 161, 161 , 163 booting from, 124 – 127 advanced topics, 572 – 573 creating, 121 – 124 , 121 – 124 encoding, 619 – 622 , 620 – 621 drive-to-drive DOS acquisition, 128 email, 614 – 619 , 614 – 617 steps, 128 – 132 , 129 – 130 EnCase Decryption Suite, 622 – 629 , 623 – 627 supplemental information, 132 – 135 exam essentials, 648 EnCase Portable, 180 – 188 , 181 – 188 mounting files, 588 – 593 , 589 – 590 , 593 Enterprise and FIM, 176 – 180 , 177 , 179 partitions, 573 – 588 , 573 – 586 exam essentials, 192 – 193 Physical Disk Emulator, 636 – 641 , 637 – 639 FastBloc SE, 163 – 168 , 165 – 168 registry. See registry FastBloc/Tableau, 151 restoration, 633 – 636 , 634 – 636 FastBloc 2 features, 152 – 154 , 153 – 154 review questions, 649 – 652 models, 151 – 152 summary, 645 – 647 steps, 154 – 162 , 156 – 161 Virtual , 629 – 632 , 629 , 631 – 632 hints, 188 – 189 Aegis Padlock Pro tool, 668 LinEn, 168 AES (Advanced Encryption Standard) mounting file systems as read-only, encryption, 178 168 – 169 agency seals, 674 overview, 171 – 173 AGP (Accelerated Graphics Port) standard steps, 173 – 176 , 174 – 175 expansion slots, 9 updates, 169 – 171 , 170 – 171 video cards, 10 network. 
See network acquisitions AIM Plus history files, 372 review questions, 194 – 197 aliases summary, 189 – 191 file signature analysis, 443–445 acquisition hashes, 149, 202 long filenames, 50–51 Acquisition menu, 184, 185 allocated clusters, 45 ActiveTimeBias key, 482–483 allocation units, 25 adapters Alter Boot Table option, 170 crossover, 136 Alternate Path option drive, 154 acquisition locations, 160, 206 Add Evidence File option, 617 hashes, 148 Add Evidence screen, 253, 254 America Online (AOL) files, 277 686 ASCII format – body text for reports

American Standard Code for Information backup case files, 219, 253 Interchange (ASCII) format, 337 – 338 Backup Every 30 Minutes option, 220 bookmarks, 384 backup utility, 220 – 227 , 221 – 226 low-bit, 619 bad clusters, 45 Analyze EFS module, 494, 623, 624 , 627 bad file signatures, 444 anchors in reports, 675 $BadClus file, 75 AND operators bagging evidence, 110 – 112 indexed searches, 420–421, 420 bar code scanners, 97 registry filters, 612, 613 base-2 numbering system, 327 – 333 , 332 – 333 ANSI Latin - 1 search option, 359 base-16 numbering system, 333 – 336 , 335 – 336 Anson, Steve, 105, 558, 604 base case folders, 250–251 antistatic bags, 111 Base64 encoding AOL (America Online) files, 277 bookmarks, 384–385 application binding, 437 – 438 email attachments, 619 – 622 , 620 – 621 application.evtx file, 554 Basic Input Output System (BIOS) .arc extension, 592 description, 11 Archive attribute in FAT, 50 time in, 476 archive files, 219 batteries .art files, 277 CMOS, 10 – 11 Artifact Parser, 497, 497 – 498 , 509–510, 510 laptops, 109 artifacts BCD (Boot Configuration Data) file, 19 description, 474 BCD (Boot Configuration Data) hive, 598 Windows. 
See Windows Bemer, Robert W., 337 artifacts BestCrypt software, 103–104 ASCII (American Standard Code for Information Bias key, 482 Interchange) format, 337 – 338 big endian storage, 50 bookmarks, 384 binary numbers, 327 – 333 , 332 – 333 low-bit, 619 binding applications, 437 – 438 ASCII charts, 337 BinHex method, 620 ASCII tables, 337 BIOS (Basic Input Output System) asterisks (*) description, 11 GREP, 365 time in, 476 registry keys, 600 BIOS parameter blocks (BPBs), 38–39 $AttrDef file, 75 bit-flag values for FAT, 49 – 50 attributes of FAT files and directories, 49 – 50 , BitBucket key, 499 54, 55 BitLocker, 103–104 audit policies, 549, 549 $Bitmap file, 74 – 75 auditing levels, 552 – 554 , 552 bits Auto Extents feature, 282 binary numbers, 327–328, 331–333, 332 – 333 autodetect driver option, 140 hexadecimal numbers, 334–336, 335 AUTOEXEC.BAT file, 17, 596 block size evidence files, 203 LinEn, 175 in network acquisitions, 145–147 B blocking device writes, 130 backslashes (\) blocks in file systems, 25 GREP, 366–367 blocks of data, 203–204 registry keys, 600 body text for reports, 404

Body Text tab, 403–404, 403 booting up Bookmark Data dialog box, 378, 380 from forensic boot disks, 124 – 127 Bookmark Data option, 56 in network acquisitions, 139 Bookmark Field menu, 408–409, 409 BOOTMGR file, 19 Bookmark option, 377 bootstrap program, 14–15 Bookmark Single Item dialog box, 387, 388 BPBs (BIOS parameter blocks), 38–39 bookmarks, 377 breathing masks, 100 color for, 314 browser history, 348 data types, 382, 384 – 386 burning reports to CDs and DVDs, 678 – 679 , 679 exercise, 414 – 415 bypass, Recycle Bin, 498 – 500 , 499 FAT directory entries, 56–58, 57 ordering Highlighted Data, 378 – 386 , 378 – 383 description, 50 Home screen, 248 FAT, 49 INFO2 records, 491 time stamps, 476, 480 Internet history, 529–530, 530 miscellaneous, 390 – 397 , 391 – 396 binary numbers, 330–332 notable file, 387 – 389 , 387 – 389 hexadecimal numbers, 334–336, 335 notes, 386 – 387 , 387 .bzip2 extension, 592 organizing, 397 – 398 , 397 partitions, 580–582, 581 – 582 , 585 reports, 397 – 414 , 397 – 403 , 405 – 413 , 675 – 678 , 676 – 678 C search hits, 377 .cab extension, 592 selected items, 389 – 390 , 390 cables Bookmarks view flat-ribbon, 155 Internet history, 530, 530 network acquisition, 136 – 137 partitions, 23, 581–582, 585 photographing, 110 Boolean conditions, 310 cache folders Boolean operators evidence, 231 , 232 GREP, 366 Internet, 532–533, 533 indexed searches, 420–421, 420 caches registry filters, 612, 613 backing up, 220 Boot Configuration Data (BCD) file, 19 path setting, 251 Boot Configuration Data (BCD) hive, 598 cameras boot disks scene photographing, 99 booting from, 124 – 127 screen photographing, 102 creating, 121 – 124 , 121 – 124 Carve HTML Files option, 615 LinEn, 169 Carve Webmail Files option, 615 network acquisitions, 137 , 137 Case Analysis tool, 619 $Boot file, 75 Case Analyzer boot indicator byte, 15 Internet history, 531 BOOT.INI file, 19 link files, 509, 510 boot mode in FireWire, 134 Case Analyzer EnScript boot order in setup routine, 127 
event logs, 557, 557 boot process, 14 – 17 , 16 Job Summary report, 610, 610 DOS, 17 , 18 Recycle Bin file status, 497, 498 Windows, 17 – 18 time zone offsets, 483, 484 boot sectors, 36 – 43 , 36 – 38 Case Analyzer Report, 483 bootable partitions, 574 Case category on Home screen, 242

