<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Proactive Discovery</title>
	<atom:link href="http://www.proactivediscovery.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.proactivediscovery.com</link>
	<description>We help solve problems</description>
	<lastBuildDate>Tue, 03 Apr 2012 05:24:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Get split/compressed Norton Ghost (GHO) images loaded into EnCase</title>
		<link>http://www.proactivediscovery.com/get-splitcompressed-norton-ghost-gho-images-loaded-into-encase/</link>
		<comments>http://www.proactivediscovery.com/get-splitcompressed-norton-ghost-gho-images-loaded-into-encase/#comments</comments>
		<pubDate>Mon, 12 Mar 2012 20:41:38 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Free Tools]]></category>
		<category><![CDATA[Resources]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=484</guid>
		<description><![CDATA[During a recent case, we received a set of 4 compressed/split Norton Ghost image files.  The image files were created with Norton Ghost v11. As it turns out, none of the forensic tools we had available (EnCase, FTK) were able to read these compressed Norton Ghost (GHO) files.  I reached out to list serves (all [...]]]></description>
<content:encoded><![CDATA[<p>During a recent case, we received a set of 4 compressed/split Norton Ghost image files.  The image files were created with Norton Ghost v11. As it turns out, none of the forensic tools we had available (EnCase, FTK) were able to read these compressed Norton Ghost (GHO) files.  I reached out to listservs (all CCE&#8217;s responding, thank you) to see what alternatives exist.  At first I thought this was easy and bought Norton Ghost v15. Unfortunately it proved to be useless, because as of Norton 12/14/15 and Norton Save &amp; Restore 2.0, they no longer have the ability to read GHO files (confirmed with TechSupport) and create images in .v2i format.  I also found out that Norton Ghost versions 10/12/14/15 are considered Personal/Home products. Versions 9/11 are Enterprise products. Luckily, we had a version of Ghost 11 available.</p>
<p>Using various parts from helpful responses, the following process allowed me to bring the 4 split/compressed Norton Ghost (GHO) image files into EnCase.</p>
<p style="padding-left: 30px;"><span style="text-decoration: underline;"><strong>Note</strong></span>: The Ghost image files were NOT created with any &#8220;forensic&#8221; switch, so they are not to be considered a bit-stream image.</p>
<p style="padding-left: 30px;"><strong><span style="text-decoration: underline;">Note</span></strong>: <em>To my surprise Mount Image Pro does NOT support Ghost images at all, according to my conversation with Tech Support. Anyway, let&#8217;s get going.</em></p>
<p><strong><span style="text-decoration: underline;">Situation</span></strong>:</p>
<p>4 split/compressed Norton Ghost image files (File1.gho, File1_001.ghs, File1_002.ghs, File1_003.ghs). The image files were created with Norton Ghost v11. They needed to be loaded into EnCase.</p>
<p><span style="text-decoration: underline;"><strong>Solution</strong></span>:</p>
<ol>
<li>Load the 4 split/compressed GHO files into Ghost Explorer (<a href="http://www.proactivediscovery.com/wp-content/plugins/download-monitor/download.php?id=3" title="Downloaded 29 times">Ghost Explorer</a> - Downloads: 29,  Size: 537.81 kB) <em>Note: I don&#8217;t provide support for this product or have any affiliation with the creator</em>.</li>
<li>Once loaded, select the partition in the left pane. In my case it showed up as NTFS.</li>
<li>Go to View -&gt; Options. Uncheck &#8220;split image&#8221;.</li>
<li>While the partition is selected, go to File -&gt; Compile&#8230;</li>
<li>Make sure &#8220;split image&#8221; is unchecked in the dialog. Enter the new name of the single GHO image you are about to create.</li>
<li>Click &#8220;Save&#8221;.  This will create a single GHO file. <strong><span style="text-decoration: underline;">Note</span></strong>: This will NOT uncompress the files. So there are additional steps we need to take.</li>
<li>Now that we have a single GHO file, you need to have access to a version of Norton Ghost that has the Ghost32.exe application. In my case this file was part of Norton v11.  I was not able to verify if this executable exists on older Norton products.</li>
<li>Use the following command line to convert the GHO into a VMware VMDK file.<br />
<span style="color: #0000ff;">ghost32.exe -clone,mode=restore,src=C:\&#8230;\YOUR_FILENAME.gho,dst=C:\&#8230;\YOUR_NEWFILE.vmdk -batch -sure</span></li>
<li>Start EnCase and add your VMDK file to your case.</li>
<li>Now you can acquire the drive via EnCase or perform your analysis.</li>
</ol>
