Show and Search for NTFS Owner in EnCase

Windows can be such a weird and wonderful thing, both at the same time. In a digital forensics sense, the artifacts left behind from user activity often give me delight. The same artifacts can often leave me scratching my head about why it exists in the first place. One of those features is the owner property in the NTFS file permissions.

User Activity

When a user creates a file, Windows typically drops that user account as the named owner of that file in the NTFS permissions. Sometimes, it assigns a local user group (say administrators) instead of a specific user, though I do not know the details of conditions surrounding that difference. Not the point of this post anyways.

To steps to see the owner of a file will vary a bit depending on the version of Windows you are using. The artifact itself is not affected by the version.

In Windows 8, right click on the file and choose properties. At the top, switch from the general tab to the security tab. Then, click the advanced button at the bottom. A new window will show, and the owner is listed near the top.


Showing in EnCase

To see the very same data in EnCase is fairly straight forward. Choose a file in the table pane. Then in the view (lower) pane, you will see a tab called permissions. The view will switch and list one of the records as the owner.


Forensic Usefulness

As you might have noticed, the file system in the above image looks a lot like a CMS package on a web server. If you did, great eye! Web servers use a specific account to access and store content for the anonymous users that make requests. This user account is assigned permissions on the file system to prevent that anonymous user from going where they aren’t allowed.

Some web applications allow those anonymous users to upload files to be used by the web application or even submitted to the company for some purpose. Because the web server user account is used for these interactions, you will find that user account as the owner for any files that were uploaded through the web application.

In the event of a web server compromise, this web server user account is often the early stages of attackers interacting with the computer. Attackers want to get their files into that file system to allow more control. These are called web shells and offer nearly identical functionality to the typical remote access tool category, only through a website interface.

What if we could get EnCase to display all files that are owned by this web server user account? I am glad you asked!

Filtering in EnCase

EnCase offers conditions and filters to limit the files shown on screen. Simply put, conditions are easier to create (point and click) while filters are hard (type EnScript code). I will show you the steps to create a condition that will show you only the files with the prompted value in the owner field. This can be done in EnCase v5 through v8 and the windows will look nearly identical.

First step, find the conditions tab and create a new one. I name mine “find sid as owner”, but you can call it whatever makes sense to you.

Next, we have to create a mini-filter before the condition can function. Go to the filters tab, then double click on the PermissionRoot option on the right. Name it “prm_sid2owner”.

Add a new term. Choose ID in the properties list, choose find in the operators list, leave the value box empty, and check the ‘prompt for value’ checkbox. Click ok.

Add another new term. Choose property in the properties list, choose matches in the operators list, type ‘owner’ in the value box. Click ok.

Now right click on the ‘main’ at the top of the tree and choose change logic. Click ok. You should see ‘prm_sid2owner’ listed on the left.


Now, go back the conditions and add a new term. At the bottom of the property list, you will find the mini-filter we just created.


Now you can apply this to your case. You can supply a fill SID value or a partial. You can also give a list of SID values to search for if you were looking for multiple users.


Hope this helps! Reach out with any questions or comments.

James Habben

Show Your Timezone in X-Ways

I posted earlier about how to enable EnCase to show the timezone for all of the timestamps that it displays. I wanted to follow that up with a post on how that can be accomplished with X-Ways Forensic (XWF) as well.

Showing Your Timezone

This is a pretty simple one. Don’t do anything. The default setting already has the timezone offset displayed with times. Well, you have to do one small thing, and that is to expand the column. XWF has it displayed in a slightly greyed color and all you have to do is make the column wider to show it.


Setting Time Zones

I haven’t done extensive testing on this, but it seems that XWF is similar to EnCase in that it takes the timezone setting of the machine your are running on to use inside the case.

To change that setting, use the ‘Options’ menu and select ‘General Options’. In there, you will find a button at the button at the bottom of the window for ‘Display Time zone…’. Click that.


Once you have that window open, choose your timezone and click OK and OK.


Edit: Jarle gave me a couple more ways to change the timezone.

You can set the timezone with a right click at the top of the case tree in the Case Data window on the left of the screen. Choose the ‘Properties…’ option.


On that window, you have two options. Set the timezone for the entire case (orange arrow), or unlock the option (pink arrow) to set the timezone for each evidence file or even for each partition of each evidence file.


If you check the box, then you do another right click > properties on each item you need to change the setting for and you will get this window.


Thanks for reading!

James Habben

Show Your Timezone in EnCase

A question came up on my team about how to adjust time zones on evidence in EnCase. I figured I would put together a short post in case it might help others.

Setting Time Zones

When you start a case with EnCase, it grabs the timezone that is currently being used by the workstation you are running it on. All of the evidence that you bring into that case is assigned that same timezone.

You can apply a timezone change at a couple levels. First, directly to an evidence file. Second, to multiple evidence files. In EnCase v6, you open a case directly to whats called the ‘entries’ view. Entries are a generic name given to refer to any object inside an evidence file such as files, folders, alternate data streams, NTFS meta files, partitions, etc. even including the evidence file itself. Starting in EnCase v7 (and carried into v8), you are dropped in the ‘evidence’ view and must interact with that list in order to enter the ‘entries’ view. Whatever version you are using, go into the entries view.