Case Info fields, 251 Clean Boot option, 139 case numbers, 251 Clear All confirmation window, 167 Case Options dialog box, 218, 218 , 249, 249 CLFS (), 75 Case Processor, 609 – 611 , 610 – 611 Client Info tab, 638, 639 case-sensitivity .CLOOP extension, 592 custom strings, 313 Cluster Number field, 296 searches, 357, 359, 421, 421 Cluster view, 282 Case tab, 222, 222 clusters, 25 cases and case files, 217 – 219 , 218 – 219 Disk view, 280, 282 backups, 222, 222 exFAT, 82 creating, 249 – 254 , 253 – 254 FAT. See FAT () file description, 2–3 system categories navigation data, 296 hash analysis, 464, 464 NTFS, 73–74 hash sets, 458, 460 Virtual File System, 629 Home screen, 242 CMOS (Complementary Metal-Oxide Category column in Table view, 271 Semiconductor) CD Inspector CD images, 79 batteries, 10 – 11 CD-ROM (Compact Disc - Read-Only Memory) boot process, 15 drives, 8 description, 10 CD-RW (Compact Disc - Read/Write) drives, 8 CMOS chips, 10–11 CDs CMOS data, 10 burning reports to, 678 – 679 , 679 Code Page column, 272 file systems, 77 – 79 , 78 Code Page tab , 169 – 171 , 170 – 171 FAT directory entries, 54, 56 network boot, 138 searches, 360 central processing units (CPUs), 3 Text view, 285, 285 – 286 boot process, 14–15 Codemeter device, 182, 186 description, 4 Collapse All option, 258, 258 chain of custody, 110 collisions, hash, 210, 449 Change Desktop Icons option, 517 color and color codes Change from a System Diskette to a Boot Floppy crossover cables, 136 option, 122–123 Disk view, 280 Change Hash Library option, 462 settings, 313 – 314 , 314 Change Icon dialog box, 505, 505 Timeline view, 279, 280 characters, 336 Colors tab, 314 ASCII, 337 – 338 Colors view, 313, 314 Unicode, 338 – 339 , 339 COMMAND.COM file, 17, 121, 121 – 122 chassis, 2–3 comments for bookmarks, 378, 379 , 392, 393 checklists for first response, 92 – 94 Common Log File System (CLFS), 75 chmod command, 174 Compact Disc - Read-Only Memory (CD-ROM) Choose Destination dialog box, 170, 170 
drives, 8 chronological sorts, 268 Compact Disc - Read/Write (CD-RW) drives, 8 CHS (Cylinder Head Sector) system, 4–5, 574 Complementary Metal-Oxide Semiconductor chunks (CMOS) evidence acquisition, 131 batteries, 10 – 11 LinEn, 175 boot process, 15 circumflexes (^) in GREP, 365 description, 10

compound files Create Copy Of Drive Or Memory option, 184, 186 archive, 219 Create Hash Set dialog box, 458 mounting, 588–590, 589 Create Shortcut Wizard, 506, 506 searching, 593 creator codes, 437 compression cross-contamination of data, 172, 251 AOL files, 277 cross-platform file exchanges, 438 evidence, 131, 203–206 crossover cables, 136 file headers, 203 CryptHunter tool, 104 LZ format, 206 cscript command, 104 network acquisitions, 145, 147 – 148 curly brackets ({}) in GREP, 366 computers and computer systems Current value, 342, 342 first response issue, 92 – 94 CurrentControlSet key, 602, 603 shutdown procedures, 106 – 110 , 109 Cyclical Redundancy Check (CRC) conditions evidence files, 201 – 208 , 210 , 212 – 213 configuration files, 230 network acquisitions, 145 – 146 registry, 611 – 613 , 611 – 613 Cylinder Head Sector (CHS) system, 4–5, 574 View pane, 298 , 298 cylinders, 5 CONFIG.SYS file, 17, 595–596 configuration Enterprise and FIM, 177, 177 files, 227 – 230 , 228 – 231 D connectors daily backups, 226, 226 drives, 5–7 daisy chaining FireWire devices, 151 keyed, 155 dashes (-) in GREP, 365, 367 power, 4 .dat extension, 275 Console tab, 396, 396 data blocks in CRC, 202 container reports, 671 – 674 , 673 Data Capture option, 606–608, 607 Content.IE5 folder, 521, 521 , 532 Data Link Layer (DLL) protocol, 12 context for times, 475 data overview, 326 – 327 cookie files, 74 binary numbers, 327 – 333 , 332 – 333 Cookies folder, 521, 523 – 525 , 524 – 525 bookmarking. See bookmarks CookieView decoder, 525 characters, 336 – 339 , 339 copies Evidence Processor, 340 – 351 , 341 – 352 evidence, 120, 186 exam essentials, 428 – 429 search results, 377 hexadecimal numbers, 333 – 336 , 335 – 336 Volume Shadow Service, 544 – 549 , 545 – 548 registry, 340 – 345 , 341 – 344 Copy Evidence To dialog box, 186 review questions, 430 – 433 Copy Files dialog box, 171, 171 searches. 
See searches and searching Copy option, 377 summary, 426 – 427 Cpio files, 592 data storage area in FAT, 46 CPUs (central processing units), 3 directory entries, 48 – 51 boot process, 14–15 root directory, 46 – 48 , 47 – 48 description, 4 data structures for bookmarks, 382, 383 CRC (Cyclical Redundancy Check) data types evidence files, 201 – 208 , 210 , 212 – 213 bookmarks, 382, 384 – 386 network acquisitions, 145 – 146 registry, 601 Create a New Partition Wizard, 22 DATE command, 17 Create Boot Disk option, 122–123, 169

dates and times Desktop folder, 516 – 518 , 517 artifacts, 475 Desktop Icon Settings dialog box, 517, 517 time stamps, 476 – 481 , 477 – 481 destination folders time zone offsets, 481 – 487 , 484 – 485 bookmarks, 380, 380 , 389 time zones, 475 – 476 , 476 partitions, 23 bookmarks, 385 detaching View pane, 300 evidence acquisition, 131 detail in Home screen, 246–247 formats, 310, 313, 313 Detect Legacy FastBloc option, 156, 157 hashes, 217 Device Configuration Overlay (DCO) data, 125 Internet history, 527, 527 FastBloc SE, 164 Recycle Bin files, 489 LinEn, 176 Timeline view, 278–279, 278 network acquisitions, 135 daylight saving time, 486 , 155, 156 DaylightBias key, 482–483 DEVICE statements, 17 DaylightName key, 482 devices DaylightStart key, 482 Tree pane, 255 – 257 , 255 – 257 .dbx extension, 590 write blocking, 130 DCO (Device Configuration Overlay) data, 125 dictionary attacks, 628 FastBloc SE, 164 digital evidence LinEn, 176 acquiring. See acquiring digital evidence network acquisitions, 135 seizing, 102 – 105 , 103 – 104 DCode tool, 481 Digital Versatile Disc – Read/Write (DVD-RW), 8 DCode view, 480 Direct ATA mode, 125, 128–129, 129 – 130 dd tool, 200, 546, 546 DirectCD format, 78 dead hard drive revival, 133 Directory attribute, 50 Debug tab, 314–315, 315 directory entries in FAT, 34–35, 47, 47 Decode tab and view GREP expression for, 372 bookmarks, 380, 382, 382 – 383 storing, 48 – 51 FAT directory entries, 54, 57 viewing, 52 – 58 , 52 – 55 , 57 partitions, 23, 292 , 293 , 573, 574 Directory Entry Record, 82 print jobs, 540, 541 directory entry status byte, 72 – 73 , 72 Win2000 Info File Record, 492 dirty status in FAT, 45, 46 decoders, cookie, 525 Disk Manager, 22 decryption, 622 – 629 , 623 – 627 Disk view, 305 Deep Freeze program, 525 exFAT, 79, 80 default colors, 313 overview, 280 – 284 , 281 – 283 Delete Partition option, 579 partitions, 23, 582–583, 584 , 586, 586 deleted files. See Recycle Bin disks. 
See boot disks; drives deleting Dixon boxes files bookmarks, 390 FAT, 66 – 70 for keyword searches, 354 in Recycle Bin, 494 – 496 , 495 – 496 overview, 294 – 295 folders, 361 selected object count, 258–259, 259 , 304 partitions, 576, 576 , 579 DLL (Data Link Layer) protocol, 12 demodulation, 12 Do Not Move Files to the Recycle Bin option, descriptions 498–499 cases, 251 .doc/.docx extension, 591 Table view, 272 Doc view, 289 , 289

