EnCase

| Blank EnCase (V6.16.1) project file (screenshot) | |
|---|---|
| Developer(s) | Guidance Software |
| Stable release | 6.18 / October 27, 2010 |
| Development status | Active |
| Operating system | Windows |
| Available in | English |
| Type | Computer forensics |
| Website | www.guidancesoftware.com |
EnCase is a computer forensics product produced by Guidance Software used to analyze digital media (for example in civil/criminal investigations, network investigations, data compliance and electronic discovery). The software is available to law enforcement agencies and corporations.[1]
EnCase includes tools for data acquisition, file recovery, indexing/search and file parsing.[2] Special training is usually required to operate the software.
Data recovered by EnCase has been used successfully in various court systems around the world such as in the case of the BTK Killer.[3][4]
Use
EnCase contains tools for several stages of the digital forensic process: acquisition, analysis and reporting. The software also includes a scripting facility called EnScript, with APIs for interacting with evidence.
Acquisition
EnCase can create forensic images of suspect media. Images are stored in the proprietary EnCase Evidence File format: a compressible container prefixed with case-data information and holding a bit-for-bit (i.e. exact) copy of the media, interspersed with hashes (usually MD5 or SHA-1) for every 64K of data. An MD5 hash of the entire drive is appended as a footer.[1]
Analysis
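The layout just described, reduced to its essentials, as an added example. This is illustrative code written for this article, not Guidance Software's format or parser: the real evidence file has its own section and chunk structure, and the container below (a Python dict with a header string, a list of 64K chunks each paired with its MD5, and a whole-media MD5 footer) is an assumption made for the demonstration. What it shows is why a per-chunk hash is stored beside the footer hash: the footer can only say that the image no longer matches, while the chunk hashes say which block was damaged. The sample media is constructed inline.

```python
import hashlib

CHUNK_SIZE = 64 * 1024  # per-block hash granularity described for the evidence file format


def build_image(media, case_info, chunk_size=CHUNK_SIZE):
    """Build an illustrative evidence container (not the real EWF/E01 layout).

    Mirrors the structure described in the text: case metadata up front, the
    raw media split into fixed-size chunks with a hash stored beside each
    chunk, and a hash of the entire media as the footer.
    """
    chunks = []
    for offset in range(0, len(media), chunk_size):
        block = media[offset:offset + chunk_size]
        chunks.append((block, hashlib.md5(block).hexdigest()))
    return {
        "header": case_info,
        "chunks": chunks,
        "footer_md5": hashlib.md5(media).hexdigest(),
    }


def verify_image(image):
    """Re-hash every chunk and the reassembled media.

    Returns (ok, bad_chunks). The footer hash alone can only say that the
    image no longer matches; the per-chunk hashes say which 64K block changed.
    """
    bad = [
        index
        for index, (block, stored) in enumerate(image["chunks"])
        if hashlib.md5(block).hexdigest() != stored
    ]
    reassembled = b"".join(block for block, _ in image["chunks"])
    footer_ok = hashlib.md5(reassembled).hexdigest() == image["footer_md5"]
    return (not bad and footer_ok), bad


def corrupt_chunk(image, index, position, value):
    """Simulate bit rot or a bad sector in one stored chunk, leaving its stored hash untouched."""
    block, stored = image["chunks"][index]
    damaged = bytearray(block)
    damaged[position] = value
    image["chunks"][index] = (bytes(damaged), stored)


if __name__ == "__main__":
    # Constructed sample media: 256,000 bytes of repeating byte values, i.e. four 64K chunks.
    media = bytes(range(256)) * 1000
    image = build_image(media, "constructed case 0001")
    print(verify_image(image))          # (True, [])
    corrupt_chunk(image, 2, 10, 0xFF)
    print(verify_image(image))          # (False, [2])
```

One caveat worth keeping in mind: the hashes in the container are written by the same tool, at the same time, as the data they protect, so they detect accidental corruption, not a later edit by someone who can rewrite both. The acquisition hash should therefore also be recorded outside the image (in the case notes or a signed log) at the time of imaging.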
After imaging, the files stored in the image can be examined in EnCase with common tools such as a document viewer and a hex editor. EnCase can also examine parts of the filesystem not normally exposed to the user, such as deleted file entries, on-disk checksums and log/journaling data, and it can search for and attempt to recover deleted files.
Reporting
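One of the ways deleted files can be found when their directory entries are gone is to scan the raw image for file-type signatures (header-signature carving), as in this added example. It is not EnCase's own recovery code, and the signature table (PNG header and IEND footer, JPEG SOI and EOI markers) and the sample "unallocated space" are constructed for the demonstration. It shows the idea the paragraph describes: recovery from content alone, without consulting the filesystem.

```python
# Header/footer signatures for two common file types. The PNG footer is the
# IEND chunk type followed by its constant CRC; the JPEG footer is the EOI marker.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image, max_size=8 * 1024 * 1024):
    """Scan raw bytes for header/footer pairs.

    Returns a list of (type, start, end, data) sorted by offset. No filesystem
    metadata is consulted; only the content itself is matched.
    """
    results = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:
                break  # header with no footer after it: nothing more to carve for this type
            end += len(footer)
            if end - pos <= max_size:  # assumed cap against runaway matches
                results.append((kind, pos, end, image[pos:end]))
            pos = image.find(header, end)
    return sorted(results, key=lambda r: r[1])


def build_sample_image():
    """Constructed 'unallocated space': zero filler around two file bodies whose
    directory entries are gone. The bodies are structurally minimal stand-ins,
    enough to carry the signatures, not fully valid images."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(17) + b"IEND\xaeB`\x82"
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + bytes(40) + b"\xff\xd9"
    filler = b"\x00" * 512
    image = filler + png + filler * 3 + jpeg + filler
    return image, {"png": png, "jpeg": jpeg}


if __name__ == "__main__":
    image, expected = build_sample_image()
    for kind, start, end, data in carve(image):
        print(kind, start, end, data == expected[kind])
```

Signature carving has two well-known limits that an examiner should keep in mind when reading a tool's "recovered files" list: a fragmented file will not carve cleanly with a simple header-to-footer scan, and random data can match a short signature, so real carvers validate structure (walking PNG chunks, checking JPEG segment lengths) before reporting a hit.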
Evidential material can be "bookmarked" within the program and produced as a report in various formats.
Accreditation
In 2001, Jessica M. Bair, a former U.S. Army Criminal Investigation Command special agent and computer forensics examiner, created the EnCase Certified Examiner (EnCE) program with John Colbert to certify professionals in the use of Guidance Software's EnCase computer forensics software. By 2009, over 2,100 professionals were certified in EnCase. In 2006, Bair was the technical editor for the Sybex-published Official EnCE Study Guide.[5]
In 2009, Bair created the EnCase Certified eDiscovery Practitioner (EnCEP) program to certify professionals in the use of Guidance Software's EnCase eDiscovery software, as well as their proficiency in eDiscovery planning, project management and best practices spanning legal hold to load file creation.
Countermeasures
Because EnCase is well known and popular with law enforcement, considerable research has gone into defeating it (and into anti-computer-forensics in general). The Metasploit Project produces an anti-forensics toolkit that includes tools to prevent EnCase from finding data or from operating at all. Manual defences are possible too, for example by modifying the file system.[6]
Furthermore, because law enforcement procedures involving EnCase have to be documented and available for public scrutiny in many judicial systems, those wishing to defend themselves against its use have a considerable pool of information to study.
Copies of EnCase have been widely leaked on peer-to-peer file-sharing networks, allowing full analysis of the software. Proof-of-concept code exists that can crash EnCase, or even exploit buffer overflows to run arbitrary code on the investigator's computer. EnCase is also known to be vulnerable to decompression (zip) bombs such as 42.zip.[7]
References
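The decompression-bomb problem mentioned above is a general one for any tool that inflates archives found in evidence, and the defence is to bound the work before and during inflation rather than trust the archive. The following is an added example written for this article, not code from EnCase or any Metasploit tool: it inspects a zip with three limits (nesting depth, a per-member compression ratio, and a cumulative byte budget that is enforced while inflating, since the declared sizes in the central directory are attacker-controlled). The limit values, the sample benign archive and the constructed nested bomb are all assumptions made for the demonstration. The nesting check matters because 42.zip-style bombs are built as archives of archives: the outer layer on its own has an unremarkable ratio, so checking only the top level is not enough.

```python
import io
import zipfile

MAX_DEPTH = 3                        # assumed: how many nested archive levels we will open
MAX_TOTAL_BYTES = 16 * 1024 * 1024   # assumed: total bytes we are willing to inflate
MAX_RATIO = 200                      # assumed: uncompressed/compressed ceiling per member
RATIO_MIN_SIZE = 64 * 1024           # tiny members give meaningless ratios; skip them

NOTES = b"imaging of exhibit A complete, hashes verified\n" * 40   # constructed content
HASHES = b"exhibit-A.E01  md5 placeholder\n"                       # constructed content


class DecompressionBomb(Exception):
    """Raised when an archive would expand past the configured limits."""


def _read_bounded(zf, info, limit):
    # The central directory's file_size is attacker-controlled, so never
    # trust it: inflate at most limit+1 bytes and stop.
    with zf.open(info) as member:
        data = member.read(limit + 1)
    if len(data) > limit:
        raise DecompressionBomb(f"{info.filename}: exceeded remaining byte budget")
    return data


def inspect_archive(data, depth=0, budget=None):
    """Return the total inflated size of data (including nested .zip members),
    or raise DecompressionBomb as soon as a limit would be crossed."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]   # shared, mutable across the recursion
    if depth > MAX_DEPTH:
        raise DecompressionBomb("archive nesting deeper than MAX_DEPTH")
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cheap pre-checks on the declared sizes; they stop bombs with
            # honest headers before any inflation happens.
            if info.file_size > RATIO_MIN_SIZE and \
                    info.file_size > MAX_RATIO * max(info.compress_size, 1):
                raise DecompressionBomb(f"{info.filename}: ratio above {MAX_RATIO}:1")
            if info.file_size > budget[0]:
                raise DecompressionBomb(f"{info.filename}: declared size exceeds budget")
            payload = _read_bounded(zf, info, budget[0])
            budget[0] -= len(payload)
            total += len(payload)
            if info.filename.lower().endswith(".zip"):
                total += inspect_archive(payload, depth + 1, budget)
    return total


def is_bomb(data):
    """True if inspect_archive refuses the archive."""
    try:
        inspect_archive(data)
    except DecompressionBomb:
        return True
    return False


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()


def build_benign_archive():
    # Constructed sample: two small text files.
    return _zip_bytes([("notes.txt", NOTES), ("hashes.txt", HASHES)])


def build_nested_bomb(layers=3, fanout=8):
    # Constructed sample in the spirit of 42.zip: a highly compressible core
    # wrapped in `layers` levels of archives, each holding `fanout` copies.
    core = _zip_bytes([("zeros.bin", b"\x00" * (4 * 1024 * 1024))])
    for level in range(layers):
        core = _zip_bytes([(f"layer{level}_{i}.zip", core) for i in range(fanout)])
    return core


if __name__ == "__main__":
    print(inspect_archive(build_benign_archive()))   # total inflated bytes, well under budget
    print(is_bomb(build_nested_bomb()))              # True
```

Of the three limits, the byte budget applied during inflation is the one that actually holds: the ratio and declared-size checks are fast rejections, but a crafted central directory can lie about both, so the bounded read is what guarantees the process never inflates more than it agreed to.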
- [1] Olivier, Martin S.; Shenoi, Sujeet (eds.) (2006). Advances in Digital Forensics II. Springer. ISBN 0387368906. http://books.google.com/books?id=jr2PPjwXJQwC. Retrieved 31 August 2010.
- [2] "EnCase Law Enforcement". Guidance Software. http://www.guidancesoftware.com/computer-forensics-digital-investigation-law-enforcement.htm. Retrieved 16 June 2010.
- [3] "Teacher may not have seen images". Cambridge News. http://www.cambridge-news.co.uk/cn_news_home/DisplayArticle.asp?ID=375053. Retrieved 11 January 2009.
- [4] Taub, Eric A. (5 April 2006). "Deleting may be easy, but your hard drive still tells all". The New York Times. http://www.nytimes.com/2006/04/05/technology/techspecial4/05forensic.html?_r=1&ref=techspecial4. Retrieved 11 January 2009.
- [5] Bunting, Steve (2006). EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide. Sybex. 576 pp. ISBN 0782144357. http://www.amazon.com/EnCase-Computer-Forensics-Official-EnCase-Certified/dp/0782144357.
- [6] "Breaking EnCase with FILE0 and Winhex".
- [7] A website offering the 42.zip decompression bomb for download.
Further reading
- Garber, Lee. "EnCase: A Case Study in Computer-Forensic Technology". IEEE Computer Society. http://www.cosgrovecomputer.com/documents/computer_magazine_article.pdf. Retrieved 10 November 2010.
