Gallery view - what's in it?

In EnCase's gallery view - what images is it actually showing you? And what images on a PC may still be on the PC but not shown in gallery view until you do "something"? Is gallery view showing any images from unallocated space? Or not?

Is it showing images in file containers like TrueCrypt, virtual machines, compressed archives like WinZip or not? Any other images that aren't the norm that gallery view will miss?

Also - in EnCase can you see a field, perhaps in the table view, of the user that created the file? I.e. saved it to the disk? Which field represents document owner in the various views in EnCase?
pma111 asked:
SirtenKen commented:
In encases gallery view - what images is it actually showing you?
I'm going to assume you have version 6. The answer might differ somewhat for 7, since there is some additional processing and indexing going on first.
Gallery view is showing you pictures based on extensions - jpg, gif, etc.


And what images on a PC may still be on the PC but not shown in gallery view until you do "something"?
If you perform a signature analysis, it will show you pictures that have had their extensions changed but are still a match for well-known digital signatures for pictures.

Is gallery view showing any images from unallocated space? Or not?
No, you'll have to find those by searching for the digital signatures themselves in unallocated space.
Is it showing images in file containers like TrueCrypt, virtual machines, compressed archives like WinZip or not?

It will show you pictures inside these containers if you've mounted the containers as compound file types from the right click menu.

Any other images that aren't the norm that gallery view will miss?
It will miss anything not listed in the menu under "View > File Signatures".
It also will miss images embedded inside PDFs and Word documents.

Also - in encase can you see a field perhaps in the table view of the user that created the file? I.e. saved it to the disc?
Yes, check the permissions tab when you have the file highlighted.

Which field represents document owner in the various views in encase?
The owner's SID will be listed in the permissions next to the row showing "owner" under the property column.

pma111 (author) commented:
Thanks so much!

re:

>>It will show you pictures inside these containers if you've mounted the containers as compound file types from the right click menu.

Can you provide a list of these compound file types? Can EnCase identify them in a search? I.e. just list all compound file types. What is a non-compound file type called? I.e. just a Word document sat in My Documents, for example?
pma111 (author) commented:
If someone tinkered with an extension - would EnCase gallery view be fooled?

For example, I change jpg to xls; will EnCase base its gallery view on digital signatures or file extensions? If it's digital signatures - I assume it would still show in gallery view? If not - I assume it wouldn't appear until it was changed back to jpg.

pma111 (author) commented:
Does OST/PST fall into the compound file category? If so, how could I see images within emails within those files in gallery view?

And what EnCase utility do you use to get images out of unallocated? Do you use the File Finder within Case Processor?
SirtenKen commented:
Supported compound files include:
DOC
DOCX
XLS
XLSX
GZIP
TAR
ZIP
RAR
PST
Windows Registry Files
There may be a few more, but these are the major ones.

If an extension was changed, it would not show in gallery view unless you check the box "verify file signatures" from the search menu, in which case EnCase would be able to identify them regardless of extension.

PSTs will not show in gallery view, but you can browse through them in the tree and select the report or transcript views for more information or a rendering of the message.

File finder is a good place to start in order to find the pictures in unallocated.
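The two mechanisms SirtenKen describes in this thread, signature analysis (matching a file's leading bytes against known picture signatures so that a renamed picture still surfaces once signatures are verified) and header/footer carving of pictures out of unallocated space, as an added Python example. It is not part of this thread and not EnCase's or File Finder's own logic: the signature and footer tables are a small constructed subset of the common picture formats, the result labels (`match`, `renamed`, `bad_signature`, `unknown`) are my own, and the "unallocated" blob is constructed inline.

```python
# Added example (not from this thread, not EnCase code): signature analysis of
# picture files and a naive header/footer carver over raw bytes.

# Leading-byte signatures for common picture formats (assumed small subset).
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("bmp", b"BM"),
]

# Trailing-byte footers used by the carver; BMP has none (its size is in the header).
FOOTERS = {
    "jpg": b"\xff\xd9",                 # JPEG End Of Image marker
    "png": b"IEND\xae\x42\x60\x82",     # IEND chunk type followed by its fixed CRC
    "gif": b"\x00\x3b",                 # block terminator followed by the GIF trailer
}

# Extensions that mean the same format as a table entry.
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg", "dib": "bmp"}


def identify_by_signature(data: bytes):
    """Return the picture type implied by the first bytes, or None if unknown."""
    for kind, magic in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes say.

    match          extension and signature agree (a normal gallery-view hit)
    renamed        bytes are a picture but the extension says otherwise;
                   only found once signatures are verified
    bad_signature  extension claims a picture but the bytes do not
    unknown        neither extension nor bytes point at a picture
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    kind = identify_by_signature(data)
    picture_ext = ext in {k for k, _ in SIGNATURES}
    if kind is None:
        return "bad_signature" if picture_ext else "unknown"
    return "match" if kind == ext else "renamed"


def carve_images(blob: bytes, max_len: int = 8 * 1024 * 1024):
    """Naive header/footer carve: for each known header, take the bytes up to
    the next matching footer. Returns [(offset, kind, bytes)] sorted by offset.
    There is no fragment reassembly, so fragmented files are missed or truncated."""
    found = []
    for kind, magic in SIGNATURES:
        footer = FOOTERS.get(kind)
        if footer is None:
            continue
        pos = 0
        while True:
            start = blob.find(magic, pos)
            if start < 0:
                break
            end = blob.find(footer, start + len(magic))
            if end < 0 or end + len(footer) - start > max_len:
                pos = start + 1      # header without a plausible footer: skip it
                continue
            found.append((start, kind, blob[start:end + len(footer)]))
            pos = end + len(footer)
    found.sort(key=lambda item: item[0])
    return found


# Constructed sample data: minimal header/payload/footer stand-ins, not real pictures.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 40 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x02" * 30 + b"IEND\xae\x42\x60\x82"
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 28
# A constructed "unallocated" region: slack, a JPEG, more slack, a PNG, filler.
UNALLOCATED = b"\x00" * 512 + FAKE_JPEG + b"\x00" * 100 + FAKE_PNG + b"\xff" * 64


if __name__ == "__main__":
    for name, data in [("holiday.jpg", FAKE_JPEG), ("holiday.xls", FAKE_JPEG),
                       ("report.jpg", FAKE_ZIP), ("report.docx", FAKE_ZIP)]:
        print(f"{name:14} -> {classify(name, data)}")
    for offset, kind, data in carve_images(UNALLOCATED):
        print(f"carved {kind} at offset {offset}, {len(data)} bytes")
```

The carver illustrates why a 200 GB unallocated job is slow and why its output needs review: every header is a candidate, the first footer found is trusted, and anything fragmented or lacking a footer (BMP here) is lost. A renamed `.xls` that is really a JPEG comes back as `renamed`, which is the case the thread asks about.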
pma111 (author) commented:
Cheers - that's a shame OST is not included in the supported list.
pma111 (author) commented:
>>File finder is a good place to start in order to find the pictures in unallocated.

Do you use any additional tools?

Is it a quick process to scan unallocated to carve out these files - or a long job?

Say 200 GB of unallocated for all images - what sort of time on a decent-spec PC would you be looking at?

I have heard of Scalpel - how would that compare in terms of speed to EnCase?
SirtenKen commented:
Currently, for a modern PC processing 200 GB, you should do the rest of your analysis and then start the job before you go home for the day. I haven't used Scalpel, but can tell you that the latest compilation of Linux-based tools (including Scalpel) is to be found at http://www.sans.org/. Sign up for an account, then check out the SIFT workstation. The tools are pre-configured and help is available.
btan (Exec Consultant) commented:
Just to add, pertaining to file signature and extension: these may not be totally reliable if both are changed intentionally. A huge file size should trigger more priority for manual checks, though. It may be some protected volume, like in TrueCrypt, but that is better confirmed also with traces from the software installed on the target machine. Part and parcel of piecing up the trails. Even file timestamps can be changed. See this article, though it is old.

http://www.anti-forensics.com/beat-encase-file-signature-analysis-on-a-windows-system

And file slack and unallocated space are areas for hiding data which can commonly be surfaced manually; we can rely on the tool only so much. You are still the one in control and oversight... just some thoughts.
pma111 (author) commented:
Breadtan - what methodology and tools do you use to find encrypted volumes/containers/archives on a PC? Is there a single tool or script to identify all, or a multitude of tools? I have heard of TCHunt. Has EnCase any inbuilt encrypted file finders? How accurate are they?
pma111 (author) commented:
And what "anti-forensics" are you coming up against in practice? Are you finding them on all serious cases you do, or just the odd one here and there? I'd be very interested to see what anti-forensics people actually see in the field, which are the more common ones you encounter, and how you find them.
btan (Exec Consultant) commented:
EnCase does not have such a file finder, though I am not a regular user of it. TrueCrypt in this case has the .tc extension, but knowing the ability to change the extension and signature, it will not be foolproof; the same applies to others in general. There is a forum discussion on the topic of checking if EnCase can detect a TrueCrypt volume. You may be interested, but they also highlighted hidden volumes by TrueCrypt.

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3970

But for a hidden volume, I doubt it is possible to find it within those streams of random bits.

http://www.truecrypt.org/docs/?s=plausible-deniability

Talking about anti-forensics, there is no strict protocol that will be followed, but the fundamentals of knowing the intent of obscuring and the hints of specialised tools can help to steer what sort of coverage to deep dive into. If the user has stego software, a hex editor, TrueCrypt, a file binder, a file streams creator, etc. found on the target machine, what is your next thought :)

The challenge is when encryption and a password and key are needed to open the treasury. It is not straightforward, but these are means to evade leakage. They know how to exploit security as well. This link shares a fair bit, and I will say common ones like timestamp, file signature and stego are favoured since those are readily available. Those serious ones have proprietary means, which is really security by obscurity... need to trace hints, root infection backtrack etc.
http://www.forensicswiki.org/wiki/Anti-forensic_techniques
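btan's two points above, that extension and signature can both be changed and that a TrueCrypt container is a stream of random-looking bits with no recognisable header, lend themselves to a simple triage heuristic for the "encrypted file finder" pma111 asks about. The following is an added Python example, not from this thread and not how TCHunt or EnCase work: it flags files that carry no known header, are a whole number of 512-byte sectors, and have near-maximal byte entropy. The header list, the thresholds and the sample files are assumptions constructed for the example.

```python
# Added example (not from this thread): entropy-based triage for headerless,
# random-looking files that may be encrypted containers.
import hashlib
import math
from collections import Counter

# Headers that legitimately explain high entropy (compressed/encoded formats) or
# identify the container types discussed in the thread. Assumed small subset.
KNOWN_HEADERS = [
    b"\xff\xd8\xff",                       # JPEG
    b"\x89PNG\r\n\x1a\n",                  # PNG
    b"PK\x03\x04",                         # ZIP, DOCX, XLSX
    b"\x1f\x8b",                           # GZIP
    b"Rar!\x1a\x07",                       # RAR
    b"%PDF",                               # PDF
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 (DOC, XLS)
    b"!BDN",                               # PST / OST
    b"regf",                               # Windows registry hive
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_known_header(data: bytes) -> bool:
    return any(data.startswith(h) for h in KNOWN_HEADERS)


def looks_like_encrypted_container(data: bytes, min_size: int = 19 * 1024,
                                   entropy_threshold: float = 7.9,
                                   sample_bytes: int = 1024 * 1024) -> bool:
    """Heuristic (assumed thresholds): no recognisable header, a size that is a
    whole number of 512-byte sectors, and near-random bytes. Compressed data that
    has lost its header also trips this, so hits are candidates for manual review,
    not proof, and a hidden volume inside an outer volume is not distinguishable."""
    if len(data) < min_size or len(data) % 512 != 0:
        return False
    if has_known_header(data):
        return False
    return shannon_entropy(data[:sample_bytes]) >= entropy_threshold


def triage(files: dict) -> list:
    """Return the names of files worth a manual look, in input order."""
    return [name for name, data in files.items() if looks_like_encrypted_container(data)]


def _constructed_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for random data (a SHA-256 chain), for the samples below."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample files (not real containers, archives or documents).
SAMPLE_FILES = {
    "notes.txt": (b"The quick brown fox jumps over the lazy dog.\n" * 1500)[:64 * 1024],
    "backup.zip": b"PK\x03\x04" + _constructed_random_bytes(64 * 1024 - 4),
    "holiday.avi": _constructed_random_bytes(64 * 1024),   # headerless, random-looking
    "tiny.bin": _constructed_random_bytes(1000),           # too small and not sector-aligned
}


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12} {len(data):7d} bytes  entropy={shannon_entropy(data):.3f}")
    print("candidates:", triage(SAMPLE_FILES))
```

Only `holiday.avi` is flagged: the ZIP is just as random but carries a header, the text file is sector-sized but low-entropy, and the small file fails the size rule. In practice the candidate list is what you cross-check against the installed-software traces btan mentions (TrueCrypt, stego tools) before spending time on any one file.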
pma111 (author) commented:
Thanks

>>If the user has stego software, a hex editor, TrueCrypt, a file binder, a file streams creator, etc. found on the target machine, what is your next thought :)

What is your strategy to identify these?
Check program files
Check registry
What about boot CDs, portable apps etc.?
btan (Exec Consultant) commented:
Either boot up an examination on the cloned target HDD, which is more straightforward for seeing the installed or stored software, or there is a software classification plugin for EnCase from Bit9 that may help to streamline the process.

http://www.bit9.com/company/webinar-detail.php?id=246
pma111 (author) commented:
Do you have a list of common anti-forensics or data hiding tools that you could perhaps share?
btan (Exec Consultant) commented:
Suggest checking out the slides below; a good summary. You can start from slide 34 onwards, and slide 50 has some pointers on searching hashes.
http://www.irongeek.com/i.php?page=videos/anti-forensics-occult-computing

By the way, this site has a list of signatures, though only the common ones...
http://www.aeicomputertech.com/forensics_file_signatures.php