Documents folder, 228, 518 Edit File Viewers dialog box, 309 Documents and Settings folder, 623, 624 Edit "Other Information" dialog box, 403, 403 , DOS 406–407, 407 , 410 boot disks Edit Text Styles screen, 56 benefits, 126 editing registry, 596 using, 126 – 127 EDS (EnCase Decryption Suite), 494, 622 – 629 , boot process, 17 , 18 623 – 627 drive-to-drive acquisition, 128 EFI (Extensible Firmware Interface), 11 – 12 steps, 128 – 132 , 129 – 130 8 dot 3 naming convention supplemental information, 132 – 135 FAT, 49 – 51 shutdown procedures, 106 ISO 9660 standard, 77, 78 time zones, 475 EISA expansion slots, 9 DOS Directory Entry data type, 386 electronic fingerprints, 147 dot double dot signatures, 72–73, 72 email double-clicking files, 308 address searches, 369 double words (Dwords), 330–331 archive files, 219 drive-to-drive DOS acquisition, 128 Base64 encoding, 619 – 622 , 620 – 621 steps, 128 – 132 , 129 – 130 overview, 614 – 619 , 614 – 617 supplemental information, 132 – 135 settings, 347–348, 348 drivers for network acquisitions, 140 Email folder, 252 drives EMF (Enhanced Metafile) files, 537–540, 539 , 541 adapters, 154 ENBCD (EnCase Network Boot CD), 137 – 138 boot process, 15–17, 16 ENBD (EnCase Network Boot Disk), 137 – 138 description, 4 – 7 EnCase concepts, 200 encrypted, 103–104 backup utility, 220 – 227 , 221 – 226 for evidence acquisition, 188 case files, 217 – 219 , 218 – 219 hashing, 215 – 217 , 216 – 217 configuration files, 227 – 230 , 228 – 231 partitions, 20 – 24 , 24 CRC, MD5, and SHA-1, 201 – 202 Physical Disk Emulator, 636 – 641 , 637 – 639 disk and volume hashing, 215 – 217 , 216 – 217 previewing, 162 – 163 evidence cache folders, 231 , 232 size ratings, 330 evidence files Drives dialog box, 634, 635 components and function, 202 – 206 , DRVSPACE.BIN file, 121, 123 202 , 205 DVD-ROM (DVD-ROM Digital Versatile Disc – format, 200 – 201 , 206 , 207 Read-Only Memory), 8 verification, 207 – 215 , 208 – 209 , 211 – 212 DVD-RW (Digital Versatile 
Disc - Read/Write), 8 exam essentials, 235 DVDs, burning reports to, 678 – 679 , 679 review questions, 236 – 239 Dwords (double words), 330–331 summary, 233 – 235 dynamic keys, 601–602 EnCase Decryption Suite (EDS), 494, 622 – 629 , DynamicDaylightTimeDisabled key, 342, 343 623 – 627 EnCase Network Boot CD (ENBCD), 137 – 138 EnCase Network Boot Disk (ENBD), 137 – 138 EnCase Portable E acquisition, 180 – 188 , 181 – 188 .e extension, 204 RAM memory imaging, 102 .edb extension, 592 snapshot feature, 102 Edit dialog box for searches, 373 – 374 , 374 .EnCondition extension, 230

encryption evidence disks and volumes, 103–104 acquiring. See acquiring digital evidence Enterprise, 178 cache folders, 231 , 232 End of File (EOF) markers, 58, 59 , 61 restoring, 633 – 636 , 634 – 636 .Enfilter extension, 230 Evidence category in Home screen, 242 Enhanced Metafile (EMF) files, 537–540, 539 , 541 Evidence File column, 273 EnScripts, 299 , 299 evidence files bookmarks, 396–397 components and function, 202 – 206 , 202 , 205 event logs, 557, 557 cross-contamination, 172 Job Summary report, 610, 610 format, 200 – 201 , 206 , 207 Portable Management, 181, 181 names, 227 Recycle Bin file status, 497, 498 verification, 207 – 215 , 208 – 209 , 211 – 212 registry, 608 – 611 , 609 – 611 evidence handling at scene, 98 storing, 230 bagging and tagging, 110 – 112 time zone offsets, 483, 484 recording and photographing, 99 Enter item menu, 625, 626 securing scene, 98 – 99 Enterprise acquisitions, 176 – 180 , 177 , 179 seizing computer evidence, 99 Entries tab for keyword searches, 354 computer shutdown procedures, Entries Tree-Table view, 246, 248 106 – 110 , 109 Entry Modified column, 272 physical evidence, 99 – 101 environment, 242 volatile digital evidence, 102 – 105 , 103 – 104 case creation, 249 – 254 , 253 – 254 Evidence Number setting, 145 exam essentials, 320 Evidence Processor Home screen, 242 – 245 , 243 – 246 data in, 340 – 351 , 341 – 352 layout, 246 – 248 , 247 – 248 email, 614–615, 614 , 618 Macintosh, 315 – 317 file signature analysis, 442, 442 options, 310 – 315 , 311 – 315 hash analysis, 463 review questions, 321 – 324 Internet history, 529, 529 summary, 318 – 319 link files, 509 Table pane navigation. See Table pane print jobs, 540 Tree pane navigation, 255 – 265 , 255 – 265 Recycle Bin file status, 496 – 497 , 497 – 498 View pane navigation. 
See View pane registry, 609, 610 EOF (End of File) markers, 58, 59 , 61 time zone offsets, 483–484, 484 epoch time, 476–477 Windows Event log parser, 555 – 557 , 556 – 557 error checking Evidence tab CRC, 201–208, 210, 212–213 EnCase Portable, 186, 187 parity bits, 337 evidence file verification, 210, 211 , 214 Error Granularity setting Evidence Processor from, 345, 345 LinEn, 175 FastBloc, 158, 159 , 162–163 network acquisitions, 146 , 147 FastBloc SE, 167 error messages in FAT boot sector, 38 file signature analysis, 446–447 even parity scheme, 337 hashes, 215 event logs, 549 Home screen, 242, 244 – 245 , 245 auditing levels, 552 – 554 , 552 mounting files, 589–590 information in, 549 – 551 , 550 – 551 partitions, 577 Windows Event log parser, 555 – 557 , 556 – 557 time zone offsets, 484 /7, 554 – 555 , 554 – 555 Evidence Table tab, 458 Evidence view, 302

.evt extension, 554 directory entry status byte, 72 – 73 , 72 .evtx extension, 554 FAT area, 43 – 45 , 43 – 46 .ex extension, 205 files Ex01 format, 206 deleting and undeleting, 66 – 70 examination suggestions, 641 – 645 slack space, 70 – 71 , 71 Exceptions tab, 141 storing, 58 – 65 , 59 – 62 exFAT file system time stamps, 487 overview, 79 – 83 , 80 physical layout, 36 , 36 partitions, 22 reserved area, 36 – 43 , 36 – 38 Expand All option, 258, 258 FAT12 file system, 22 expansion slots, 9 FAT16 file system, 22 Export dialog box, 362, 363 FAT32 file system, 22 Export folder, 252 Favorites folder, 520 – 521 , 520 exporting utility, 24, 172–173, 576 keywords, 362 – 363 , 363 FedEx tracking numbers, GREP expression reports, 669 – 671 , 670 for, 372 expressions, GREP Field Intelligence Model (FIM) 6 creating, 366 – 367 acquisitions, 176 – 180 , 177 , 179 testing, 367 – 369 , 367 – 369 availability, 105, 148 useful, 371 – 372 , 373 configuration, 179–180, 179 $Extend file, 75 licensing, 177 extended ASCII character set, 337 snapshot feature, 102 Extensible Firmware Interface (EFI), 11 – 12 field kit checklists, 94 – 96 extensions Field tab binding. See file signature analysis email, 616, 617 changed, 275 file signature analysis, 446 FAT files, 50 Field view, 294 Extensions tab, 440 File Acquired column, 273 external viewers, 308 – 309 , 309 – 310 File Allocation Table file system. 
See FAT (File Allocation Table) file system File Carver, 349, 351 email, 615 F print jobs, 540, 542 false condition, 310–312, 311 – 312 webmail, 375 fans, 4 File Created column, 272 FastBloc device, 121 File Deleted column, 272 FastBloc SE acquisitions, 163 – 168 , 165 – 168 File Ext column, 271 FastBloc/Tableau acquisitions, 151 File Extents column, 273 FastBloc 2 features, 152 – 154 , 153 – 154 File Extents tab, 60, 61 models, 151 – 152 File Extents view, 291 , 291 steps, 154 – 162 , 156 – 161 file group bookmarks, 390 FAT (File Allocation Table) file system, 25–26 File Identifier column, 274 basics, 34 – 35 File Integrity field, 212 data storage area, 46 – 51 , 47 – 48 file offsets directory entries link files, 507, 507 GREP expression for, 372 navigation data, 296 storing, 48 – 51 file segment size, 131, 145, 204 viewing, 52 – 58 , 52 – 55 , 57

