I have recently attended EnCase CFI and II Training Courses and was looking to further my understanding of some of the concepts - in particular what EnCase is actually doing when running certain automated processes such as
Partition Finder
Recover Folders
Recover Email
File Mounter
Hash and Sig Analysis
Case Initialiser
Can anyone shed some light on them or point me in the right direction as to where to look? I am not after anything tooooooo technical, just a basic rundown of what each process is looking for and/or does.
It's too easy to simply push buttons and get results - I am seeking to try and understand what is happening behind the scenes to further my knowledge and appreciation of the software used.
Any help appreciated!
Alty
In basic terms….
Partition finder, recover folders and recover email are all scripts that are looking for particular patterns in the data. For example, the recover email script will likely look for the standard format of email headers etc. I am uncertain of the course content now, but certainly when I did the Intermediate it did discuss standard attributes to manually look for to potentially recover deleted partitions and folders; the partition finder and recover folders scripts do this for you.
File Mounter will behave differently depending on the files you are mounting. So if you are trying to mount all of the zip files in your case then running this script will initialise Encase to find all of the zip files and open them placing the files inside them into your case.
Hash and Sig Analysis – Hash will go through all of the files on the computer and create their MD4 hash value which can be used to uniquely identify the file.
Sig analysis checks that the file extension matches the header information of the file. For example, the header of a JPG file will start with JFIF, so if such a file has a “gif” extension then it will be flagged as having a signature mismatch.
Case Initialiser – this script goes through some of the registry files and extracts information relating to the current settings of the operating system.
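A worked illustration of the hash and signature analysis described in the reply above, written for this thread and not taken from EnCase or any Guidance script. The signature table, the verdict strings and the sample "files" are this example's own constructed assumptions; a real tool ships a far larger table. It checks the magic bytes at the start of each file against the type its extension claims, and hashes the content so identical data is recognised whatever it is named:

```python
import hashlib

# Constructed signature table: extension -> magic bytes expected at offset 0.
# Assumption: a small hand-written subset, not any tool's real table.
SIGNATURES = {
    "jpg":  [b"\xFF\xD8\xFF"],          # JPEG SOI marker; "JFIF" or "Exif" follows at offset 6
    "jpeg": [b"\xFF\xD8\xFF"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "zip":  [b"PK\x03\x04"],
}


def header_types(data: bytes) -> set:
    """Extensions whose magic bytes match the start of the data."""
    return {ext for ext, magics in SIGNATURES.items()
            if any(data.startswith(m) for m in magics)}


def sig_analysis(name: str, data: bytes) -> str:
    """Compare a file's extension with its header. The verdict strings are
    this example's own categories, not a tool's."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    found = header_types(data)
    if ext in SIGNATURES and ext in found:
        return "match"
    if ext in SIGNATURES and found:      # header is a known type, just not the claimed one
        return "mismatch: header says " + "/".join(sorted(found))
    if ext in SIGNATURES:                # extension claims a type, header is not in the table
        return "mismatch: header unrecognised"
    if found:                            # extension unknown, header is known
        return "unknown extension: header says " + "/".join(sorted(found))
    return "unknown"


def file_hash(data: bytes) -> str:
    """MD5 digest of the content, the value a hash analysis step keys on."""
    return hashlib.md5(data).hexdigest()


# Constructed sample "files" (name -> bytes); not real evidence.
SAMPLE_FILES = {
    "photo.jpg":   b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8,
    "picture.gif": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8,  # JPEG bytes, .gif name
    "archive.dat": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 8,
    "notes.txt":   b"just some text\n",
}


def analyse(files=SAMPLE_FILES) -> dict:
    """Hash and signature-check every file; returns name -> (md5, verdict)."""
    return {name: (file_hash(data), sig_analysis(name, data))
            for name, data in files.items()}


if __name__ == "__main__":
    for name, (digest, verdict) in analyse().items():
        print(f"{name:12} {digest} {verdict}")
```

Note that photo.jpg and picture.gif carry identical bytes: the signature check flags the renamed one as a mismatch, and the two hash values are identical, which is exactly why the hash rather than the name is what identifies a file.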
You took the class but they didn't tell you what these things were doing? I've taken several classes through Guidance and they always have you do the behind the scenes work instead of just pushing the button so you know how it works.
I'm confused…. 😯
I have to say I'm shocked as well. Every class I've attended had us doing things manually before mashing the script buttons. I've attended almost all of them.