How to Creating Image & Data Extraction of Digital Device ?

What is Digital Forensic

Digital Forensic is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. Computer forensic and mobile forensic are the part of digital forensic.

For digital forensic purpose there are many tools available but EnCase is popular forensic tool.

EnCase is extensively used by forensic experts in Codec Network as part of digital forensic. Codec network provide a Professional Training platform where young collegiate and entry level executives are being groomed with  latest practical tools and deep Cyber security expertise and knowledge  to get groomed at per with our Industry professionals.

Codec Network is Best Institute for CHFI Certification Training in, Delhi India. We provides CHFI training course in New Delhi Centre, with Lab Facility. We prepare for latest Version on CHFI Training  Certification in Delhi| NCR, candidates need to work on a Live project.

Phases of Computer Forensic Investigation

The different and distinct phases of a computer forensic investigation are
1. Collection – Collection of evidence from the crime scene. The evidence includes Hard disk, laptops, mobile, computer, books and other accessories.

  1. Preservation – Preservation of evidence related to the crime scene. This phase includes imaging of hard disks or other digital devices, labeling the gathered evidence and then securely stores the evidence in a well protected (safe and secure) environment.
  2. Filtering – It can also be called “Analyzing”. It is the process where the evidence (data) is filtered and only the evidence (data) related to the crime is analyzed and rest of the data is not considered for further investigation.
  3. Report – It is the last step in the digital forensics process. It is summarized in the preparation of a report that contains all results, procedures or steps that have been done and document all the methods and tools that are used to collect and extract the evidence. This phase is most crucial in order to avoid questioning of the integrity of the investigation and investigation in the court of law.


Overview of EnCase

EnCase Forensics is a very popular software and is widely accepted in the court of law in forensic investigation. EnCase is bundled with numerous features which aid in all the four phases of forensic investigation.

Features of EnCase

EnCase features and supported operating systems are:

  • Operating Systems Supported Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit, AIX, OSX
  • File Systems Supported FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS, jfs), LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo 1 and TiVo 2. Now supports Novell file system.
  • File Types Support – Supports over 400 different file formats. Now supports Microsoft Office 2007 documents and the mbox format which is quite common among mail user agents.
  • Image Formats VMware, dd, and Safeback v2 image formats, also supports CD/DVD. Now supports LinEn utility for Linux systems
  • Internet and Email Support Hotmail, Outlook, Lotus Notes, Yahoo, AOL, Netscape, mbox and Outlook Express) and supports Internet Explorer, Mozilla, Opera and Safari
  • Gallery View Displays images of BMPs, JPGs, GIFs, & TIFFs.


Forensic Process using EnCase

  • Collection: With EnCase data can be collected by hard disk, flopy disk, pen drive, cd-roms, digital camera, memory card and other digital devices.
  • Preservation: In this

Step 1) Open EnCase forensic-710 and click on add local device. If there is any write blocker attached with    machine  and digital deice then tick to 1,2 and 5 option otherwise untick to all and click on Next button.


Step 2) Tick in the box of name column which shows the connected device name or label like (1,2,3 or any numeric number) and click on finish button.

Step 3) now to open evidences click on label number of device which shows in “name” column and again right click on label number and choose acquire option.


Step 4) then a pop up will appear with three tabs. In location tab fill all the fields. In format tab if you want to encrypt the evidence file then enable the Compression field otherwise disable it. In Verification Hash field value should be choose MD5 and SHA1 after it click on OK button.

Step 5) after it image creation will be start and time taken to create the image will be shown on right side of the bottom.

Step 6) Device will automatically disconnect after creating the image. Image will save in the folder which we set the path earlier.

  • Filtering:

Step 7) now using that image, data will be filter and analyze for further investigation.

Report: At left side of the bottom report will be show

About Codec Network

We are Best Institute for CEH and CHFI Training in Delhi NCR. Codec Networks provides EC Council Training Certification in Delhi Centre Base on Practical and live Project Training. We prepare you for Cyber | IT | Web Security Training with the latest Version in EC Council.


Codec Networks provides IT Trainings from EC Council CEH ECSA, LPT, CHFI, Network Security, Penetration Testing, ISACA, ISC2, PECB ISO 27001LA LI, Cisco Networking CCNA CCNP, Linux Administration RHCE, Prog Languages JAVA, Advanced Java, android development. We also offer B2B Industry Solutions and Services in IT | Information|Cyber Security in Delhi NCR India.

View all posts by

Leave a Reply

Your email address will not be published. Required fields are marked *