file signature analysis, 275, 347, 436 paperless reports, 673, 673 , 678 – 679 , 679 application binding, 437 – 438 swap, 3, 511, 516, 535 – 536 conducting, 442 – 447 , 442 – 444 , 447 – 448 FileSignatures.ini file, 438 exam essentials, 468 Filesystem key, 508 review questions, 469 – 472 FileTypes.ini file, 230, 438 summary, 466 – 467 filters file signatures configuration files, 230 creating, 438 – 442 , 439 – 441 file signature analysis, 447, 447 – 448 link files, 508 hash analysis, 464 – 465 , 464 non-Windows systems, 594 registry, 606, 606 , 611 – 613 , 611 – 613 file slack, 71 View pane, 298 , 298 File System Information (FSINFO), 38 FIM (Field Intelligence Model) 6 file systems, 34 acquisitions, 176 – 180 , 177 , 179 CD, 77 – 79 , 78 availability, 105, 148 exam essentials, 84 configuration, 179–180, 179 exFAT, 79 – 83 , 80 licensing, 177 FAT. See FAT (File Allocation Table) file system snapshot feature, 102 mounting as read-only, 168 – 169 Find feature, 297 , 297 NTFS, 73 – 77 Find Email feature, 614–615, 614 , 617 overview, 25 – 26 Find Entries By Hash Category option, 464 review questions, 85 – 89 Find Internet Artifacts feature, 529, 529 summary, 83 Find Related option, 377 file types finding. See searches and searching codes, 437 fingerprints, 99, 147 database, 349 firewalls, 140–141, 141 Table view, 271 FireWire (IEEE 1394 standard) File Types view, 306 – 307 , 307 , 438, 439 daisy chaining devices, 151 Filename Extension Record, 82 description, 8 filenames drive acquisition, 134 CD standards, 77, 78 first response, 90 FAT, 49 – 51 evidence handling at scene, 98 files bagging and tagging, 110 – 112 deleted. See Recycle Bin recording and photographing, 99 double-clicking, 308 securing scene, 98 – 99 evidence. See evidence files seizing. See seizing computer evidence extensions, 275 exam essentials, 113 – 114 binding. 
See file signature analysis planning and preparation issues, 90 – 91 changed, 275 computer systems, 92 – 94 FAT, 50 field kit checklists, 94 – 96 FAT personnel, 91 – 92 deleting and undeleting, 66 – 70 physical location, 91 slack space, 70 – 71 , 71 search authority, 97 – 98 storage, 58 – 65 , 59 – 62 review questions, 115 – 118 hibernation, 536 , 537 summary, 113 integrity, 202, 202 flat-ribbon cables, 155 keyword, 353 – 354 , 360 – 361 , 361 – 362 floppy disks and drives, 120 link. See link files boot process, 15–17, 16 management, 252 description, 7 mounting, 340, 588 – 593 , 589 – 590 , 593 for evidence acquisition, 188 ownership, 493 – 494 , 494 forensic boot disks, 122–124, 123

folders, 511 – 515 Global view, 310, 311 – 312 bookmarks, 380, 380 , 392, 394 , 404–406, 405 globally unique identification numbers (GUIDs), case files, 217–219, 218 231, 232 Cookies, 523 – 525 , 524 – 525 bookmarks, 386 deleted. See Recycle Bin Recycle Bin files, 493 Desktop, 516 – 518 , 517 Table view, 274 Documents, 518 Glossary report, 672 Favorites, 520 – 521 , 520 gloves, 99–100 hash libraries, 450–451, 450 GMT (Greenwich mean time), 475 History, 526 – 531 , 527 , 529 – 531 Go To feature, 282, 283 keyword, 356, 356 , 360 – 361 , 361 – 362 Go To File feature Low, 521 – 523 , 521 bookmarks, 582, 582 names, 252 indexed searches, 418, 419 paperless reports, 673, 673 , 678 – 679 , 679 partitions, 586 Recent, 515 – 516 , 515 search hits, 377 recursive feature, 395 Go To Template tool, 402, 402 Send To, 518 GPS (Global Positioning System) data, 295 – 296 , Temp, 519 , 519 295 , 305 Temporary Internet Files, 532 – 533 , 533 granularity Tree pane, 258 errors, 146 , 147 Windows, 512 , 514 evidence acquisition, 132 Forensic Acquisition Utility tools, 546 Home screen, 246–247 forensic boot disks Greenwich mean time (GMT), 475 booting from, 124 – 127 GREP searches, 359 creating, 121 – 124 , 121 – 124 expressions forensic bridges, 153, 153 creating, 366 – 367 Format: Notable File dialog box, 409–410, testing, 367 – 369 , 367 – 369 409 – 410 useful, 371 – 372 , 373 Format tab for FastBloc, 161, 161 , 163 keywords, 364 Formats tab for reports, 407, 407 symbols, 364 – 366 Formatting Options dialog box, 170, 170 GUIDs (globally unique identification numbers), fragmented files, 70 231, 232 FrontPage, 673 – 674 bookmarks, 386 FSINFO (File System Information), 38 Recycle Bin files, 493 full case path, 250 Table view, 274 Full Path Name field, 296 .gzip extension, 592

G H Gallery view, 304 hard drives. See drives file signature analysis, 446–447 hardware, 2 overview, 275 – 277 , 275 – 277 boot process, 14 – 20 , 16 , 18 search hits, 377 component overview, 2 – 14 Garner, George, 546 exam essentials, 27 General Procedures report, 672 file systems, 25 – 26 Generate Image Hash setting, 147 partitions, 20 – 24 , 24 global application data configuration, 228 review questions, 28 – 31 Global Positioning System (GPS) data, 295 – 296 , summary, 27 295 , 305 Hardware Analysis report, 672

Hash Analysis option, 347 hive files, 596 – 602 Hash Set column, 274 Evidence Processor, 340 – 345 , 341 – 344 Hash/Sig Selected tool, 458, 463 in restore points, 604 – 605 hashes HKEY_ hives, 597 , 602 acquisition, 149, 202 HKLM hive keys, 598 collisions, 210, 449 HKU hive keys, 598 – 599 disks and volumes, 215 – 217 , 216 – 217 Home screen, 242 – 245 , 243 – 246 EnCase Decryption Suite, 625 – 629 , 627 Host Protected Area (HPA) data, 125 hash analysis, 436, 449 FastBloc SE, 164 exam essentials, 468 LinEn, 176 MD5 hash, 449 network acquisitions, 135 process, 462 – 465 , 462 – 464 HTML data type, 384 review questions, 469 – 472 HTML (Unicode) data type, 384 sets and libraries, 449 – 460 , 450 – 461 HTML (Hypertext Markup Language) editors, summary, 466 – 467 672–673 LinEn, 174, 174 hyperlinks network acquisitions, 148 compound files, 589, 589 Header tab, 441, 441 email, 615 headers hive files, 340–342, 341 BinHex, 620 options, 347 email, 615 reports, 671 – 678 , 676 – 678 evidence files, 202–203, 202 file signature analysis, 443 link files, 508 heads, disk drive, 4–5 I heat sinks, 4 IBMBIO.COM file, 17 Helix distribution, 169 IBMDOS.COM file, 17 Hex view, 287 , 287 , 305 IDE (Integrated Drive Electronics) controllers, 6 Find feature in, 297 IEEE 1394 standard (FireWire) Home screen, 247 daisy chaining devices, 151 partitions, 23, 292, 293 description, 8 hexadecimal numbers drive acquisition, 134 bookmarks, 384 IEEE 1394a ports, 8 GREP, 365 IEEE 1394b ports, 8 overview, 333 – 336 , 335 – 336 images of original evidence, 120, 200–201 HFS format, 78 Import Legacy Hash Sets option, 454 HFS+ ( Plus) format, 437 importing hibernation files, 3, 511, 536 , 537 keywords, 362 – 363 , 363 hidden columns, 269, 269 legacy hash sets, 454–455, 455 Hidden file attribute, 50 incident response. 
See first response hidden servers, 111 index.dat file, 524, 527–528, 532–533, 546, Hierarchical File System Plus (HFS+) format, 437 561–562 high-bit ASCII set, 337, 384 index files in Recycle Bin, 489, 496, 496 , 500 – High Sierra standard, 77 502 , 502 Higher Resolution option, 278 Index tab, 416, 417 Highlighted Data bookmarks, 378 – 386 , 378 – 383 indexed searches history vs. raw searches, 352 – 353 Internet, 348, 523, 526 – 531 , 527 , 529 – 531 searching with, 415 – 421 , 416 – 422 registry, 595 – 596 tags in, 423–425, 423 – 425 History folder, 521, 526 – 531 , 527 , 529 – 531 indexing text, 349 , 349