<p><strong>Disclaimer: The MAC date/times seem to remain intact throughout this process; however, you need to validate your evidence!</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/get-splitcompressed-norton-ghost-gho-images-loaded-into-encase/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer Forensic Certification</title>
		<link>http://www.proactivediscovery.com/computer-forensic-certification/</link>
		<comments>http://www.proactivediscovery.com/computer-forensic-certification/#comments</comments>
		<pubDate>Mon, 12 Mar 2012 19:20:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=465</guid>
		<description><![CDATA[Why do I need to be certified and what certification do I need? As I have traveled and spoken on the subject of digital evidence and digital forensic investigation I have often been asked about Digital Forensic certifications. In this article I wanted to explore some of the better known certifications and their requirements so [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Why do I need to be certified and what certification do I need?</strong><br />
As I have traveled and spoken on the subject of digital evidence and digital forensic investigation I have often been asked about Digital Forensic certifications. In this article I wanted to explore some of the better known certifications and their requirements so that you as an interested professional can decide if certification is for you and just which direction you might want to go.</p>
<p>I think it is important to realize that certification in any area of expertise should be designed to tell the world that you have attained something that sets you apart from others in the field. Digital forensic certification should be measured much like a college degree program. There are a number of undergrad and post graduate degree programs out there that are designed simply to make money through mail order and not to provide something of real value that tells the world that you have earned a college degree through a nationally or internationally accepted and recognized degree program. The programs I will discuss here have various requirements and levels of difficulty and it is up to you to decide the direction you want to go. Any good certification program in digital forensics should have a practical examination component and a written examination that requires the student to show their knowledge and proficiency in performing digital forensic work. The organization putting forth the certification should also require certificate holders to subscribe to best practices standards and to a code of ethics. Additionally, the certificate holder should be required to recertify at a prescribed interval and maintain continuing education in the field of digital forensics.</p>
<p>Digital forensic education programs leading to certification are generally divided into two areas: those open only to law enforcement and those open to any professional. Those open only to law enforcement typically also allow &#8220;non-sworn&#8221; personnel to attend if they are engaged in a full time position with a government agency that prepares criminal cases and assists in the prosecution of defendants. There are two programs that fall into the law enforcement only classification: the CFCE and SCERS certifications.</p>
<p>The <em><strong>Certified Forensic Computer Examiner</strong></em> (CFCE) certification is offered through the International Association of Computer Investigative Specialists (IACIS). This program is offered by attending a two week intensive training course in Orlando, Florida. This course is offered every year and is now offered in multiple countries. IACIS began in the early 90’s and the training course is staffed by a host of volunteers who each year give up two weeks of their summer to teach and coach in the two week class. While the course is geared for the novice, it will be very difficult to keep up in the class if you have not acquired at least a basic technical background in the Windows operating systems. The class covers everything from basic FAT file systems to NTFS and Unix/Linux basics and also includes the various Apple Macintosh file systems. The class also covers the logical and the physical disk structures and computer forensic artifacts. Following the completion of the class the student is granted the <em><strong>Certified Electronic Evidence Collection Specialist</strong></em> (CEECS) certification, which signifies training in how to seize and gather digital evidence in a forensically sound manner.</p>
