- EnCase
EnCase is a series of proprietary forensic software products produced by Guidance Software. It is used by many law enforcement agencies around the world.

EnCase is capable of making forensic-quality recordings (images) of data stored on PCs, and of recovering some insecurely deleted data. Special training is usually required to operate the software in a law enforcement capacity.
Method of operation
The first thing a user of EnCase will normally do is use the software to create images of suspect media (hard drives, CDs etc.). Images are stored in a proprietary format and carry an MD5 checksum so that their integrity can be checked later. Unlike typical imaging software such as Norton Ghost, EnCase makes images that are exact copies of the original, byte for byte, so that unused parts of the media can be fully examined for deleted files and other remnants.

After imaging, EnCase can be used to examine the files stored on the image using common tools such as a document viewer and hex editor. It can also examine parts of the filesystem not normally exposed to the user, such as deleted file entries, on-disk checksums and log/journaling data, and it can search for and attempt to recover deleted files.

Finally, any relevant files can be saved to the user's PC, along with checksums and other metadata, for use as evidence.

It should be noted that EnCase only uses common techniques to perform its analysis; the main benefit to the user is that the tools are all tied together and are of forensic (i.e. verifiable) quality.
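The acquisition and verification workflow described above, as an added example in Python. This is not EnCase's code (which is proprietary): the "device" is a small constructed stand-in written to a temporary file, the image is a plain raw byte-for-byte copy rather than EnCase's own format, and the JPEG-like fragment planted in the unallocated region is constructed for the demo. The record it produces carries SHA-256 alongside MD5, a hedge against the MD5 weakness the article discusses below, and the last step runs a naive header/footer carve over the whole image to show how a deleted file can be recovered from the unallocated space that a sector-by-sector copy preserves and a file-level backup would drop.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16

# Real JPEG start-of-image / end-of-image markers, used by the carving step.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def make_sample_device(path):
    """Write a constructed stand-in for raw suspect media: an 'allocated'
    region holding a live file, then 'unallocated' space that still contains
    the bytes of a deleted JPEG-like fragment (constructed sample data)."""
    allocated = b"LIVE FILE: quarterly report" + b"\x00" * 200
    deleted = JPEG_SOI + b"\xe0\x00\x10JFIF" + bytes(range(64)) + JPEG_EOI
    unallocated = b"\x00" * 128 + deleted + b"\x00" * 128
    with open(path, "wb") as f:
        f.write(allocated + unallocated)


def _stream(src, dst=None):
    """Read src in chunks, optionally copying to dst, hashing every byte.
    Serves both acquisition (dst given) and later re-verification (dst None)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    out = open(dst, "wb") if dst else None
    try:
        with open(src, "rb") as fin:
            while True:
                chunk = fin.read(CHUNK)
                if not chunk:
                    break
                if out:
                    out.write(chunk)
                md5.update(chunk)
                sha256.update(chunk)
                size += len(chunk)
    finally:
        if out:
            out.close()
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def image_device(device, image):
    """Byte-for-byte copy of the device into an image file. The returned
    acquisition record (size, MD5, SHA-256) is what goes into the case notes."""
    return _stream(device, image)


def verify_image(image, record):
    """Re-hash the image and compare every field of the acquisition record."""
    return _stream(image) == record


def carve(data, header, footer, max_len=1 << 20):
    """Naive header/footer carving over the whole image, unallocated space
    included. Returns every candidate object found, in order of occurrence."""
    found, pos = [], 0
    while True:
        start = data.find(header, pos)
        if start < 0:
            break
        end = data.find(footer, start + len(header))
        if end < 0 or end - start > max_len:
            pos = start + 1
            continue
        found.append(data[start:end + len(footer)])
        pos = end + len(footer)
    return found


def run_demo():
    """Acquire, verify, carve, then flip one byte of the image and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "suspect.raw")
        image = os.path.join(d, "suspect.img")
        make_sample_device(device)
        record = image_device(device, image)
        verified = verify_image(image, record)
        with open(image, "rb") as f:
            carved = carve(f.read(), JPEG_SOI, JPEG_EOI)
        # Simulate a post-acquisition modification: both digests must change.
        with open(image, "r+b") as f:
            f.seek(10)
            b = f.read(1)[0]
            f.seek(10)
            f.write(bytes([b ^ 0x01]))
        tamper_detected = not verify_image(image, record)
    return {"record": record, "verified": verified,
            "carved": carved, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    r = run_demo()
    print(r["record"])
    print("verified:", r["verified"], "tamper detected:", r["tamper_detected"])
    print("carved object sizes:", [len(c) for c in r["carved"]])
```

The carve is deliberately simplistic (it trusts the first footer it meets, so fragmented or nested objects will be cut short); real tools validate the candidate's internal structure before reporting it. Recording two independent digests costs nothing at acquisition time and means a later MD5 collision argument has nothing to attach to.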
EnCase-recovered data as evidence
Data recovered by EnCase has been used successfully in various court systems around the world. However, there are questions regarding the validity of evidence recovered by EnCase. For example, MD5 checksums are used to ensure data has not been altered or tampered with, yet MD5 is known to be vulnerable to collision attacks: two different inputs can be constructed that share the same MD5 digest. See the main MD5 article for details. In practice the published attacks require the colliding pair to be constructed in advance, so a digest recorded at acquisition time still detects ordinary after-the-fact modification; recording a second, stronger hash (such as SHA-256) alongside MD5 removes the objection entirely.

Another issue with data recovered by EnCase is that typically there is no way to determine who created or accessed the data. Although user account data can provide some clues, the ease with which anyone who has physical access to the machine, or who controls it remotely (e.g. via a trojan or remote administration tool), can create or alter data makes positive identification of the owner, or even of those who knew of the data's existence, difficult.

Countermeasures
Because EnCase is well known and popular with law enforcement, considerable research has been conducted into defeating it (as well as counter forensics in general). The Metasploit Project produces an anti-forensics toolkit. Manual defences are possible too, for example by modifying the file system [http://web.archive.org/web/20061021193155/http://www.safehack.com/Textware/forensic/Anti_Forensic_Break_Encase.pdf]. Furthermore, because law enforcement procedures involving EnCase have to be documented and available for public scrutiny in many judicial systems, those wishing to defend themselves against its use have a considerable pool of information to study.
Copies of EnCase have been widely leaked on to P2P networks, allowing full analysis of the software. Proof-of-concept code exists that can cause EnCase to crash, or even use buffer overflow exploits to run arbitrary code on the investigator's computer. It is known that EnCase is vulnerable to compression bombs, for example 42.zip. [http://www.unforgettable.dk/]
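As an added example (not EnCase's code or anything from the cited site), the following Python builds a miniature of the nested-zip layout that 42.zip uses and then shows the check an examination tool needs before it expands an archive found on a suspect image: a budget on the total number of bytes it is willing to inflate, enforced across every nesting level. The archives are constructed in memory for the demo; the limits are illustrative defaults.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"


class BombSuspected(Exception):
    """Raised when expanding the archive would exceed the configured budget."""


def build_bomb(layer_bytes=1 << 20, fanout=8, depth=2):
    """Constructed nested bomb for the demo: a zip of zips, each layer holding
    `fanout` copies of the layer below, with `layer_bytes` of zeros at the
    bottom. Defaults declare 64 MiB while being a few kilobytes on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * layer_bytes)
    blob = buf.getvalue()
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"layer{level}_{i}.zip", blob)
        blob = buf.getvalue()
    return blob


def build_benign():
    """A harmless constructed archive with ordinary compressibility."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", bytes(range(256)) * 8)
    return buf.getvalue()


def inspect_archive(blob, max_total=16 << 20, max_ratio=200, max_depth=4,
                    _depth=0, _acc=None):
    """Walk a zip and any zips nested inside it, refusing to inflate more than
    max_total bytes in aggregate. Returns (declared_bytes, inflated_bytes).
    Two independent checks: the central-directory sizes (cheap, but the
    attacker writes them) and a metered inflate, so a lying header cannot
    get past the budget either."""
    acc = _acc if _acc is not None else {"declared": 0, "inflated": 0}
    if _depth > max_depth:
        raise BombSuspected(f"nesting deeper than {max_depth} levels")
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            acc["declared"] += info.file_size
            if acc["declared"] > max_total:
                raise BombSuspected(f"declared total {acc['declared']} exceeds budget")
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise BombSuspected(f"{info.filename}: ratio over {max_ratio}:1")
            nested, is_zip, first = bytearray(), False, True
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(1 << 16)
                    if not chunk:
                        break
                    if first:
                        is_zip, first = chunk.startswith(ZIP_MAGIC), False
                    acc["inflated"] += len(chunk)
                    if acc["inflated"] > max_total:
                        raise BombSuspected("inflated total exceeds budget")
                    if is_zip:
                        nested += chunk
            if is_zip:
                inspect_archive(bytes(nested), max_total, max_ratio, max_depth,
                                _depth + 1, acc)
    return acc["declared"], acc["inflated"]


def classify(blob, **limits):
    """('ok', byte counts) or ('bomb', reason) for a given archive."""
    try:
        declared, inflated = inspect_archive(blob, **limits)
        return "ok", f"declared={declared} inflated={inflated}"
    except BombSuspected as e:
        return "bomb", str(e)


if __name__ == "__main__":
    for name, blob in (("benign", build_benign()), ("bomb", build_bomb())):
        print(name, len(blob), "bytes on disk ->", classify(blob))
```

The budget is accumulated across the recursion rather than reset per archive because a nested bomb is harmless at any single level and only compounds its ratio across layers. The zip central directory is stored in the clear even when entries are encrypted, so the declared-size check still works on a password-protected archive; the metered inflate does not, since the entries cannot be opened, which is one more reason to keep both checks.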
See also
* computer forensics
* counter forensics

External links
* [http://www.guidancesoftware.com/ Guidance Software web site]
Wikimedia Foundation. 2010.