You are currently browsing the archives for the EnCase category.
| M | T | W | T | F | S | S |
|---|---|---|---|---|---|---|
| « Dec | ||||||
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | ||||
- 27. December 2011: Working with WinFE
- 27. December 2011: Editing Existing WinFE
- 20. December 2011: Creating WinFE Boot Disc
- 6. December 2011: Bitlocker Decryption with Known Key without Admin Privileges
- 1. July 2011: Dual Boot Windows 7 (encrypted) with Ubuntu 11.04 (encrypted)
- 3. May 2011: EnCase7 Quick Look
- 30. March 2011: Volatile Memory and Logs
- 11. November 2010: Is your anti-virus completely cleaning?
Archive for the EnCase Category
EnCase7 Quick Look
3. May 2011 by Ric.
Thought I would walk through EnCase v7 Preview Version as others might wish to see the new interface. After extracting the compressed file the following files were available.
Installing the software hasn’t changed much from v6. Couple additional directories and the removal of Backup. Backup is now located within the Case area.
The introduction front end has changed.
Selecting New Case shows additional options within Case Options. The Case Info area populates additional information within the Report. The three options None, Basic, and Forensic vary in content amount.
Basic input options.
Forensic input options are extensively more.
Creating a Case front end.
Adding Evidence button can be used via the menu bar or front end. The additional options of Add Local Device… etc are not in operation within the Preview Version.
Adding evidence is relatively the same as v6. The v7 Preview Version came with an evidence file and cert. The cert works per specific dongle.
The Case area directory structure has changed and we can see the Backup moved.
After evidence is add the following screen should appear and verify the evidence.
After verified, hashs match within the Fields view. Also notice Processing Status shows unprocessed.
It becomes necessary to process the evidence to recover folders, process compressed files, etc. The Process Evidence button is located under the Add Evidence area tab. Appears to take over for the once known Search tab.
After evidence is processed the status will change.
Viewing the evidence is conducted by clicking on the evidence under the name column or using the Viewing tab to switch to Entry.
Entry view goes back towards the traditional view of EnCase.
Noticed the right-click option have disappeared.
They have been moved to the side button area in the menu bar.
Gallery view hasn’t changed.
Viewing the registry and other compound files is still done via view file structure.
Registry view.
Bookmarking can be accomplished by using the Decode tab and selecting the appropriate view and a right-click.
Viewing email has changed with different views. After processing the evidence, switching to the Records tab allows the different email views.
After digging into the email .PST inbox you can follow email message conversations by using the Find Related tab.
Selecting Show Related Messages populates the conversations that match based on your first selection.
Report tab has also seem some changes and looks pretty good.
Take a look at the Preview Manual of additional information.
Also the Release Notes have some nice details if interested.
–Ric
Posted in EnCase | No Comments »