<p>Shortly after graduation from the two week class the student applies for and is assigned a regional coach who will help guide the student through a series of five practical exercises designed to cause the student to explore digital forensic issues, locate forensic artifacts, and prepare a technical report based on their findings and conclusions. Each report is reviewed for thoroughness and once all issues in the exercise are resolved the student advances to the next practical. The final practical is a full size hard drive that must be imaged correctly and fully reported on. Once the final practical is completed the student is presented with a one hundred question multi-part written essay examination that usually requires several days to complete. The student must pass at 80%. If successful, the student is awarded the Certified Forensic Computer Examiner designation. The CFCE is required to maintain annual training hours and to recertify every three years. The cost of this program is approximately $1600 plus room and board. In the event that a student wishes to participate in the certification process without attending the two week training course there is also an external certification method. Each year approximately 200 students begin the process but only about 50 percent complete it. The CFCE is allowed to maintain their certification when separating from the public sector provided the separation was under honorable conditions.</p>
<p>The <strong><em>Seized Computer Evidence Recovery Specialist</em></strong> (SCERS) training program is only available to law enforcement and is part of the Federal Training Program offered at the Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia. Students who are from a non governmental private entity may take part in the training provided they are sponsored by a law enforcement agency and the agency training coordinator or other responsible party within the agency makes the request for the student to attend. There is a prerequisite for this training in that the student must have completed the <strong><em>Digital Evidence Acquisition Specialist Training Program</em></strong> (DEASTP) or the <strong><em>Criminal Investigations in an Automated Environment Training Program</em></strong> (CIAETP) to qualify for admission to the SCERS Program. The SCERS program is quite expensive at $5,047 US but as a part of this price the student receives numerous pieces of hardware including a mini personal computer as well as the top selling forensic software products like Guidance Software™ Encase Forensic and AccessData™ FTK; generally almost everything needed to conduct digital forensic examinations and analysis. The training program covers two weeks and involves extensive after classroom time. The in class curriculum is very similar to the CFCE program but also provides an introduction to the use of some forensic software tools. At the conclusion of the training program the student must pass a graded practical examination to be awarded the SCERS certification.</p>
<p><strong>Private Sector Programs</strong></p>
<p>For the digital forensic professional in the private sector there are several programs leading to certification. These programs are of course also offered to professionals in law enforcement, but it is not required. These programs are generally divided into two areas: programs offering certification using non vendor specific digital forensic methodology and those which certify the student in the use of a particular piece of forensic software.</p>
<p>The High-Tech Crime Network (HTCN) offers several levels of proficiency for applicants seeking to attain certification. The HTCN states that it is the only certifying body that actually performs a background check on applicants and awards a certification based on experience in the computer forensic industry. The candidate must provide satisfactory proof that he or she has received a minimum number of hours in computer crime and/or computer forensic training and must be able to document their experience in the field. The applicant can download a 17 page application from the HTCN website and submit the notarized application to HTCN with a $50 non-refundable application processing fee. The applicant must also submit a copy of the notarized application to their direct supervisor, who authenticates the information contained in the application and also must sign a notarized affidavit to that effect. The supervisor then forwards the affidavit to the HTCN under separate cover. The applicant then waits 45-90 days for the HTCN decision concerning approval for certification. Prior to being awarded certification the applicant must become a member of HTCN and be an annual dues paying member in good standing and pay the remaining $450 to get their certificate.</p>
<p>The HTCN offers four different certifications:</p>
<p><strong><em>Certified Computer Crime Investigator, Basic Level</em></strong> requires candidates to have 2 years of investigative experience or a bachelor’s degree and one year of experience. It also requires 18 months of experience directly related to the investigation of computer incidents/crimes. The basic certificate also requires the candidate to have completed 40 hours of training in computer crime investigation from an approved source.</p>
