Thursday, June 20, 2013

Product Review: Encase Forensic 7

[Image: EnCase Forensic 7.5 software box shot. Image credit: Guidance Software, Inc.]

Guidance Software, Inc., makes computer forensics, security, and e-discovery software. On October 11, 2012, the Los Angeles-based digital investigations and e-discovery company upgraded its EnCase Forensic product, which is designed to forensically collect data and conduct investigations. Law firms and legal departments use EnCase to collect, examine, and analyze data for evidence in corporate and government investigations, civil litigation, and criminal trials.

EnCase Forensic can acquire and analyze data from Microsoft Windows, Linux, AIX, Apple OS X, and Sun/Oracle Solaris operating systems. The application supports handling, reviewing, and reporting on potential evidence that includes deleted files, file slack, and unallocated space. EnCase Forensic also makes exact duplicates of original data, which can be verified by hash and Cyclic Redundancy Check values, to transfer evidence to clients, government officials, or outside counsel.

Guidance Software boasts that the latest version of EnCase Forensic, 7.05, processes data three times faster than its predecessor. It does this without over-utilizing the CPU, relying instead on memory and an ample disk cache. The new version lets you select a subset of files from collected data for prioritized processing, so you can view and analyze some potential evidence while EnCase Forensic continues to work on the rest of the collection. You can view the early results of keyword searches while the application completes the search query in the background, and simultaneously view multiple records as well as email threads and related conversations.

Other features included in v7:

• Acquire data from supported smartphones.
• Embed hyperlinks in exported reports.
• Case analyzer can indicate computer activity from the metadata of files collected.

I took EnCase Forensic for a test drive on my Lenovo ThinkPad T520 (dual core Intel i7-2860QM CPU at 2.5 GHz, 8 gigabytes RAM) running the Windows 7 (64-bit) operating system, which is recommended by Guidance Software. A separate, external SATA 7200 RPM hard disk for evidence storage is also recommended. I stayed with the internal Intel SSD 320 Series 2.5-inch drive (160 GB) that shipped with my system; the application required 425 megabytes of free disk space to install.

I found EnCase v7 very usable, without a steep learning curve to create a case, collect evidence, analyze data, and report results.

TEST DRIVE

The EnCase Forensic graphical user interface could hardly be easier to use for starting a case. One-click access to recent cases is displayed prominently, with case file actions to start a new case and open an existing case just below. See Figure 1.

Figure 1 shows the EnCase Forensic graphical user interface. Guidance Software's Windows executable file opens up to a familiar browser-like interface with hyperlinks to begin workflows to open an existing case or start a new case.

When an existing case is selected, the case page becomes the focal point of the UI, with context-specific tasks such as adding evidence. When you drill down into the evidence of a case, the UI changes to a view for examining evidence in a troika of panes: a hierarchical tree view, a table list view of the item selected in the hierarchy, and a view of the discrete piece of evidence selected from the table view. EnCase Forensic uses Oracle Corp.'s Outside In technology to view evidence without the native application installed on the local machine.

I started a new case and a dialog box displayed to enter the case name, case path, and evidence cache locations. To speed the encase.exe program, which is a multithreaded application that calls various modules to accomplish tasks, Guidance Software uses disk cache. So if you want the benefits of the faster EnCase Processor in version 7, I would follow the software maker's advice and use a large, external SATA 7200 RPM hard drive.

After I selected name and file locations for my new case, I clicked OK and the UI changed context to add evidence to the case. I was prompted to choose the type and location of the evidence such as a local device connected to my computer, a raw image file (e.g., FAT32, NTFS, Solaris UFS, HPUX HFS, VMware's VxFS, and Netware), an existing evidence file (an EnCase image file used to store digital evidence acquired from computer memory, a hard disk), a storage volume image, or logical files.

I plugged in a USB thumb drive and selected the new local device for acquisition. I had the option to preview and acquire physical memory used by applications, such as msword.exe as well as the programs that enabled desktop synchronization with Google Drive and Microsoft SkyDrive. Note that if the target device has antivirus software running, the driver used to access memory may destabilize the acquiring machine. So disable any antivirus programs during acquisition. See Figure 2.

Figure 2: EnCase Forensic UI to add a local device to acquire evidence.

After I selected the USB drive and physical memory for specific applications, another dialog box opened to specify metadata for each targeted acquisition. I had to repeat information already produced in the case metadata, such as case number and case examiner. After I filled in the metadata for each acquisition, I kicked off the acquisition process and EnCase Forensic began to acquire the external device and portions of physical memory, using an ample amount of CPU, disk, and memory, but leaving me plenty of resources to engage other activities. See Figure 3.

Figure 3: A view of Windows 7 Resource Monitor while EnCase Forensic acquired evidence from an external drive and physical memory.

ADDING LOGICAL EVIDENCE

After acquiring evidence from an external drive and memory, I directed my attention to a Logical Evidence File that Guidance Software provided for my review. I opened a new case and selected the option to add the evidence file (.ex01). Before I took another step, I verified that the acquisition hash made at the time the file was acquired and the verification hash were the same. Had they differed, the file would have been corrupted or tampered with.

The next thing for me to do was to verify that the time zone settings for EnCase Forensic matched the time zone settings for the evidence file. This is another opportunity for automation, as I had to traverse registry settings in the evidence file to ferret the information out. I mounted the appropriate Windows Registry file to view the time zone of the source of the evidence file. I noted that I could mount a file for viewing and calculate the unallocated space as well as find deleted content.

After I viewed the file structure (i.e., mounted the appropriate Registry file), I found that the evidence was gathered from a source using Pacific Standard Time. I changed the time zone setting in EnCase Forensic to match that.

ENCASE EVIDENCE PROCESSOR

Before processing the evidence file, I knew that I wanted to index the evidence and exclude information that would not be evidence, i.e., files listed in the National Institute of Standards and Technology's National Software Reference Library Reference Data Set (version 2.38). From the EnCase Forensic tools menu, I clicked Manage Hash Library and pointed it at the library laid out on my local disk. Then I selected the evidence file and clicked "Process Evidence" from the menu. A dialog box opened up.

I enabled "Recover Folders," which allowed me to recover files that were deleted or corrupted and to locate hidden files on FAT and NTFS volumes. I also enabled Hash Analysis, which allowed me to create MD5 or SHA1 hash values to compare to other evidence in other files, if the need arose. Double-clicking on "Hash Analysis" opens another dialog box to select MD5 or SHA1 or both.

Figure 4. EnCase Forensic options to process evidence files.

I opted to expand compound files, i.e., extract archive files, and to find internet artifacts, which included browser bookmarks and history. The options to index text and metadata included setting a maximum word length (default = 64 characters) and excluding all files in the Hash Library. I opted to include private information and loaded a number of keywords to index.
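Two of the checks described above, the acquisition-hash verification of the .ex01 file and the exclusion of known files found in the Hash Library, reduced to plain Python as an added illustration; this is not EnCase code and the evidence bytes, recorded hashes and known-file set are all constructed here.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB blocks so a large image never has to fit in RAM

def hash_stream(fh, algos=("md5", "sha1")):
    """Return {algo: hexdigest} after a single pass over a binary stream."""
    hashers = {a: hashlib.new(a) for a in algos}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def hash_bytes(data, algos=("md5", "sha1")):
    return hash_stream(io.BytesIO(data), algos)

def verify_acquisition(path, acquisition_hashes):
    """Re-hash the evidence file and compare with the digests recorded at
    acquisition. Returns (ok, mismatched_algos); any mismatch means the file
    was corrupted or altered after it was acquired."""
    with open(path, "rb") as fh:
        current = hash_stream(fh, tuple(acquisition_hashes))
    bad = sorted(a for a, d in acquisition_hashes.items()
                 if current[a] != d.lower())
    return (not bad, bad)

def filter_known_files(file_hashes, known_set):
    """Drop files whose digest is in a known-file set (the effect of
    'exclude all files in the Hash Library'); whatever remains needs review."""
    return {name: h for name, h in file_hashes.items()
            if h.lower() not in known_set}

# Constructed stand-in for an evidence file's contents; not real evidence.
CONSTRUCTED_EVIDENCE = b"constructed evidence payload\n" * 4096

def demo():
    """Verify an intact copy, then re-verify after a single byte changes."""
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as tmp:
        tmp.write(CONSTRUCTED_EVIDENCE)
        path = tmp.name
    try:
        recorded = hash_bytes(CONSTRUCTED_EVIDENCE)  # plays the acquisition hash
        intact = verify_acquisition(path, recorded)
        with open(path, "r+b") as fh:                 # simulate damage in transit
            fh.seek(100)
            fh.write(b"X")
        damaged = verify_acquisition(path, recorded)
    finally:
        os.unlink(path)
    return intact, damaged
```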

Other processing options included the ability to collect custom registry keys on Windows systems (System Info Parser); recover instant messages from AOL, MSN, and Yahoo messengers (IM Parser); find file fragments, file slack, and unallocated file space (File Carver); and collect contents of Windows event logs (Windows Event Log Parser). Once I set the processing options, I saved them to a configuration file (*.EnProc) to reuse them on other evidence files and clicked OK to process the .ex01 file.

Once processing was complete, I pulled down the "View" menu and selected "Search." A Search tab opened up with pull-down menus for search conditions, filters, a function to load saved searches, and features to bookmark and tag files.

I viewed my keyword hits in one click from the key icon available from the search menu. The results displayed the number of files that contained a keyword and the number of times a keyword appeared in the entire collection. The file custodian's name, "Tyler," appeared in the most items and had more hits than any other keywords, which listed persons of interest in the case. The next highest was "John," so I searched with the word "John" (227 hits, 136 items). I combined the search terms ("John AND Tyler") and narrowed my search to 53 documents. I found a few documents and emails worth returning to. I highlighted those files and clicked "Go To" and the UI changed to the logical location of the file in the file system. I bookmarked these files and right-clicked them to "Find Relevant" files by name and see threaded email conversations.

The case file template that I had been working with since identifying my case as a "forensic" investigation came with default tags to mark files for "Review," "Add to Report," "Follow Up with Submitter," "Ignore," and "Important." I added a "Privilege" tag. Then I took an email message from a search of "John OR Tyler" with a subject matter of "Still in Business" and searched for the email conversation. I selected all the files from the search result showing the conversation and tagged them privileged.

SMARTPHONE ACQUISITION

I plugged my Droid Bionic (System 6.7.246.XT875) running Android version 4.0.4 into the Lenovo ThinkPad used for this review. Per Guidance Software, I set Android security to allow unknown sources to run on the device and enabled USB debugging. After a couple of starts and stops, I received the message that EnCase Forensic 7 does not yet support the OS on my platform. Drat.

I loaded into my case an example evidence file from Guidance Software that was captured from an HTC EVO 4G running Google Android. Once loaded, the smartphone acquisition was saved into an evidence file for EnCase Forensic to process, analyze, and search the evidence like any other evidence file acquisition. And I did not need any additional hardware devices or software.

With two evidence files loaded into my case, I simultaneously searched both files and my results window reflected hits from both files. In addition to the universal search, placing the two evidence files in the same case also allowed me to tag files of interest from both files and relate them in a report. Analyzing multiple evidence files can be complex, but EnCase Forensic streamlines finding hits in files.

From a table view of search results, I viewed individual items in "Transcript" view, which provides the plain text version of content. Rather than using the "Find" and "Find Next" functions to search for hits in the file, I clicked on "Compressed View" to only see the hit highlights in the file context. Clicking on the "Next Item" button (or "Previous Item" button) scrolls through my search results quickly to find and review hit highlights. See Figure 5.

Figure 5. EnCase Forensic "Compressed View" option to speed through views of hit highlights from a table list of search results.

If I am the only member of my team with EnCase Forensic, I will want to make evidence available for review without everyone looking over my shoulder. Guidance Software developed the "Review Package" option to package up potential evidence for an outside reviewer. I selected a number of images from a filtered view of two logical evidence files. From the Search tab menu "Review Package," I selected "Export," and a dialog box opened for me to package up the selected items and choose the metadata to accompany the items in a list view provided by an HTML application file (.hta), which can only be viewed in Internet Explorer. See Figure 6.

Figure 6. This image shows how to export evidence from EnCase Forensic using the "Review Package" tool to enable outside review and comments.

At any time during my investigation, EnCase Forensic offers reporting options from a report template that details the investigation and the examination of individual file types such as email, internet artifacts, documents, and photographs.

CONCLUSION

Guidance Software has made it easy for an EnCase Forensic v7 user to collect, process, analyze, and report forensic evidence from computer and smartphone sources. Without formal training, I feel confident that I can use the new version to forensically collect and process evidence for trial. But looking at the 500-plus pages of the user guide, I have barely scratched the surface of EnCase Forensic.

PRICING INFORMATION

EnCase Forensic version 7 starts at $3,495 with volume discounts available.

Attorney Sean Doherty is LTN's technology editor.
