
EnCase Forensics


Please use only EnCase to answer the questions and include screenshots when available. All questions are worth 3 points unless otherwise indicated. Image: Durden

  1. Please Create a New Case:

Case Name: Exercise 3

Enter your Name as the Examiner

  1. What is the Acquisition and Verification Hash for this Image?

Acquisition Hash – 9a3e82dcd48d01be7d40502c508509c9

Verification Hash – 9a3e82dcd48d01be7d40502c508509c9

  2. Explain the difference between the E01 and the Ex01 format.

The EX01 format replaced the E01 format with the release of EnCase 7. This new format of EX01 contains high levels of security, such as AES256 encryption with passwords or keypairs, an option for MD5 or SHA-1 hashing, and LZ compression.

  3. Using the directory structure, please tell me the possible OS systems this device could be. You could include what it is NOT. Take screenshots and describe why.

Since my laptop uses the NTFS file system, the most commonly used system in the modern generation, its operating system is Windows 7. The Master File Table forms the largest segment of the NTFS file system. The MFT lists all files together with their attributes and security parameters.

  4. What does MBR stand for, and where is it located?

MBR stands for Master Boot Record and is located on the first sector of the hard disk; hence it is created along with the first partition on the drive.

  5. How many Partition Entries are there in this Image?

7 Partition Entries

  6. (4pts) Decode/analyze each partition table found. (Starting Cluster, total Number of clusters, File System, and if it is an active partition.)

Starting Cluster – 2,048

Total Number of Clusters – 27,256,832

File System – NTFS

Partition – is active because it is valid.
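For readers who want to check the partition-table values EnCase displays against the raw bytes, the following is an added example (not part of the original assignment or of EnCase) that decodes the four 16-byte entries of a classic MBR: status byte (0x80 = active), type byte, starting LBA and sector count. The sample MBR is constructed here; note that the MBR itself records values in sectors (LBA), so the 2,048 and 27,256,832 figures are used as sector values in the constructed input.

```python
import struct

SECTOR = 512
# Partition type codes a Windows image commonly carries (small lookup, not exhaustive)
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux", 0x00: "Empty"}

def parse_mbr(mbr: bytes) -> list:
    """Decode the partition table at offset 446 of a 512-byte MBR.

    Entry layout (little-endian): status(1) CHS start(3) type(1) CHS end(3)
    LBA start(4) sector count(4).  Raises if the 0x55AA signature is missing."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) at offset 510")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:            # empty slot
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": PART_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start_sector": lba_start,
            "total_sectors": n_sectors,
            "size_bytes": n_sectors * SECTOR,
        })
    return parts

def make_sample_mbr(entries) -> bytes:
    """Constructed MBR for this example; entries are (status, type, lba_start, sectors)."""
    mbr = bytearray(SECTOR)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i, status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

# Constructed sample: an active NTFS partition at sector 2048 and a second NTFS partition
SAMPLE_MBR = make_sample_mbr([
    (0x80, 0x07, 2048, 204800),
    (0x00, 0x07, 206848, 27256832),
])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
```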

  7. What is the name of each volume?

Name, Tag, and File Ext.

  8. Describe the difference between the Home Plate/Set Include button and the Dixon box.
  9. Find a file that is resident. Describe what it is and why the file you picked is resident.

EnCase v22.3. The EnCase v22.3 file is used by digital forensic investigators to realize the advantage of AFF4 functionality. This file that I picked is an example of a resident file because it is the primary copy stored on the disk, irrespective of whether the computer is online.

  10. What is the size of entries in the MFT? Please create a Text style for this Length and name it MFT.

The size of entries in the MFT is often 1024 bytes.

MFT file size

  11. (5pts) Choose three files and then find them within the MFT. What will the offset of the files be within the MFT?

The three files I found were flags, link count, and signature, as illustrated in the Image in question 11 above. The flag files are represented by 01 00, the link count files are represented by 01 00, and the signature file is represented by 46 49 4c 45. Therefore, the attribute offset of the files within MFT would be represented by 38 00.
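Questions 9 to 11 all come down to reading the 1024-byte MFT record header and its attribute headers. The following is an added example (not part of the original assignment or of EnCase) that parses one record: the `FILE` signature (46 49 4c 45) at offset 0, the hard-link count at 0x12, the first-attribute offset at 0x14 (0x38, i.e. `38 00` little-endian, on NTFS 3.x), the flags at 0x16, and then each attribute's non-resident flag at offset 8 of the attribute header, which is what decides whether the file's data is resident. The record is constructed inline.

```python
import struct

MFT_RECORD_SIZE = 1024          # entry size asked about in question 10
FILE_SIG = b"FILE"              # 46 49 4c 45 at offset 0 of every in-use record
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def parse_mft_record(rec: bytes) -> dict:
    """Decode the header of one MFT record and walk its attribute headers.

    Header offsets (NTFS 3.x): signature @0x00, hard-link count @0x12,
    first-attribute offset @0x14, flags @0x16 (bit0 = in use, bit1 = directory).
    Attribute header: type @0, length @4, non-resident flag @8 (0 = resident)."""
    if len(rec) != MFT_RECORD_SIZE or rec[:4] != FILE_SIG:
        raise ValueError("not a FILE record")
    link_count, attr_off, flags = struct.unpack_from("<HHH", rec, 0x12)
    attrs = []
    off = attr_off
    while off + 8 <= MFT_RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:     # end-of-attributes marker
            break
        attrs.append({"offset": off, "type": ATTR_NAMES.get(atype, hex(atype)),
                      "resident": rec[off + 8] == 0})
        off += alen
    return {"link_count": link_count, "first_attr_offset": attr_off,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "attributes": attrs}

def make_sample_record() -> bytes:
    """Constructed 1 KiB record: in-use file, 1 link, attributes starting at 0x38,
    a resident $STANDARD_INFORMATION (0x60 bytes) and a resident $DATA (0x40 bytes)."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:4] = FILE_SIG
    struct.pack_into("<HHH", rec, 0x12, 1, 0x38, 0x01)   # link count, attr offset, flags
    off = 0x38
    for atype, alen in ((0x10, 0x60), (0x80, 0x40)):
        struct.pack_into("<II", rec, off, atype, alen)   # byte off+8 stays 0 => resident
        off += alen
    struct.pack_into("<I", rec, off, 0xFFFFFFFF)         # end marker
    return bytes(rec)

SAMPLE_RECORD = make_sample_record()

if __name__ == "__main__":
    print(parse_mft_record(SAMPLE_RECORD))
```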

  12. (5pts) Create a Logical (L01) collection for the user Administrator, including the Registry Files. (SAM, System, Security, System, Ntuser)

  13. Describe the difference between disk slack and file slack.

RAM slack refers to the slack between the end of the logical file and the other sector parts. File slack is the remaining bit towards the end of the cluster. To further enhance understanding, RAM slack is the slack at the byte and sector level, while file slack is the sectors to the cluster level.

  14. Export a file listing of items. Create a Pivot table using Excel to tell me how many files each extension has on this drive. Provide a few screenshots of this.