<p><strong><em>Certified Computer Crime Investigator, Advanced Level</em></strong> candidates must have an additional year of investigative experience and 4 years of experience directly related to the investigation of computer crime. Candidates for the advanced certificate must have completed 80 hours of training.</p>
<p><strong><em>Certified Computer Forensic Technician, Basic</em></strong> requires 3 years of investigative experience or a bachelor’s degree and 2 years of experience. Candidates must have 18 months of computer investigation experience and 40 hours of computer forensic training from an approved source and must pass a written examination on computer forensics. Additionally, the candidate must provide documentation that they have performed at least 10 computer forensic examinations.</p>
<p><strong><em>Certified Computer Forensic Technician, Advanced</em></strong> also requires 3 years of investigative experience but must have 4 years of direct experience related to computer forensics. Additionally, the candidate must have 80 hours of computer forensic training. Candidates for the advanced certificate must have been the lead examiner in at least 20 examinations in the past 3 years and in 40 or more additional computing investigations as the lead forensic technician, supervisor, or contributor. The candidate must have been involved in a total of at least 60 computer forensic investigations at some level in the last 3 years.</p>
<p>LC Tech offers training in several computer crime disciplines marketed as the High Tech Crime Institute (HTCI) that culminate in certification, one of which is the <strong><em>Computer Crime Scene Technician</em></strong> (CCST). HTCI offers tracks of study in which the student is required to attend training courses in certain topics to achieve certification in a particular area of study. Other forensic designations through HTCI include <strong><em>Certified Computer Network Investigator</em></strong> (CCNI), <strong><em>Certified Computer Forensic Technician</em></strong> (CCFT), and the <strong><em>Forensic Operating System Specialist</em></strong> (FOSS). Each of these tracks has its own exam and results in the designation of <strong><em>High Tech Crime Investigator Basic, Intermediate or Advanced</em>.</strong></p>
<p>The International Society of Forensic Computer Examiners (ISFCE) offers the <strong><em>Certified Computer Examiner</em></strong> (CCE) certification. CCE certification exams are offered at several locations around the country. CCE authorized training centers are also found at university and other locations in the US and internationally. The applicant must have documented training at one of the approved training facilities or have 18 months of responsible computer forensic examination experience. As an additional option the candidate may produce documented proof of a valid self study in computer forensic examination. The initial CCE process consists of a proctored multiple choice online exam and the forensic examination of a floppy disk, CDR, and hard drive. An 80% or better score is required to complete the process. The fee for the process is $395 US and additionally may also include a proctoring fee. The CCE must adhere to the ISFCE code of ethics and complete recertification every 2 years. A CCE may take additional online examinations particular to computer operating systems such as FAT, NTFS, Linux/UNIX, or Apple Macintosh in order to receive specific endorsements for demonstrated learning in these areas. The attainment of 3 or more such endorsements grants the CCE the advanced certification of <strong><em>Master Certified Computer Examiner</em></strong> (MCCE). There is no fee for membership to the ISFCE once the candidate has completed the CCE certification, but there is a recertification fee of $75 US. The CCE also requires continuing education in computer forensics.</p>
<p>The International Information Systems Forensic Association offers the <strong><em>Certified Information Forensic Investigator</em></strong> (CIFI) certification. Training courses aimed at attaining this certification are available at various Technet Training Centers around the US. Candidates wishing to sit for the CIFI examination can do so at any Prometrics testing center for a fee of $150 US. Candidates must score a 70% or better on the exam to qualify.</p>
<p>New Technologies, Inc., acquired in 2000 by Armour Holdings, Inc., offers comprehensive training in computer forensics and a <strong>Certificate of Professional Development</strong> through Oregon State University. Students earn the certificate of completion and college credit through the university. NTI offers their classes in Portland, Oregon and Jacksonville, Florida. The process involves both practical and written examinations.</p>
