STATIC ACQUISITION TOOL

STATIC ACQUISITION REPORT- EnCase cyber forensics tool

STATIC ACQUISITION REPORT- EnCase cyber forensics tool

Encase is traditionally used in forensics to recover evidence from seized hard drives. Encase allows the investigator to conduct in depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information. The company also offers EnCase training and certification.

STEPS TO USE ENCASE CYBER FORENSICS TOOL…

STATIC ACQUISITION REPORT

Scope of work– Static memory acquisition from the suspect’s system, of Case number: PA76890 and offense: Breach of Computer Security

Abstract– There has been a breach of computer security in company AB, and during the investigation a suspect has been identified hence, we are collecting the evidence that is the static memory from the suspect’s system. We were able to get three type of pen drives with different file formats FAT32, exFAT, and NFTS. We have acquired the data of all the three pen drives with the different formats.

Acquisition details– Tools used during acquisition- EnCase tool, FTK imager has been used for the static memory extraction. This data Acquisition has been done from the pen drives owned by our suspect Mr. ABCD.

EVIDENCE CHAIN OF CUSTODY TRACKING

Description of Evidence
Item # Quantity Description of Item (Model, Serial #, Condition, Marks, Scratches)
1. 1 Static Memory Acquisition, disk image of pen drive with FAT 32 file format, SanDisk 4gb
2. 1 Static Memory Acquisition, disk image of pen drive with exFAT file format , SanDisk 4gb
3. 1 Static Memory Acquisition, disk image of pen drive with NTFS file format, SanDisk 4gb
Chain of Custody
Item # Date/Time Released                      by (Signature & ID#) Received                 by (Signature & ID#) Comments/Location
1. 9-02-2019, 17:35 Mr.       XYZ,            Manager, Company X ZY, Investigator _

Mode of operation

1.     Acquisiton of the FAT 32 File system (acquiring the data from the suspects pendrive have FAT 32 file format) Acquisition of the data from the hard drive/pd of the suspected system using the Software EnCase. EnCase Software should be installed in the investigators system

Fig1- Installation of the EnCase software, click next

Fig2: software scene after next

Open the EnCase software and then click New Case, enter the name and then click ok

Fig 3: new case screen

Fig4: entering the name

Then enabling the software based file blocker – FastBloc SE from the tools option

Fig 5: Enabling the FastBloc SE

SOFTWARE BASED write blocker using – attach suspect’s hard drive/pd after choosing the FastBlock SE . The attached drive will be shown with write block enabled

Fig 6: Write block enabled in the drive can be seen

Then go to Add Local Device, tick the options- Show write block, and Detect Legacy FastBloc

Fig 7: the default selected options

Fig 8: selecting the options which we want

Fig 9: device selected will be shown

Fig 10: Choose the device we want

Fig 11: add the evidence number, evidence name and notes

Select pd/source hard drive , and give evidence number, evidence name and notes Evidence will be added

Fig 12: Evidence will be added

Fig 13: figure of the files present in the pd

Figure 14: Folders can be seen including deleted folders Click on the evidence and right click and acquire

Fig 15: acquire screen

Fig 16: options of choosing acquire Fig 17: filling the options of acquire

Fig 18: adding the format for acquisition

Fig 19: options which we have selected

– add the name and location where the file will be stored, that is the disk image

-the disk image is getting acquired

-Down we can see the report- right click and save as and select the folder

-the report that has been saved

Now, we want to view the disk image, which we can view using FTK imager. With the FTK imager we will also get the hash of the files present which help us to verify the integrity of the files.

Fig 23: opening the FTK imager

Fig 24: choose the Add evidence item option

Fig 25: choose the option image file as we want to add an image file

Fig 26: choose the path of the disk image, finish

Fig 27: the files can be seen

Fig 28: right click on the root and choose export the file hash list

Fig 29: choose the folder where the hash list will be saved

Fig 30: the hash file which has been created

Contact Us
CRAW SECURITY
1st Floor, Plot no. 4, Lane no. 2,Kehar Singh Estate,Westend Marg,Behind Saket Metro Station, New Delhi – 110030
Call Us : 91-9650202445,91-9650677445
Mails Us : training@craw.in
Visit Us : www.crawsecurity.com | www.craw.in

 

现在我的胸部比没生孩子之前还要漂亮丰胸食物,就像怀孕时候那样饱满,对着老公再也没有自卑感了,一家三口好幸福丰胸方法,这都是用粉嫩公主酒酿蛋后的收获丰胸产品,真是太感谢这个粉嫩公主酒酿蛋了!添加WeChat获取免费一对一丰胸指导丰胸产品粉嫩公主