EnCase
From Wikipedia, the free encyclopedia
EnCase is a series of proprietary forensic software products produced by Guidance Software. It is used by many law enforcement agencies around the world.
EnCase can make forensic-quality images of data stored on PCs and can recover some deleted data whose bytes have not yet been overwritten. Special training is usually required to operate the software in a law-enforcement capacity.
Method of operation
An examiner normally begins by using the software to create images of the suspect media (hard drives, CDs, etc.). Images are stored in a proprietary format and carry an MD5 hash of the acquired data, so that the image can later be checked for integrity: if it has been altered since acquisition, the recomputed hash will not match. Unlike general-purpose disk-cloning software such as Norton Ghost, which copies only the data the file system reports as in use, EnCase makes a byte-for-byte copy of the entire medium, including its unused areas, so that deleted files and other residue there can be examined.
Once an image exists, EnCase is used to examine the files it contains with familiar tools such as a document viewer and a hex editor. It can also examine parts of the file system that are not normally exposed to the user, such as deleted directory entries, on-disk checksums and log/journal data, and it can search for and attempt to recover deleted files.
Finally, any relevant files can be exported to the examiner's workstation, together with their hashes and other metadata, for use as evidence.
EnCase uses only ordinary tools for its analysis; its main benefit to the examiner is that they are tied together in a single product and are of forensic quality, i.e. the results are verifiable.
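The acquisition and verification steps above, as an added example (hypothetical code written for this article, not EnCase's own software or evidence-file format; the "device" is a constructed in-memory byte string, and the chunk size and per-chunk CRC32s are design choices assumed here). It records SHA-256 alongside MD5 so the integrity check does not rest on MD5 alone, and it contrasts the byte-for-byte image with a file-level copy, which loses the deleted file's bytes:

```python
"""Added example: byte-for-byte acquisition with integrity hashes and per-chunk CRCs.

Hypothetical helper code written for this article, not EnCase's own code or its
evidence-file format. The "device" is a constructed in-memory byte string.
"""
import hashlib
import io
import zlib

CHUNK = 4096  # assumption: block size used for the per-chunk CRC32s

# Constructed content: one live file and one deleted file whose bytes remain on disk.
LIVE = b"LIVE:quarterly-report.docx contents"
DELETED = b"DELETED:but the bytes are still in unallocated space"


def make_device() -> bytes:
    """Constructed media: the live file at the start, the deleted file's bytes
    sitting in unallocated space, and zero padding; four chunks in total."""
    return LIVE.ljust(2 * CHUNK, b"\0") + DELETED.ljust(CHUNK, b"\0") + b"\0" * CHUNK


def copy_allocated(source: bytes) -> bytes:
    """What a file-level copy yields: only the bytes the file system says are in
    use (here, the live file), so the deleted file is not captured."""
    return source[: len(LIVE)]


def acquire(source: bytes, chunk: int = CHUNK) -> dict:
    """Read the source sequentially and completely, hashing as we go.
    Returns the image plus the metadata an examiner would record with it."""
    src = io.BytesIO(source)
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    crcs, out = [], bytearray()
    while True:
        block = src.read(chunk)
        if not block:
            break
        out += block
        md5.update(block)
        sha256.update(block)
        crcs.append(zlib.crc32(block) & 0xFFFFFFFF)  # localises later damage to a chunk
    return {"image": bytes(out), "size": len(out), "chunk": chunk,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "crcs": crcs}


def verify(rec: dict) -> tuple:
    """Recompute the whole-image hashes and the per-chunk CRCs.
    Returns (everything_matches, indexes_of_chunks_whose_crc_changed)."""
    img, chunk = rec["image"], rec["chunk"]
    md5_ok = hashlib.md5(img).hexdigest() == rec["md5"]
    sha_ok = hashlib.sha256(img).hexdigest() == rec["sha256"]
    bad = [i for i, c in enumerate(rec["crcs"])
           if zlib.crc32(img[i * chunk:(i + 1) * chunk]) & 0xFFFFFFFF != c]
    return md5_ok and sha_ok and not bad, bad


def tamper(rec: dict, offset: int) -> dict:
    """Flip one byte at offset: simulates modification after acquisition."""
    img = bytearray(rec["image"])
    img[offset] ^= 0xFF
    return {**rec, "image": bytes(img)}


if __name__ == "__main__":
    rec = acquire(make_device())
    print(rec["md5"], rec["sha256"], verify(rec))
    print(DELETED in rec["image"], DELETED in copy_allocated(make_device()))
    print(verify(tamper(rec, 2 * CHUNK + 10)))  # byte inside the deleted-file chunk
```

The whole-image hashes answer "has anything changed?"; the per-chunk CRCs answer "where?", which matters when an image is later found damaged rather than deliberately altered.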
EnCase-recovered data as evidence
Data recovered with EnCase has been accepted as evidence in various court systems around the world. Questions have nevertheless been raised about its validity. For example, MD5 hashes are used to show that data has not been altered or tampered with, but MD5 is known to be vulnerable to collision attacks: two different inputs can be constructed that produce the same hash. See the main MD5 article for details. A collision attack lets an attacker prepare two such inputs in advance; finding a second input that matches the hash of an existing image (a preimage) remains impractical, so the usual mitigation is to record a hash from a stronger family, such as SHA-256, alongside the MD5.
Another issue with data recovered by EnCase is that there is typically no way to determine who created or accessed the data. User account data can provide some clues, but anyone with physical access to the machine, or with remote control of it (e.g. via a trojan or remote administration tool), could have placed the data there, which makes it difficult to positively identify the owner of the data or even to establish who knew of its existence.
Countermeasures
Because EnCase is well known and widely used by law enforcement, considerable research has gone into defeating it (and into anti-forensics in general). The Metasploit Project produced an anti-forensics toolkit that includes a tool called "Transmogrify", designed specifically to defeat EnCase's file signature analysis (the comparison of a file's header bytes against the type its name claims). Manual defences are possible too, for example by modifying the file system [1].
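The signature analysis and deleted-file recovery described under "Method of operation", and the header masking that tools such as Transmogrify use against them, as an added example (illustrative code written for this article, not EnCase's or Metasploit's; the signature table, the sample files and the unallocated region are all constructed here). It shows that signature analysis catches a renamed file but not one whose header has been overwritten, and that an intact trailer is one cheap way to notice the latter:

```python
"""Added example: file signature analysis, signature-based carving of
unallocated space, and what header masking does to both. Hypothetical code
written for this article, not EnCase's or Metasploit's; all inputs are constructed."""
from typing import Optional

# Header and trailer bytes for a few common types (constructed table, not EnCase's).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "pdf": "pdf"}


def identify(data: bytes) -> Optional[str]:
    """Type by header bytes alone, as a basic signature analysis does."""
    for name, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def signature_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension's type and the header's type disagree: a JPEG
    renamed to .txt is flagged, a genuine .jpg is not."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return EXT_TO_TYPE.get(ext) != identify(data)


def trailer_hint(data: bytes) -> Optional[str]:
    """Fallback when the header is unrecognised: an intact trailer still
    suggests the original type, which is how a masked header can be noticed."""
    found = identify(data)
    if found is not None:
        return found
    for name, (_, trailer) in SIGNATURES.items():
        if data.endswith(trailer):
            return name
    return None


def carve(unallocated: bytes, max_len: int = 1 << 20) -> list:
    """Cut every header-to-trailer run of a known type out of unallocated space.
    Returns (offset, type, bytes) tuples sorted by offset."""
    found = []
    for name, (header, trailer) in SIGNATURES.items():
        pos = 0
        while (start := unallocated.find(header, pos)) != -1:
            end = unallocated.find(trailer, start + len(header), start + max_len)
            if end == -1:  # no trailer within reach: not recoverable this way
                pos = start + 1
                continue
            end += len(trailer)
            found.append((start, name, unallocated[start:end]))
            pos = end
    return sorted(found)


def mask_header(data: bytes) -> bytes:
    """Zero the leading bytes so no header matches: the effect a tool that
    defeats signature analysis has on a file. A usable tool would also keep the
    original bytes so the change can be reversed (assumed, not shown here).
    Assumption: 8 bytes covers every header in the table above."""
    n = max(len(h) for h, _ in SIGNATURES.values())
    return b"\0" * n + data[n:]


# Constructed sample files (bodies are placeholders, not valid image data).
JPEG = b"\xff\xd8\xff\xe0" + b"constructed jpeg body " * 4 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"constructed png body " * 4 + b"IEND\xaeB`\x82"
UNALLOCATED = b"\0" * 100 + JPEG + b"\0" * 37 + PNG + b"\0" * 50

if __name__ == "__main__":
    print(signature_mismatch("photo.jpg", JPEG), signature_mismatch("notes.txt", JPEG))
    print([(off, kind, len(blob)) for off, kind, blob in carve(UNALLOCATED)])
    hidden = mask_header(JPEG)
    print(identify(hidden), signature_mismatch("notes.txt", hidden), trailer_hint(hidden))
```

A masked file with an innocuous extension passes the header-only check and is skipped by header-driven carving, which is exactly the gap such tools aim for; checking trailers, or content statistics, is what closes part of it.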
Furthermore, because law-enforcement procedures involving EnCase must be documented and open to public scrutiny in many judicial systems, those wishing to defend themselves against its use have a considerable pool of information to study.
Copies of EnCase have been widely leaked onto P2P networks, allowing full analysis of the software. Proof-of-concept code exists that can cause EnCase to crash, or even exploit buffer overflows to run arbitrary code on the investigator's computer. EnCase is also known to be vulnerable to compression bombs such as 42.zip, a small nested archive that expands to an enormous size when fully unpacked.[2]
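The check a tool that recurses into archives needs before expanding one, as an added example (hypothetical code written for this article, not EnCase's own; the ratio, size and nesting limits are assumptions, and the sample "bomb" is a small constructed nested zip built in memory rather than 42.zip itself). It reads only the sizes the archive declares, so the bomb is reported rather than expanded:

```python
"""Added example: estimate an archive's expanded size from its declared sizes,
recursing into nested zips within a fixed budget, without writing members out.
Hypothetical code written for this article, not EnCase's; the sample archives
are constructed in memory."""
import io
import zipfile

MAX_RATIO = 100       # assumption: declared/compressed ratio above this is suspect
MAX_TOTAL = 64 << 20  # assumption: refuse to expand more than 64 MiB in total
MAX_DEPTH = 3         # assumption: how many levels of nested archives to inspect


def build_bomb(payload_size: int = 1 << 20, inner_copies: int = 4) -> bytes:
    """Constructed sample: an outer zip holding several inner zips, each holding
    one highly compressible file. A few KiB on disk, several MiB expanded."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\0" * payload_size)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        for i in range(inner_copies):
            z.writestr(f"lib{i}.zip", inner.getvalue())
    return outer.getvalue()


def build_benign() -> bytes:
    """Constructed sample: an ordinary archive with a modest compression ratio."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("table.bin", bytes(range(256)) * 4)
    return buf.getvalue()


def inspect(zip_bytes: bytes, depth: int = 0) -> dict:
    """Sum the sizes each member declares it will expand to, recursing into nested
    .zip members (read into memory only while within budget). Returns the declared
    total, the worst single ratio and a list of reasons the archive looks unsafe."""
    total, worst, flags = 0, 0.0, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            worst = max(worst, ratio)
            total += info.file_size
            if ratio > MAX_RATIO:
                flags.append(f"{info.filename}: ratio {ratio:.0f}:1")
            if total > MAX_TOTAL:
                flags.append(f"{info.filename}: declared total over budget")
                break
            if info.filename.lower().endswith(".zip") and depth < MAX_DEPTH:
                try:
                    sub = inspect(z.read(info), depth + 1)
                except zipfile.BadZipFile:
                    continue  # named .zip but is not one; nothing to recurse into
                total += sub["total"]
                worst = max(worst, sub["worst"])
                flags += [f"{info.filename}/{f}" for f in sub["flags"]]
                if total > MAX_TOTAL:
                    flags.append(f"{info.filename}: nested total over budget")
                    break
    return {"total": total, "worst": worst, "flags": flags}


def safe_to_expand(zip_bytes: bytes) -> bool:
    """Gate to run before any member is extracted."""
    return not inspect(zip_bytes)["flags"]


if __name__ == "__main__":
    bomb = build_bomb()
    print(len(bomb), inspect(bomb))
    print(safe_to_expand(bomb), safe_to_expand(build_benign()))
```

Declared sizes can themselves be lied about, so a tool that does go on to extract should additionally stop at a byte budget while decompressing rather than trusting the central directory alone.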