<p>In addition to these non-vendor specific training and certification opportunities, several of the forensic software vendors are also offering forensic certification using their products. Guidance Software, makers of the EnCase line of forensic software, offers the <strong><em>EnCase Certified Examiner</em></strong> (EnCE) certification. The EnCE has two paths to certification. One path requires that the candidate attend Guidance Software computer forensic or incident response training at the intermediate level or above. Those candidates must possess a valid EnCase software license, personally owned or purchased through a training site or business. He or she must have 18 months of investigative experience with at least 6 months of verified experience in computer forensic examinations endorsed by their department head. The other path is for candidates who have other computer forensic training and have not taken the Guidance Software courses. In addition to the EnCase software license requirement the candidate must have 80 verifiable hours of authorized classroom computer forensic training with 18 months of total investigative experience including 6 months of experience in computer forensic examinations, or 32 hours of classroom training and two years of total investigative experience with 1 year of computer forensic examination experience. Both paths to certification require a two phase testing process. Phase I is a computerized examination proctored through Prometric Testing Centers. It requires an 80% or better grade on the exam. Phase II is a practical test requiring the candidate to examine computer evidence on CD-ROM. Candidates have 60 days to complete the practical and submit a report of their findings. Candidates must achieve an 85% or higher rating on the practical.</p>
<p>AccessData Corporation, makers of the Forensic Tool Kit (FTK) and Password Recovery Toolkit (PRTK), has recently developed the <strong><em>AccessData Certified Examiner</em></strong> (ACE) certification. Candidates for the ACE certificate are required to possess (individually or through their employer) a licensed copy of FTK, PRTK, and Registry Viewer. The applicant must also have completed the AccessData Forensic Boot Camp and Windows Forensic training classes. There is no waiver or allowance for other types of forensic training. The applicant must also have 6 months of computer forensic experience. Successful completion of the process is also in two phases. Phase I is an 80% or better score on the computerized exam administered by Prometric Testing and Phase II involves completion of a Practical Based Assessment (PBA) administered by AccessData. The cost of the certification at the time of this writing is $395 US.</p>
<p>While it may not be necessary to have a certificate in Digital Forensic proficiency to conduct computer forensic work, it shows that you have submitted your knowledge and skills in this area for review by an outside party. Much like the Certified Fraud Examiner, possessing a certificate in digital forensics sets you apart from others in the field. The CFE is highly recognized and a very valuable certification to have in today’s job market. Be certain the certification you choose in Digital Forensics will have the respect of your peers in the industry and be something that you can proudly display. It’s been said that computer forensics is a community of practice; we all learn from each other. Having a certification does not make you an expert, but it does say something important about you and your level of knowledge and skill.</p>
<p>As a caveat, you should know that many states are requiring private computer forensic examiners to be licensed private investigators. If you are considering this field as an independent private examiner you should check with your state to find out if they will require licensing as a PI before you engage any clients.</p>
<p><em>Richard Cannon is both a Certified Forensic Computer Examiner and a Certified Fraud Examiner and has over 20 years experience in the fields of criminal and civil investigation and for the past 6 years he has worked in the field of digital investigation and analysis. He is the former Forensic Technology Director for the Association of Certified Fraud Examiners. He has written on the topic of digital investigation and spoken at a number of conferences both in the US and internationally on the subject of Digital Forensic Evidence and the investigation of fraud using digital forensic methodology. Mr. Cannon is currently Chief Investigator for Corporate InfoSec at a large global corporation and continues to conduct forensic examinations and investigations.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/computer-forensic-certification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Long File Path Export EnScript (LFPE)</title>