INFO2 file Joliet standard, 77, 78 overview, 488 – 492 , 489 – 493 jump instruction for FAT boot sector, 38–39 replacement for, 500 junctions for folders, 513 for restoring files, 495–496, 495 Initial Splash Screen report, 671 Initialized Size column, 273 inittab file, 171 K Insert Hyperlink dialog box, 676, 677 keyboards INSTALL statements, 17 in boot process, 15 integer values ports, 12 bookmarks, 385 keyed connectors, 155 representation of, 338 keymasters, SAFE, 178–180 Integrated Drive Electronics (IDE) controllers, 6 keys integrity of files, 202, 202 EnCase Decryption Suite, 625, 626 integrity seals, 202 registry, 596 – 602 , 599 – 600 International Organization for .keyword extension, 354, 360 Standardization, 436 Keyword hits tab, 376, 376 International Telecommunications Union Keyword Tester feature, 360, 367 – 369 , 367 – 369 Telecommunications Standardization Sector keywords, 348 , 348 (ITU-T), 436 creating, 354 – 360 , 354 – 358 Internet files and folders for, 353 – 354 , 360 – 361 , history files, 348, 523, 526 – 531 , 527 , 529 – 531 361 – 362 shortcut files, 520 GREP, 364 – 373 , 367 – 369 , 3751 temporary files, 521, 532 – 533 , 533 importing and exporting, 362 – 363 , 363 Internet Evidence Finder tool, 615 indexed searches, 417, 417 IO.SYS file, 17, 121, 123 lists, 363 – 364 , 363 – 364 IP addresses, 338 network acquisition searches, 144 Is Deleted column, 272 KEYWORDS.INI file, 353 Is Duplicate column, 274 Kojak lights, 111 Is Internal column, 274 Is Overwritten column, 274 Is Picture column, 272, 310, 311 – 312 ISA expansion slots, 9 L ISO 9660 standard, 77, 78 labels for cables, 110 Itanium systems, 11 LanMan hashes, 628–629 Item Path column, 272 laptops Item Path option, 409, 409 network acquisitions, 135 Item Type column, 271 shutting down, 109 ITU-T (International Telecommunications Last Accessed column, 271 Union Telecommunications Standardization Last Written information Sector), 436 dates and times, 475, 484 FAT, 49 link files, 507–508, 507 
– 508 J Recent folder, 516 Table view, 272 Jaz disks, 189 latex gloves, 99 Job Summary menu, 610, 610 law enforcement applications, 180 Johnson, Ryan, 558, 604 layout, 246 – 248 , 247 – 248 Johnson-Grace compression, 277 LBA (Logical Block Addressing), 5

LEFs (logical evidence files), 511
left nibbles
  binary numbers, 330–331, 332–333
  hexadecimal numbers, 333–336, 335
legacy operating system artifacts, 543–544
Length field in navigation, 296
levels, auditing, 552–554, 552
libraries, hash, 449–460, 450–461
licensing
  certification files for, 230, 231
  Enterprise and FIM, 177
line wrap and length, 285, 286
LinEn (Linux EnCase) acquisitions, 120, 168
  mounting file systems as read-only, 168–169
  overview, 171–173
  steps, 173–176, 174–175
  updates, 169–171, 170–171
link files, 504
  importance, 505–508, 506–508
  parser, 509–511, 510
  Recent folder, 516
  shortcut properties, 504–505, 504–505
links
  hyperlinks. See hyperlinks
  NTFS, 75
  to reports, 404, 405
  symbolic. See symbolic links
Linux
  boot CD updates, 169–171, 170–171
  boot runlevels, 171
  shutdown procedures, 108
Linux EnCase. See LinEn (Linux EnCase) acquisitions
Linux Swap partitions, 26
lists, keyword, 363–364, 363–364
little endian storage
  description, 50
  FAT directory entries, 49
  time stamps, 476, 480
live capture and analysis, 102, 105
.lnk extension, 504, 516
Load Selected Device option, 158
Load Selected Evidence option, 245
local-host files, 531
local.ini file, 228
Local Security Policy, 549
local time offsets, 478
locating partitions, 573–588, 573–586
Location tab in FastBloc, 160, 163
Lock indicator for devices, 130
lock view, 294
locked columns, 266–267, 266–267
log record bookmarks, 390–392, 391–392
Log Records view, 635, 636
$LogFile file, 75
logic operators
  GREP, 366
  indexed searches, 420–421, 420
  registry filters, 612, 613
Logical Block Addressing (LBA), 5
logical evidence files (LEFs), 511
logical names in evidence files, 227
Logical Sector Number field, 296
Logical Size column, 271
logs, 549
  auditing levels, 552–554, 552
  information in, 549–551, 550–551
  Windows Event log parser, 555–557, 556–557
  Windows Vista/7, 554–555, 554–555
long filenames in FAT, 49–51
low-bit ASCII set, 337, 384, 619
Low folder, 521–523, 521, 532
Lower Resolution option, 278
lowercase letters, 338
Lx file format, 206
LZ compression format, 206

M

MAC (Media Access Control) addresses, 12
MacBook Air models, 181
Macintosh systems
  application binding, 438
  drive acquisition, 134
  EnCase Portable, 181
  shutdown procedures, 108, 109
  working with, 315–317
.MailDB extension, 591
mainboards, 4
Manage Hash Library option, 451, 451
Mandatory Integrity Control (MIC), 522
mapped drives, Recycle Bin files from, 503
master boot records (MBRs), 573, 573, 576
  boot process, 15–17, 16
  partitions, 20–22
master devices, 6
master file tables (MFTs), 25

.mbox extension, 592
MBRs (master boot records), 573, 573, 576
  boot process, 15–17, 16
  partitions, 20–22
.mbx extension, 590
MCA (Micro Channel Architecture) expansion slots, 9
MD5 (Message Digest 5) hashes
  collisions, 210, 449
  copied evidence, 233
  creating, 147, 458, 458
  description, 201–202, 449
  disks and volumes, 215–216
  evidence files, 203–205
  LinEn, 174
  Table view, 272
  verification, 149, 149, 207–211
Media Access Control (MAC) addresses, 12
media type in FAT, 44, 44
meets and bounds for partitions, 26
memory
  in boot process, 14–15
  RAM. See RAM (random access memory)
  types, 3
Message Digest 5. See MD5 (Message Digest 5) hashes
metadata
  backing up, 220
  file systems, 25
  reports, 406–408, 407–408, 411
$MFT (master file table) file, 74
$MFTMirr file, 74
MFTs (master file tables), 25
MIC (Mandatory Integrity Control), 522
Micro Channel Architecture (MCA) expansion slots, 9
microprocessors, 4
Microsoft Expression Studio, 673
Microsoft FrontPage, 673–674
Microsoft Office documents, 593
military applications, 180
MIME (Multipurpose Internet Mail Extensions) standard, 619
modems, 12
Modify Time Zone Settings option, 344, 485, 485
modulation, 12
motherboards, 4
Mount As Emulated Disk feature, 637–638, 638–639
Mount As Network Share dialog box, 630, 631
mount command, 172–173
mountable files, 602
mounted encryption, 104
mounting
  file systems as read-only, 168–169
  files, 340, 588–593, 589–590, 593
  partitions, 573–588, 573–586
  registry, 601–602, 603
mouse ports, 12
moving columns, 270
MS-DOS time stamp, 487
MSDOS.SYS file, 17
.msi extension, 591
multiple cases, opening, 251
Multipurpose Internet Mail Extensions (MIME) standard, 619
My Documents folder, 518

N

names
  bookmarks, 392, 393, 675
  cases, 250
  CD files, 77, 78
  evidence files, 227
  FAT files, 49–51
  folders, 252, 380
  hash sets, 458, 460
  keywords, 359
  Recycle Bin files, 500, 501
  Table view, 266–267, 271
NAS tab, 314
navigation
  Table pane. See Table pane
  Tree pane, 255–265, 255–265
  View pane. See View pane
netstat.exe command, 105
network acquisitions, 135
  benefits, 135–136
  boot CDs, 138
  boot disks, 137, 137
  booting up, 139
  cables, 136–137
  options, 142–149, 143–144, 147, 149
  setting up, 140–142, 141–142
  steps, 138

network connections, 13
Network Interface Cards (NICs), 12
Network Settings tab, 141
Network Support option, 139
networked storage, 251
New Case Options dialog box, 412, 412
New File Type dialog box, 307–308, 308, 440–441, 440–441
New Hash Library option, 453
New Keyword dialog box, 356–357, 357
New Raw Search Selected dialog box, 355–356, 355, 373, 374
New tab for bookmarks, 583
New Technology File System. See NTFS (New Technology File System)
New Text Style menu, 285, 285
nibbles
  binary numbers, 327, 330–331, 332–333
  hexadecimal numbers, 334–336, 335
NICs (Network Interface Cards), 12
No Audit setting, 549, 550
noise files, 425
nonvolatile random access memory (NVRAM), 3
normal system shutdowns, 106
notable file bookmarks, 387–389, 387–389, 406–408, 407–408
notes bookmarks, 386–387, 387
Notes setting for network acquisitions, 145
.nsf extension, 592
NSRL files, 450–451, 450–452, 457, 465
NT Loader (NTLDR) file, 19
NTDETECT.COM file, 19
NTFS (New Technology File System), 25–26
  basics, 73–77
  with Linux, 172
  partitions, 22, 172, 574–576, 575, 577
  time stamps, 487
  time zones, 475
NTFS-3G driver, 172
NTLDR (NT Loader) file, 19
NTOSKRNL.EXE file, 19
NTUSER.DAT file, 513–514, 605
numbers
  binary, 327–333, 332–333
  hexadecimal, 333–336, 335–336
  stored as text, 338
NVRAM (nonvolatile random access memory), 3

