Tag Archives: EnCase

Volume Shadow Copy

Volume Shadow Copy Part 3

What we found in the Volume Shadow Copy for Windows 7: After creating a raw image of the Volume Shadow Copy, we were able to view it in both FTK and EnCase. We most often used EnCase to examine the raw image file and received positive results. We cross referenced the log of what was […]


Treasure Hunting with FTK, EnCase, and SQLite Databases

The last tools we used to examine PirateBrowser, Mozilla 23, and Firefox Portable were EnCase and FTK. SQLite databases containing lists of the websites visited, as well as the downloads saved by our team, were found on each image. We used a PDF from the SANS blog to assist us in finding the locations of […]
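The browser history the excerpt refers to lives in Firefox's places.sqlite, where moz_historyvisits records each visit and moz_places holds the URL and title. The following is an added example, not code from the LCDI post: it builds a constructed in-memory stand-in for that database (the two tables, a handful of made-up rows) and runs the join an examiner would run against a real copy, converting Firefox's PRTime values (microseconds since the Unix epoch) into readable UTC timestamps and decoding the visit_type column. Only the columns used here are modelled; a real places.sqlite has many more.

```python
import sqlite3
from datetime import datetime, timezone

# Firefox visit_type values (nsINavHistoryService TRANSITION_* constants).
VISIT_TYPES = {
    1: "LINK", 2: "TYPED", 3: "BOOKMARK", 4: "EMBED",
    5: "REDIRECT_PERMANENT", 6: "REDIRECT_TEMPORARY", 7: "DOWNLOAD", 8: "FRAMED_LINK",
}


def prtime_to_utc(us):
    """Firefox stores PRTime: microseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).replace(
        microsecond=us % 1_000_000)


def build_sample_places_db():
    """Constructed stand-in for places.sqlite (sample data, not from a real image)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER DEFAULT 0, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    # 1375318800 = 2013-08-01 01:00:00 UTC; values are PRTime (microseconds).
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 2, 1375319100_000000),
        (2, "https://example.com/files/setup.exe", "setup.exe", 1, 1375319160_000000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, 1375318800_000000, 2),   # typed into the address bar
        (2, 1, 1, 1375319100_000000, 1),   # followed a link back to the same page
        (3, 2, 2, 1375319160_000000, 7),   # download of setup.exe, chained from visit 2
    ])
    return conn


def history(conn):
    """Visits in chronological order: (utc timestamp, url, title, visit type, from_visit)."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, v.from_visit
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [
        (prtime_to_utc(visit_date).strftime("%Y-%m-%d %H:%M:%S UTC"), url, title,
         VISIT_TYPES.get(visit_type, f"UNKNOWN({visit_type})"), from_visit)
        for visit_date, url, title, visit_type, from_visit in rows
    ]


if __name__ == "__main__":
    for entry in history(build_sample_places_db()):
        print(*entry, sep=" | ")
```

Against a real image, replace `sqlite3.connect(":memory:")` with a read-only URI such as `sqlite3.connect("file:places.sqlite?mode=ro", uri=True)` on a copy exported from the evidence, never on the original, and expect the database to be locked or accompanied by a write-ahead log if the browser was running at acquisition time.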


Investigating with the EnCase App

In digital investigations, EnCase is the go-to tool. As Brian Carrier says in his book File System Forensic Analysis, "there are no official numbers on the topic, but it is generally accepted that EnCase is the most widely used computer investigation software." [Carrier, Brian. File System Forensic Analysis. Upper Saddle River, NJ: Addison-Wesley, 2011. Print.] Its acceptance as a valid tool for digital investigations contributes to its popularity. EnCase is a great tool that recently became even more powerful.

Painting a Timeline with EnCase

It has been busy at the LCDI, and we have been focusing on the timeline feature in EnCase and Forensic Toolkit (FTK). Since we have already looked into Log2Timeline, it is hard to compare these general-purpose tools, which are not as focused on timeline creation, against a task-specific open source tool. With that said, here are our findings on the timeline capabilities of EnCase and FTK.

Closer Look at Log2Timeline

Log2Timeline is an open source tool developed by Kristinn Gudjonsson, focused on creating timelines for digital forensic examination. Because it runs cross-platform, it has become increasingly popular and is bundled with open source forensic tools. The forensic distributions SIFT and TAPEWORM come with log2timeline preinstalled and set as primary tools on their systems. SIFT ships a branched version of Log2Timeline that automates the creation of a supertimeline from the command line, while TAPEWORM uses log2timeline but places a custom graphical interface over it that simplifies the command for the end user. In addition to Linux distributions, Log2Timeline also runs on Microsoft Windows via the command line.
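What the "supertimeline" step in the two timeline posts above amounts to is merging the per-artifact timelines (file system, browser history, logs) into one list ordered by normalized time. As an added example, not code from the LCDI posts or from Log2Timeline itself, the script below does that on two constructed l2tcsv fragments: it parses the date, time and timezone columns into UTC, sorts across sources, expands the MACB flags, and pulls out the events within a few minutes of a chosen timestamp, which is the usual way to pivot from one suspicious artifact to everything that happened around it. The column layout is log2timeline's l2tcsv format; the host, paths, times and the fixed timezone-offset table are assumptions made for the sample.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Column order of log2timeline's l2tcsv output.
L2TCSV_FIELDS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
                 "user", "host", "short", "desc", "version", "filename", "inode",
                 "notes", "format", "extra"]

# Assumption for the sample: fixed offsets for the zone labels used below.
# Real timelines should be generated in UTC (log2timeline -z) so this step is unnecessary.
ZONE_OFFSETS_HOURS = {"UTC": 0, "EDT": -4, "EST": -5}

# Constructed sample: two small timelines, as separate log2timeline runs over the
# NTFS $MFT and Firefox places.sqlite would produce them. Hostname, paths and
# times are made up for the example.
FS_CSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
08/01/2013,01:06:02,UTC,MACB,FILE,NTFS $MFT,Created,-,WIN7-LAB,C:/Users/lab/Downloads/setup.exe,setup.exe created,2,C:/Users/lab/Downloads/setup.exe,4711,-,mft,-
08/01/2013,01:07:30,UTC,M.C.,FILE,NTFS $MFT,Modified,-,WIN7-LAB,C:/Users/lab/Downloads/setup.exe,setup.exe modified,2,C:/Users/lab/Downloads/setup.exe,4711,-,mft,-
08/01/2013,04:00:00,UTC,...B,FILE,NTFS $MFT,Created,-,WIN7-LAB,C:/Windows/Temp/x.tmp,unrelated temp file,2,C:/Windows/Temp/x.tmp,9001,-,mft,-
"""

BROWSER_CSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
07/31/2013,21:05:00,EDT,.A..,WEBHIST,Firefox History,Last Visited,lab,WIN7-LAB,https://example.com/files/setup.exe,URL visited (TYPED),2,places.sqlite,-,-,firefox,-
"""


def parse_timestamp(row):
    """Combine the date, time and timezone columns into an aware UTC datetime."""
    naive = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
    offset = timedelta(hours=ZONE_OFFSETS_HOURS[row["timezone"]])
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def parse_l2tcsv(text):
    """Read one l2tcsv file into dicts, attaching a normalized 'ts' to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = parse_timestamp(row)
    return rows


def build_supertimeline(*csv_texts):
    """Merge several per-artifact timelines into one list ordered by UTC time."""
    rows = [row for text in csv_texts for row in parse_l2tcsv(text)]
    rows.sort(key=lambda r: (r["ts"], r["source"]))
    return rows


def macb_names(flags):
    """Expand a MACB column such as 'M.C.' into the timestamp kinds it marks."""
    names = {"M": "modified", "A": "accessed", "C": "metadata changed", "B": "created"}
    return [names[c] for c in flags if c in names]


def events_near(rows, when_utc_iso, minutes):
    """Rows whose timestamp lies within +/- minutes of the given UTC time."""
    center = datetime.fromisoformat(when_utc_iso).replace(tzinfo=timezone.utc)
    window = timedelta(minutes=minutes)
    return [r for r in rows if abs(r["ts"] - center) <= window]


def render(rows):
    return [f"{r['ts'].isoformat()} {r['source']:8} {r['MACB']} {r['desc']}" for r in rows]


if __name__ == "__main__":
    timeline = build_supertimeline(FS_CSV, BROWSER_CSV)
    for line in render(events_near(timeline, "2013-08-01T01:06:00", 5)):
        print(line)
```

The payoff is in the merged view: the browser row (logged in local time) lands one minute before the $MFT creation record for setup.exe once both are normalized to UTC, which is exactly the correlation that is invisible when the two artifacts are examined in separate tools.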