		<link>http://www.proactivediscovery.com/long-file-path-export-lfpe-enscript/</link>
		<comments>http://www.proactivediscovery.com/long-file-path-export-lfpe-enscript/#comments</comments>
		<pubDate>Sun, 11 Mar 2012 06:56:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[EnScripts]]></category>
		<category><![CDATA[Free Tools]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=411</guid>
		<description><![CDATA[You may find this EnScript helpful in dealing with long file path export challenges in EnCase. What does it do? This EnScript plug-in is used to identify and export entries which would exceed the path depths limitations of 245 characters during a normal EnCase export. The script will loop through entries that are blue-checked and [...]]]></description>
			<content:encoded><![CDATA[<p>You may find this EnScript helpful in dealing with long file path export challenges in EnCase.</p>
<p><span style="text-decoration: underline;"><strong>What does it do?</strong></span></p>
<p>This EnScript plug-in is used to identify and export entries which would exceed the path depth limitation of 245 characters during a normal EnCase export. The script will loop through entries that are blue-checked and identify entries which exceed the above limit based on the FullPath column and the specified export path.</p>
<p>The script will export the identified entries that exceed the 245 character limit. Once exported it will also &#8220;uncheck&#8221; them so they will no longer cause an error. This should leave you with items you can safely export using the native EnCase Copy Folder&#8230; function.</p>
<p>The script will create a sub-directory called &#8220;pathdepth&#8221; inside the user specified export folder and export data using the Logical Size of an entry. In addition, a log file is created which contains the reference to the original entry details.</p>
<p>Since the script generates a flat export, it renames the files with a prefix to guarantee uniqueness. This prefix is actually the MFT record number on NTFS volumes (File Identifier).</p>
<p>Please report any bugs or suggestions to <a title="Technical Support" href="http://www.proactivediscovery.com/technical-support/">EnScript Support</a></p>
<p style="text-align: center;"><span style="color: #ff6600;"><em>Developing, maintaining and hosting this content does take time and financial resources. Your support is much appreciated.</em></span></p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.34</strong></span><br />
+ (fixed) Log file now supports UNICODE characters</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.33</strong></span><br />
+ (fixed) File names with invalid characters are now saved in #_MD5.ext format and recorded in log file</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.32</strong></span><br />
+ (fixed) Moved FileID() after file name</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.31</strong></span><br />
+ (fixed) total byte size of selected files keeps increasing if going back and forth with new destination path<br />
+ (fixed) split file type extension into own column in export log<br />
+ (fixed) exclude case name in path upon export<br />
+ (fixed) remove CaseName from path calculations<br />
+ (fixed) add original file name to export log<br />
+ (fixed) uniform export format: with MFT FileIdentifier available (file.ext_id.ext), without MFT FileIdentifier available (file.ext_hash.ext)</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.9</strong></span><br />
+ added MD5 hash value to the exported file name if no MFT file identifier is available. File Identifier is only available if the MFT is within the evidence file. In case of a LEF that doesn&#8217;t have the MFT, it shows a zero.<br />
+ added check if entry is folder. Folders are not considered for export.</p>
<p><span style="font-style: italic; font-weight: bold;">NOTE: No guarantee is made that this EnScript is error free. Please use at your own risk and validate your findings.</span></p>
<p>The EnScript can be downloaded here: <a href="http://www.proactivediscovery.com/wp-content/plugins/download-monitor/download.php?id=1" title="Downloaded 28 times">Long File Path Export (LFPE) EnScript</a> - Downloads: 28, Version: 1.0.34,  Size: 36.55 kB<br />
(Requires EnCase 6.11.2)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/long-file-path-export-lfpe-enscript/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Missing parent email after FTK export</title>
		<link>http://www.proactivediscovery.com/missing-parent-email-after-ftk-export/</link>
		<comments>http://www.proactivediscovery.com/missing-parent-email-after-ftk-export/#comments</comments>