O

odd parity scheme, 337
offsets, time zone, 476, 481–487, 484–485
Open File option, 398–399, 400
Open Hash Library option, 451
opening multiple cases, 251
OpenWithList key, 437
OpenWithProgids key, 437
operating system artifacts. See Windows operating system artifacts
Options menu and tab
  backups, 220, 221
  file types, 440, 440–441
  global options, 310
  reports, 403, 403
  Text view, 285, 286
OR operators
  GREP, 366
  indexed searches, 420–421, 420
  registry filters, 612, 613
organization
  cases, 252
  registry, 596–601, 597, 599–600
Original Path column, 274
Output Path setting, 145, 148
Overwrite Diskette with a Boot Floppy Base Image option, 122–123
overwritten FAT files, 68–70
ownership of files in Recycle Bin, 493–494, 494

P

packet writing in UDF, 78
packing lists for first response, 94–96
page files, 511, 516, 535–536, 537
paper trails, 110
paperless reports
  bookmarks, 675–678, 676–678
  burning to CDs and DVDs, 678–679, 679
  container, 671–674, 673
  exporting, 669–671, 670
  hyperlinks, 671–678, 676–678
  overview, 668–669
parallel cables, 140
parallel ports, 13
parent folders, 52, 52

parentheses () in GREP, 366
parity bits, 337
parsers
  event logs, 555–557, 556–557
  link files, 509–511, 510
partial recovery of FAT files, 70
Partition Entry data type, 386
Partition Entry view, 573, 574
Partition Finder, 580–581, 580–581
Partition menu, 282, 283
partitions
  for devices, 130
  Disk view, 282, 283
  exFAT, 79
  locating and mounting, 573–588, 573–586
  NTFS, 73–74, 574–576, 575, 577
  partition tables, 20–24, 24
  recovery, 587–588
passwords
  EnCase Decryption Suite, 625–629, 626–627
  evidence acquisition, 131
  network acquisitions, 145
paths
  acquisition, 145, 148
  caches, 251
  cases, 250
  FAT files, 58–59, 59
  Recycle Bin files, 489
PC Cards (PCMCIA cards), 9
pcert files, 230
PCI (Peripheral Component Interconnect)
  cards, 10
  expansion slots, 9
PCI Express expansion slots, 9
PCI Express video cards, 10
PCMCIA cards (PC Cards), 9
PDE (Physical Disk Emulator) module, 636–641, 637–639
Pearson, Scott, 558, 604
periods (.)
  GREP, 365, 367
  registry keys, 600
permissions, 227
  LinEn, 174
  Recycle Bin files, 493, 494
  Table view, 273
Permissions view, 291, 292
personnel as first response issue, 91–92
.pfc extension, 592
PGPdisk software, 103
photographers, 99
photographing
  cables and tags, 110
  scenes, 99
  screens, 102
Physical Disk Emulator (PDE) module, 636–641, 637–639
physical evidence, seizing, 99–101
physical location as first response issue, 91
Physical Location column, 273
Physical Sector column, 273
Physical Sector Number field, 296
Physical Size column, 273
picture data types, 384–385
Picture view, 288, 288
pipe symbols (|) in GREP, 366
platters, 4–5
plus signs (+) in GREP, 365
pointers for case files, 219
PolAdtEv key, 552
policies, audit, 549, 549
Portable Management tool, 181–182, 181, 186, 187, 191
ports
  keyboard, 12
  mouse, 12
  parallel, 13
  serial, 13
  USB, 8
pound signs (#) in GREP, 365–367
Power On Self-Test (POST), 14–15
power supplies, 3–4
PowerPoint viewer, 309
.ppt/.pptx extension, 591
Prepare option, 181, 182
preserving original digital evidence, 120
previewing
  FIM, 180
  hard drives, 162–163
  network acquisitions, 136
Previous Versions tab, 548, 548
primary evidence caches
  backing up, 220
  path setting, 251
primary IDEs, 6
print spooling, 537–543, 538–539, 541–542

Process box, 347, 347
Process Monitor, 605–608, 606
profiles, roaming, 514
program counters, 14
Properties dialog box
  network acquisitions, 141
  shortcuts, 504–505, 504–505
Protected column, 271
Protected File Analysis option, 347
Protection Complexity column, 271
.pst extension, 591, 594
Public folder, 516–517
"pulling the plug", 109

Q

Quad words, 331
querying hash libraries, 456, 456
question marks (?)
  GREP, 365, 367
  registry keys, 600
questions for first response, 92–93
Quick Reacquisition setting, 147–148
Quick View Plus view, 309
Quit option in LinEn, 174, 174
Quoted Printable data type, 384
Qwords, 331

R

radio frequency (RF) energy, 111–112
RAID (Redundant Array of Inexpensive Disks), 7, 257, 257
Rainbow Crack tool, 628
RAM (random access memory)
  boot process, 14
  description, 3
  imaging, 102–103, 103
  link files, 511
  slack, 71
  swap files for, 536
ranges in GREP, 365
Raptor imager, 169
.rar extension, 592
RAW mode for print jobs, 537–539, 538–539
Raw Search menu, 373, 374
Raw Search Selected menu, 355, 355
raw searches
  keyword, 354–355, 355, 373, 374
  overview, 352–353
raw text in bookmarks, 380, 381
Read Ahead hashes, 148
read-only, mounting file systems as, 168–169
Read only attribute in FAT, 50
read-only memory (ROM), 3
Real-Time Clock (RTC)
  boot process, 14
  description, 10
Recent Cases section, 242
Recent folder, 508, 515–516, 515
recorders at scenes, 99
recording scenes, 99
Records tab
  email, 614–615, 615
  Evidence Processor, 306, 306, 351
  Internet history, 529, 530
  Temporary Internet Files, 533, 533
Recover Folders option, 347
recovery
  artifacts, 534–535
  backups, 222–224, 224–225
  FAT files, 66–70
  partitions, 587–588
  volume shadow copies for, 544–549, 545–548
Rector, Roy, 669
recursive folders, 395, 404, 405
Recycle Bin, 310, 487–488
  bypass, 498–500, 499
  on desktop, 517
  file status in, 496–497, 497–498
  INFO2 file, 488–492, 489–493
  operation, 488
  ownership of files in, 493–494, 494
  restoring and deleting files in, 494–496, 495–496
  Windows Vista/7, 500–503, 500–503
Recycle Bin Properties dialog box, 498–499, 499
Redundant Array of Inexpensive Disks (RAID), 7, 257, 257
REG_ data types, 601
regedit command, 596
regedt32.exe command, 596
registered local-host files, 531

registry
  application binding, 437
  Evidence Processor, 340–345, 341–344
  filters, 606, 606, 611–613, 611–613
  history, 595–596
  mounting and viewing, 601–602, 603
  organization and terminology, 596–601, 597, 599–600
  Recycle Bin, 499, 499
  research techniques, 605–608, 606–608
  in restore points, 604–605
  scripts, 608–611, 609–611
  time zone offsets, 481–483
  warnings, 595
Remote Desktop, 607–608, 607–608
Remote tab, 607, 607
Remove User Defined Partitions option, 579
renaming evidence files, 227
reparse points, 513
Replace Source Drive option, 144, 160
Report - Save As dialog box, 669, 670
Report tab and view, 289, 303
  evidence file verification, 208, 209, 212
  FastBloc, 161
  file signature analysis, 446
  Home screen, 247
  notable file bookmarks, 389, 389
Report Templates tab, 400–402, 402, 407, 410, 410
reports
  bookmarks, 393, 395, 397–414, 397–403, 405–413
  hashes, 216, 217
  network acquisitions, 149, 149
  paperless. See paperless reports
Reports tab, 398
reserved area in FAT, 36–43, 36–38
resident data in NTFS, 74
resolution of Timeline view, 278, 279
Restore dialog box, 633, 634
Restore Backup dialog box, 225, 225
restore points
  backups, 222, 223
  registry hive files in, 604–605
restoring
  backups, 222–224, 224–225
  evidence, 633–636, 634–636
  Recycle Bin files, 494–496, 495–496
Results tab and view
  file signature analysis, 447, 448
  queries, 424, 425
  registry filters, 612
reverifying evidence files, 212
RF (radio frequency) energy, 111–112
right-click menus, 262, 264, 264
right nibbles in binary numbers, 330–331, 332–333
Rivest, Shamir, and Adleman (RSA) algorithm, 147
roaming profiles, 514
Rock Ridge extension, 78
ROM (read-only memory), 3
root directory
  FAT, 46–48, 47–48
  NTFS, 75
root user folders, 512, 512–513
ROT-13 data type, 384
RSA (Rivest, Shamir, and Adleman) algorithm, 147
RTC (Real-Time Clock)
  boot process, 14
  description, 10
RTC/NVRAM memory, 11
Run Filter On All Evidence In Case option, 464
runlevels, Linux boot, 171
.rzip extension, 592