To set the timezone, decide if you want an evidence specific or global change. Then right click on the evidence name or the ‘entries’ item at the top of the tree. Towards the bottom find the ‘Device’ sub-menu, then choose the ‘Modify time zone settings…’ option.


A small window will pop up to show the list of time zones that EnCase has available. If you are examining a computer that isn’t properly patched with the current Daylight Saving Time setting, you can force that.


Click OK, and the times showing in EnCase will all be adjusted without having to do anything further.

Showing Your Timezone

I encourage everyone reading this to update this setting. Digital forensics requires us to be very accurate and specific. It tells EnCase to attach the timezone setting to every date that is displayed. It has saved me from a situation of reporting an incorrect time more than once. After changing this setting, your dates will look like these. I typically keep the columns smaller and only expanded the ‘Last Accessed’ field to show the full value.


To make this change, find the ‘Tools’ menu in the bar at the top, and choose the ‘options’ option. Then click on the ‘Date’ tab. Check the box at the top of that tab page.


Thanks for reading!

James Habben

Living with a Credit Freeze

Brian Krebs published an article “How I Learned to Stop Worrying and Embrace the Security Freeze” in 2015. I decided to embark on that journey as well, although my laziness caused the onset of that journey to be staggered longer than it should have. I have had freezes in place for quite a few years now, and I wanted to share my experiences for each of the major bureaus.


First, I want to say that it is very surprising, even to this day, to see the staggering number of companies (that deal with pulling credit reports or scores) that have never heard of a credit freeze. There are so many places that want to run your credit, from as simple as getting electricity turned on and all the way to getting a home mortgage. I feel like I have been more of an educator to that industry than anyone else!

Some have heard of a freeze, and are very curious to ask questions about it. It feels almost like being a celebrity with questions like “what’s it like to have a freeze?” (no joke). Others have heard of it and straight up dismiss me because they claim to have no ability to handle the freeze except for me having to unfreeze and then refreeze when they are done. Many of them think it is so simple and free (it’s not), so they just expect you to take that on. One company straight up refused to work with me at all until there was no freeze on my credit.


The current situation has no standards on how these credit freezes should work. There are some various state laws that define how much the bureaus can charge to place a freeze, but there is nothing in those laws to define the process. Each of the three major bureaus does things slightly different.

In general, you visit the web portal for each bureau and supply enough personal information to identify yourself. Stuff that really wouldn’t be hard to assemble about a target victim for those inclined to that side of morals, but that’s another rambling for another day. After validating you know enough about someone yourself, you pay some amount of money to place the freeze. After that clears, you get a PIN code. Equifax gave me a 10 digit, Experian gave me a 10 digit, and TransUnion gave me a 6 digit. These numbers have different uses depending on the bureau.

In general, I haven’t had problems with the companies knowing who they use to pull credit history. They are willing to discuss and work with me when I explain that I have a freeze and the reason for the freeze. Sometimes, they have to pass you off to a different person who is the one responsible for performing the task.


I want to start with this one because it is the one I have held a freeze with for the longest, and it seems to be the most popular credit bureau with the companies I have interfaced with.

For those companies that were willing to work with me, it has been the absolute smoothest of all three bureaus. I store the 10 digit PIN in my KeePass database, and I can give this number to the company looking to pull information about my credit history. Simple as that. Later, I can go onto the Experian web portal to change that PIN. The process is similar to when you first place the freeze in supplying enough personal information to identify yourself.

I had to unfreeze with Experian one time when a company absolutely refused to accept a PIN to process the transaction. It cost me something like $20 to schedule an unfreeze followed by a refreeze after so many days.


I list this one next because it has been the next easiest to work with in pulling credit history. The PIN you get from them is only to use when interacting with the web portal, so supplying this PIN to a company seeking your credit info will come back with a refusal based on being a wrong number. In fact, the PIN you receive as a part of the freeze process is a 10 digit, and the creditor company is prompted for only 4 digits – an obvious mismatch.

The code required by those companies has to be generated each time, but the best part is that Equifax doesn’t charge for creating these codes. The downside is that you need to login to their web portal to generate them, so you have to be more prepared. You can create a global temporary lift for a time period or a temporary lift for a single company. When doing a temporary lift for a single company, the portal asks you for the company name seeking your credit, but funny enough they only allow you to type 9 characters in that box. It seems that the name is more of a note for reference later than it is as a part of the validation. The other thing is asks you for is that 10 digit code you received when placing the freeze. At the end of that process, you get a link to open a PDF file that contains a 4 digit single use code. Give that to the company running your credit and it will go through, even immediately within minutes of generating that code.


I put this one last because I wasn’t able to figure out a way to have a temporary lift without having to pay some amount of money. I have had to login to the web portal to place a temporary lift. They charged me $10 and it didn’t matter if it was a global lift or a specific company lift.


I have lived with these credit freeze for many years, and it has allowed me to have a little more peace in light of the world I live in. It sets a much higher wall in front of my metadata and I can deal with the occasional hassle that I described above.


I hope this helps you. I encourage you to look at getting a credit freeze to protect yourself.


James Habben