		<pubDate>Sun, 11 Mar 2012 03:47:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Free Tools]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=311</guid>
		<description><![CDATA[Scenario: You perform a keyword search. FTK returns hits emails with attachments for the keyword you searched for. Since you are a good forensic examiner, you validate the completeness of the results. Unfortunately, you notice that several attachments reference emails which are not present.Reason: The keywords hit only on the attachment content, yet not on [...]]]></description>
<content:encoded><![CDATA[<p><strong>Scenario</strong>: You perform a keyword search. FTK returns hits on emails with attachments for the keyword you searched for. Since you are a good forensic examiner, you validate the completeness of the results. Unfortunately, you notice that several attachments reference emails which are not present. <strong>Reason</strong>: The keywords hit only on the attachment content, not on the email message.</p>
<p><strong>Problem</strong>: How do you locate the parent email which contained the attachment with the keyword hit?</p>
<p><strong>Answer 1</strong>: Manually review each item in your search result set using &#8220;View the item in a different list &#8211; Email tab&#8221;. That is fine if you have only a few items.</p>
<p><strong>Answer 2</strong>: Wait for a new version of FTK to come out and hope the feature to export parent emails is included. According to AccessData&#8217;s support form, it might be in a new release.</p>
<p><strong>Answer 3</strong>: Use the attached Microsoft Excel spreadsheet. I recently worked a case where I was in the same situation and needed a somewhat automated tool. So I took it upon myself to write a VB macro that basically compares two columns from the FTK &#8220;Copy special&#8230;&#8221; feature.</p>
<p>Here is how you would use the tool.</p>
<p>Within FTK perform the following steps:</p>
<p>Step 1: Perform your search on emails with attachments within FTK</p>
<p>Step 2: Right-click in your search result pane and select &#8220;Copy Special &#8230;&#8221;</p>
<p>Step 3: Select &#8220;All Currently Listed Items&#8221;</p>
<p>Step 4: Only check the &#8220;File name&#8221; and &#8220;Attachment Info&#8221; column</p>
<p>Step 5: Select &#8220;Clipboard&#8221; within the Copy destination section.</p>
<p>Step 6: Click &#8220;Copy&#8221; button</p>
<p>Open the Excel spreadsheet (don&#8217;t delete any of the columns)</p>
<p>Step 1: Click on the &#8220;FTK Feed&#8221; worksheet tab</p>
<p>Step 2: Paste the results you have copied above into the &#8220;FTK Feed&#8221; worksheet.</p>
<p>Step 3: Within the &#8220;FTK Feed&#8221; worksheet, select column B2 and sort in &#8220;ascending&#8221; order</p>
<p>Step 4: Go to the &#8220;Locator&#8221; tab.</p>
<p>Step 5: Press the button&#8230;</p>
<p>The macro will crawl column A and compare it to column B. Column A is considered the &#8220;base&#8221;, which was extracted from the &#8220;Attachment Info&#8221; column. It is compared to column B, which contains all files and email messages. If a value from column A is found in column B, you are lucky. If not, the macro will mark it in RED. This still means that you have to find the message within FTK, yet now you have a list to work with.<br />
I know the tool doesn&#8217;t really solve the problem, yet it helps automate the process of locating the missing parent email.</p>
<p>I hope this helps.</p>
<a href="http://www.proactivediscovery.com/wp-content/plugins/download-monitor/download.php?id=2" title="Downloaded 17 times">FTK Find Parent</a> - Downloads: 17,  Size: 12.28 kB
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/missing-parent-email-after-ftk-export/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Signals and Clues in Detecting Deception</title>
		<link>http://www.proactivediscovery.com/signals-and-clues-in-detecting-deception/</link>
		<comments>http://www.proactivediscovery.com/signals-and-clues-in-detecting-deception/#comments</comments>
		<pubDate>Sun, 11 Mar 2012 03:43:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=306</guid>
		<description><![CDATA[Everyone lies. It is not abnormal behavior until it becomes compulsive, excessive, and chronic, interfering with the individual's ability to cope with life. These compulsive liars are becoming detached from reality and have a major character flaw. About 60 percent of "normal" people tell one lie every ten minutes during a typical conversation. Everyone to some degree deceives by concealing, omitting, distorting, embellishing, exaggerating, or falsifying information or the truth. The amount of dishonesty displayed in our verbal communications is all relative, and some people just tell "little lies" and some people tell "big lies" that later have major consequences.]]></description>