S

SAFE (Secure Authentication for EnCase), 105, 178–180, 179
safety as first response issue, 91
SAM (Security Accounts Manager) registry file, 493
  password hashes in, 627–629
  repair folder, 602
  restore point filename, 605
SAS (Serial Attached SCSI) drives, 6–7
SATA (Serial Advanced Technology Attachment) controllers, 6
Save As Template dialog box, 250, 250, 411, 412
Save Results option, 377
saving
  bookmark reports, 398, 399
  cases, 253–254
  searches, 377, 421, 422
  templates, 250, 250, 411, 412

Scan EFS module, 623–624
scenes
  recording and photographing, 99
  securing, 98–99
scert files, 230
scheduled backups, 226
screens, photographing, 102
scripts. See EnScripts
SCSI (Small Computer Systems Interface)
  description, 6
  drive-to-drive DOS acquisition, 134
  drivers, 140
seals
  agency, 674
  integrity, 202
search-and-seizure specialists, 99
search authority as first response issue, 97–98
Search category on Home screen, 242
Search dialog box, 374
Search Entry Slack option, 375
Search Expression box, 356, 359
Search Expression tab, 358–360, 358
Search Hit color, 314
Search tab, 376, 376, 416, 417
search warrants, 98
searches and searching, 352–353
  exercise, 414–415
  hits viewing, 376–377, 376
  indexed, 415–421, 416–422
  keywords for. See keywords
  network acquisitions, 144
  vs. raw searches, 352–353
  starting, 373–375, 374
  tags, 423–425, 423–425
secondary evidence caches
  backing up, 220
  path setting, 251
secondary IDEs, 6
Sector Offset field, 296
sector slack, 71
sectors
  description, 4–5
  Disk view, 280, 282, 282
  evidence acquisition, 131–132
  evidence files, 203
  FAT files, 35, 60, 61
Secure Authentication for EnCase (SAFE), 105, 178–180, 179
$Secure file, 75
Secure Storage view, 625, 625, 627
securing scene, 98–99
Security Accounts Manager (SAM) registry file, 493
  password hashes in, 627–629
  repair folder, 602
  restore point filename, 605
security.evtx file, 554
SECURITY file, 605
security ID (SID) numbers
  bookmarks, 386
  Permissions view, 291, 292
  Recycle Bin files, 493, 494
seizing computer evidence, 99
  computer shutdown procedures, 106–110, 109
  physical evidence, 99–101
  volatile digital evidence, 102–105, 103–104
Select key, 602, 603
Select Partition Finder option, 580
Select Place In Document dialog box, 676, 677
selected items in bookmarking, 389–390, 390
Send To folder, 518
Serial Advanced Technology Attachment (SATA) controllers, 6
Serial Attached SCSI (SAS) drives, 6–7
serial numbers
  bar code scanners for, 97
  Info tab, 638, 639
  link files, 507, 508
serial ports, 13
Server option in LinEn, 174, 174
servers, hidden, 111
servlets
  Enterprise, 178
  FIM, 180
Set Included Folders trigger, 259–261, 260, 361, 362
sets, hash, 449–460, 450–461
Setup routine, 126–127
SHA-1 hashes, 202
  collisions, 449
  copied evidence, 233
  creating, 458, 458
  description, 202
  disks and volumes, 215–216
  evidence files, 203–205
  Table view, 272
  verification, 207–211

shadow (SHD) files, 538–540, 538–539
Shared Files tab, 229–230, 229
SHELL statements, 17
Short Name column, 274
shortcut files, Internet, 520
Shortcut tab, 504, 504
shortcuts. See link files
Show Columns option, 269, 269
Show False indicator, 157, 310–312, 311–312
Show Folders option, 405
Show True indicator, 157, 310–312, 311–312
shutdown procedures, 106–110, 109
SID data type, 386
SID key, 602
SID (security ID) numbers
  bookmarks, 386
  Permissions view, 291, 292
  Recycle Bin files, 493, 494
Signature Analysis column, 271
signatures
  analyzing. See file signature analysis
  FAT boot sector, 38
  for reports, 674
single item bookmarks, 387–389, 388
64-bit date and time stamps, 476–481, 477–481
size
  blocks
    evidence files, 203
    LinEn, 175
    in network acquisitions, 145–147
  case backup, 220
  link files, 507
Sizing indicator for panes, 300, 301
Skip contents for known files or Search Only Slack Area of Files in Hash Library option, 375
slack space, 70–71, 71
slave devices, 6
Small Computer Systems Interface (SCSI)
  description, 6
  drive-to-drive DOS acquisition, 134
  drivers, 140
Snapshot feature, 102, 177
Snapshot folder, 604
sneaker net, 150
Social Security numbers, GREP expressions for, 366–368
SOFTWARE file, 605
solid state drives (SSDs), 5–6
sorting columns, 267–268, 267–269
sound cards, 10
span acquisitions over drives, 206
Specify Backup Location option, 222
Specify Case File option, 222
.spl files, 538
Split Mode menu, 261, 261
spool files, 538, 538
spooling, print, 537–543, 538–539, 541–542
square brackets ([]) in GREP, 365, 367
SSDs (solid state drives), 5–6
StandardBias key, 483
StandardName key, 483
StandardStart key, 483
Start and Stop Sectors setting, 145, 148
Starting Extent column, 273
status, Recycle Bin files, 496–497, 497–498
status bytes in FAT files, 65
Status menu in EnCase Portable, 184, 185
status reports in EnCase Portable, 186, 187
.stf extension, 592
Storage tab, 181, 182
Stream Extension Record, 82
styles, text, 299, 300
SubSeven tool, 449
super secret menus, 264, 625, 626
supplemental information in drive-to-drive DOS acquisition, 132–135
suspect information gathering, 92
swap files, 3, 511, 516, 535–536, 537
sweeping bookmarks, 378, 379
symbolic links
  NTFS, 75
  reparse points, 513
  Table pane, 274
  Tree pane, 258
symbols in GREP, 364–366
SYSINIT routine, 17
system administrators in first response, 92
system bus in boot process, 14
system clock in boot process, 14
SYSTEM.DAT file, 591
system date and time in evidence acquisition, 131
system.evtx file, 554
SYSTEM file, 605
System file attribute in FAT, 50
system files in NTFS, 74–75

SYSTEM hive, 340–345, 341–344
System Info Parser module, 483
System Properties menu, 607–608, 607
System Protection tab, 544, 545
system restores, volume shadow copies for, 544–549, 545–548
Szczerba, Joseph, 150

T

tabbed viewing environment, 247
Table pane, 266, 303–305
  Disk view, 280–284, 281–283
  email, 616, 616
  FastBloc, 158–160, 159, 162
  file signature analysis, 446–447
  Gallery view, 275–277, 275–277
  Home screen, 246–247, 247
  indexed searches, 418
  Internet history, 529
  keywords
    managing, 361–362, 362
    searches, 354
  search hits, 377
  Table view, 266–274, 266–270
  time zone offsets, 484–485, 485
  Timeline view, 277–279, 278–280
Table tab
  evidence file verification, 210, 214
  Home screen, 242, 244
  partitions, 23, 577
Table view
  bookmarks, 391–397, 392–395
  overview, 266–274, 266–270
  Recycle Bin files, 493
  Split Mode menu, 261
Tableau acquisitions. See FastBloc/Tableau acquisitions
Tableau bridges, 132
tagging evidence, 110–112
tags
  hash sets, 458, 460
  photographing, 110
  in searches, 423–425, 423–425
  Table view, 267, 271
Tags folder, 252
.tar extension, 592
Target Disk Mode (TDM) feature
  FastBloc 2, 154
  Thunderbolt support, 9, 134
targets for link files, 504, 507–508
, 105
TDM (Target Disk Mode)
  FastBloc 2, 154
  Thunderbolt support, 9, 134
Temp folder, 252, 519, 519, 673
templates
  bookmarks, 398, 400–402, 401
  cases, 250, 250
  reports, 669
  saving, 250, 250, 411, 412
Temporary Internet Files folder, 521, 532–533, 533
terminology, importance of, 13
testing GREP expressions, 367–369, 367–369
text and text files
  bookmarks, 384
  characters, 336–339, 339
  FAT directory entries, 52, 56
  file signature analysis, 445, 447
  indexed searches, 415–421, 416–422
  indexing, 349, 349
  partitions, 23
  styles, 299, 300
text fragment bookmarks, 378
Text Styles feature, 52, 56
Text tab, 23
Text view
  FAT directory entries, 56
  Find feature in, 297
  overview, 284–287, 285–286
thumbnails, 276, 276
Thumbs.db file, 446, 591
Thunderbolt interface technology, 8–9, 134
tildes (~) in FAT file names, 50
time. See dates and times
TIME command, 17
Time Properties menu, 485, 485
time settings, 340
time stamps
  link files, 506–509, 507
  Recycle Bin files, 501–502, 502
  Timeline view, 278–279, 278
Time Zone tab, 476, 476
time zones, 475–476, 476
  offsets, 340, 481–487, 484–485
  settings, 342–345, 343–344