			<content:encoded><![CDATA[<p><strong>William C. Butler, PhD<br />
Butler Research, LLC<br />
Evergreen, CO 80439</strong></p>
<p>Everyone lies. It is not abnormal behavior until it becomes compulsive, excessive, and chronic, interfering with the individual&#8217;s ability to cope with life. These compulsive liars are becoming detached from reality and have a major character flaw. About 60 percent of &#8220;normal&#8221; people tell one lie every ten minutes during a typical conversation. Everyone to some degree deceives by concealing, omitting, distorting, embellishing, exaggerating, or falsifying information or the truth. The amount of dishonesty displayed in our verbal communications is all relative, and some people just tell &#8220;little lies&#8221; and some people tell &#8220;big lies&#8221; that later have major consequences. It is not easy or even possible to be truthful 100 percent of the time. All people lie with good intentions; it fulfills a basic need. Tartaglia (1999) suggests that the subtle intention of lying is to be in control. He also states that all children lie to test their parents in order to see how much they can get away with.</p>
<p>Lying is fundamental to the human condition and a crucial dimension of all human relationships (Smith, 2004). It follows that everyone is constantly bombarded by new and possibly inaccurate information from various media and through interpersonal relationships. Conversely, everyone practices detecting the deception they know exists in the world. This plethora of information is therefore automatically, even unconsciously, evaluated for truthfulness. But how do we know what information is accurate and what is not? Among adults, there are vast differences in deceptive abilities &#8211; a skill learned early in life (Lewis and Saarni, 1993). We rely on intuition &#8212; which may not always be right &#8212; and non-verbal communication to help in this process of determining truth. More specifically, a fundamental skill for investigators and interviewers operating in a world awash in deception, misinformation, and disinformation is the ability to know something about an interviewee&#8217;s mindset, such as the veracity of what they might be thinking, and whether they are showing defensive, neutral or aggressive signs.</p>
<p>To know when someone is &#8220;cognitively challenged&#8221;, anxious, and under emotional stress because they are lying, particularly when they are adamant about their truthfulness, has obvious advantages. It is important to note, however, that just because a person is under emotional stress does not mean that the stress is due to lying. Probably two-thirds (70 percent, per Inbau et al., 2005) of all human communication takes place through subconsciously displayed (involuntary) body language. According to Wainwright (2003), &#8220;Body language is nearly always a better guide to the truth than even the most eloquent words&#8221;. Mehrabian (1971) concluded that only 7 percent of our information-gathering comes from the actual language used in conversation &#8211; the rest comes from body lingo and voice patterns, volume, cadence and pitch. Therefore, being able to spot these non-verbal warning signals, indicators, or gestures of deception plays a paramount role in the quality of decisions investigators and security professionals make daily. The problem with detecting lies is that most people are poor lie detectors (lie catchers); studies have shown that unless one is very highly trained in this area, there is only a slightly better than 50-50 chance of detecting lies by intuition. About a fourth of one percent of the population can consistently detect lies (The Associated Press, 2004). Even judges and law enforcement officers are not much better than the general population at detecting lies (Ekman, 2001).</p>
<p>The focus of this article is neither interviewing techniques nor the formulating of interview questions nor the use of polygraph techniques (Moenssens et al., 1995; Ekman, 2001). These are topics expertly covered in Inbau et al. (1986 and 2001); rather, it is a description of the common clusters of non-verbal body signals that individuals subconsciously use when they &#8220;talk with their body&#8221;. This is a brief introduction to the analysis of body language for the purpose of recognizing clues, signals, gestures, and posturing as they relate to the true emotional state and mindset of an individual, and ultimately to the true meaning of their verbal messages. Most people normally use a variety of gestures, such as hands and facial expressions (illustrators), when they speak to assist the listener. [more...]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/signals-and-clues-in-detecting-deception/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