Timeline view
  search hits, 377
  working with, 277–279, 278–280
TimeZoneInformation key, 342, 482
TimeZoneKeyName key, 340, 342, 343
toolkits for first response, 94–96
tracks, 5
Traeble view
  reports, 402
  Split Mode menu, 261, 262
Transactional NTFS, 75
Transcript view, 290, 290
transporting computer evidence, 111
Tree pane, 303
  cases in, 249
  EnCase Decryption Suite, 623
  FastBloc, 158–160, 159, 162
  file signature analysis, 446
  hashes, 215
  Home screen, 246–247, 247
  indexed searches, 418
  keywords
    managing, 356, 361–363
    searches, 354
  navigation, 255–265, 255–265
  partitions, 577
  Recycle Bin files, 493
  time zone offsets, 484
Tree view
  bookmarks, 397
  email, 616, 616
  partitions, 586, 586
  Split Mode menu, 261–262, 263, 265
Tree-Table view, 261, 265
tripods for screen photographing, 102
Trojan Defense, 102
true condition, 310–312, 311–312
types of partitions, 26

U

UAC (User Account Control), 522–523
UDF (Universal Disk Format), 78
UIPI (User Interface Privilege Isolation), 522–523
unallocated clusters, 45
Undelete Entries Before Searching option, 375
undeleting FAT files, 66–70
undocking View pane, 300, 301
Unicode code
  big-endian option, 359
  bookmarks, 384
  characters, 338–339, 339
  GREP, 366
  keywords, 357, 357
  searches, 359
Uniform Resource Locators (URLs), 369, 372
Universal Disk Format (UDF), 78
universal serial bus (USB)
  controllers, 8
  ports, 8
Universal Time, 475
Unix
  shutdown procedures, 108
  time stamps, 476–477
unlocking columns, 266, 266
$UpCase file, 75
Update Existing Boot Floppy option, 122–123
updating Linux boot CDs, 169–171, 170–171
uppercase letters, 338
UPS tracking numbers, 371–372, 373
URL files, 520, 520
URLs (Uniform Resource Locators), 369, 372
U.S. Postal Service Express Mail tracking numbers, 372
USB (universal serial bus)
  controllers, 8
  ports, 8
USB - Acquisition (no drive letter assigned) option, 139
USB - Destination (drive letter assigned) option, 139
Use Current Case option, 222
Use Initialized Size option, 375
Use Single DST Offset option, 486
User Account Control (UAC), 522–523
USER.DAT file, 591
user data, configuring, 227–228, 228
User Interface Privilege Isolation (UIPI), 522–523
User List menu, 625, 627, 627
UserPasswordHint key, 629
UTF-7 option, 360
UTF-8 option, 359
UUE Encoded data type, 384
uuencoding method, 619
UUID data type, 386

V

values, registry, 596, 600–601, 600
VBM (volume bit map), 25
VBRs. See volume boot records (VBRs)
Verification Hash value, 149, 149
verification of evidence files, 207–215, 208–209, 211–212
Verify Acquisition option, 184
Verify Evidence Files option, 215
Verify File Integrity option, 210, 211, 214, 217
Verify Wiped Sectors option, 634
versions of network boot disks, 137–138
VESA Local Bus (VL-Bus) expansion slots, 9
VFS (Virtual File System)
  overview, 629–632, 629, 631–632
  Table view, 274
  Windows Logical Disk Manager support, 640–641
video cards, 10
video components in boot process, 14
View File Structure feature
  email, 615
  Evidence Processor, 340, 341
  mounting files, 588, 589
View menu and tab
  evidence file verification, 214
  file types database, 438, 439
  hashes, 215
  Home screen, 244
  log record bookmarks, 390–392, 391–392
View pane, 284, 284
  conditions and filters, 298, 298
  Decode view, 292, 293
  Dixon box, 294–295
  Doc view, 289, 289
  EnScript, 299, 299
  Field view, 294
  File Extents view, 291, 291
  Find feature, 297, 297
  global views and settings, 306–309, 306–310
  Hex view, 287, 287
  Home screen, 246–247, 247
  indexed searches, 418
  lock view, 294
  navigation data, 295–296, 295
  navigation exercise, 302–305
  pane adjustments, 300, 301
  Permissions view, 291, 292
  Picture view, 288, 288
  Report view, 289
  text styles, 299, 300
  Text view, 284–287, 285–286
  Transcript view, 290, 290
viewers.ini file, 228
Viewing Entry tab, 245, 246
Virtual File System (VFS)
  overview, 629–632, 629, 631–632
  Table view, 274
  Windows Logical Disk Manager support, 640–641
VirtualStore, 602, 603
VL-Bus (VESA Local Bus) expansion slots, 9
volatile digital evidence, 102–105, 103–104
volatility of RAM, 3
volume bit map (VBM), 25
volume boot records (VBRs)
  backup, 585, 585–586
  boot process, 15–17, 16, 19
  exFAT, 79–81, 80
  FAT, 38
  NTFS, 74, 574–576, 575, 577
$Volume file, 75
Volume label attribute in FAT, 50
volume media type in FAT, 44, 44
Volume Shadow Service (VSS), 544–549, 545–548, 604
volumes
  encrypted, 103–104
  hashing, 215–217, 216–217
  link files, 507
  vs. partitions, 20
Voom Shadow tool, 547
VSS (Volume Shadow Service), 544–549, 545–548, 604
vssadmin command, 545–547, 545–546

W

web page titles, GREP expression for, 372
Webmail
  address searches, 369
  searching for, 375
width of columns, 270, 270
wildcards in GREP, 365

Wilson, Craig, 525
WinAcq tool, 105
Windows BitLocker, 103–104
Windows Boot Manager, 19
Windows Device Manager, 156
Windows Event log parser, 555–557, 556–557
Windows Logical Disk Manager, 637, 637
Windows operating system
  artifacts. See Windows operating system artifacts
  bookmark data types, 386
  shutdown procedures, 107–108
  Windows 7
    event logs, 554–555, 554–555
    Recycle Bin, 500–503, 500–503
    boot process, 17–18
  Windows NT boot process, 17–18
  Windows Vista
    event logs, 554–555, 554–555
    Low folders, 521–523, 521
    Recycle Bin, 500–503, 500–503
  Windows XP boot process, 17–18
Windows operating system artifacts, 474
  dates and times, 475
    time stamps, 476–481, 477–481
    time zone offsets, 481–487, 484–485
    time zones, 475–476, 476
  event logs. See event logs
  exam essentials, 564–565
  folders, 511–515, 512, 514
    Cookies, 523–525, 524–525
    Desktop, 516–518, 517
    Documents, 518
    Favorites, 520–521, 520
    History, 526–531, 527, 529–531
    Low, 521–523, 521
    Recent, 515–516, 515
    Send To, 518
    Temp, 519, 519
    Temporary Internet Files, 532–533, 533
  hibernation files, 536, 537
  legacy operating systems, 543–544
  link files, 504
    importance, 505–508, 506–508
    parser, 509–511, 510
    Recent folder, 516
    shortcut properties, 504–505, 504–505
  print spooling, 537–543, 538–539, 541–542
  recovering, 534–535
  Recycle Bin. See Recycle Bin
  review questions, 566–569
  summary, 559–563
  swap files, 535–536
  volume shadow copies, 544–549, 545–548
WinEn tool, 102, 103
WINLOAD.EXE file, 20
Wipe Remaining Sectors On Target option, 634
wiped hard drives, 76–77
words (data), 330–331
write-blocking devices
  FastBloc, 157
  FastBloc SE, 167, 167
  forensic bridges, 153, 153
write-protecting devices, 167

X

x symbol in GREP, 365
.xls/.xlsx extension, 591
xxencoding method, 619

Y

Yast (Yet Another System Tool), 168

Z

Zip disks, 189
.zip extension, 591
Zoned-Bit Recording (ZBR), 5
Zulu Time, 475