How EnCase Software Has Been Used in Major Crime Cases (Plus How to Use EnCase Forensic Imager Yourself)
As with all professions, choosing the right tools for the job is a crucial part of digital forensics. EnCase digital forensic tools, created by Guidance Software (now part of OpenText), are among the most well-known programs in the industry. In this article, we look at some examples of how EnCase has been used to great effect in various criminal and civil cases. For example, we look at how it was instrumental in winning a client $64 million. We also look at its role in numerous high-profile homicide cases (both for the prosecution and the defense). Finally, we present a summary of how digital forensic professionals can use EnCase Forensic Imager to extract evidence from a hard drive and make an authentic copy.
The $64 Million Dollar Question
The first example of EnCase’s utility involves a case of fraud.
Insync Consulting Group, a Los Angeles-based provider of IT consulting and forensic IT support, was brought in by one half of a business partnership who disputed the size of his share in the company. Despite the contract stating he had just a 5% stake, he knew that he had originally signed to accept a 15% share. The extra 10% was worth a whopping $64 million, but some digging was needed to get to the bottom of the case.
The incriminating evidence was found using EnCase. It discovered not only that the critical ‘1’ had been deleted but also revealed who had removed it and – just as important – when. This case illustrates both the value of EnCase as an investigative tool and the importance of finding and protecting digital records as evidence.
With an estimated 92% of new information being stored on some kind of magnetic media, the central role of the digital forensic investigator is clear to see.
EnCase in Criminal Investigations
EnCase has been involved in the digital forensic investigations of several high-profile homicide cases, with investigators for the prosecution and the defense often disputing each other's conclusions.
In 2002, David Westerfield’s defense used EnCase to search the defendant’s disks and computers for evidence of child pornography. Although their interpretation was disputed, they did prove that pornographic content was accessed at the time the defendant was undergoing a police interrogation, adding weight to their suggestion that it was actually Westerfield’s son who was accessing the content (thus denying the prosecution the ‘smoking gun’ of a motive for the abduction and murder of a child). Westerfield was eventually convicted of the murder and is currently on Death Row.
In 2004, EnCase was instrumental in the conviction of Scott Peterson, who killed his wife Laci and their unborn son. Investigators took away Peterson’s five PCs and used EnCase to recover his internet search history. Amongst the incriminating evidence was a search for the tide times in the area where Laci’s body was found.
In 2005, EnCase was utilized to examine a floppy disk from serial killer Dennis Rader, dubbed the BTK strangler. The murderer had sent the disk to KSAS-TV unaware that a clue to his identity was present in the form of metadata from a deleted Microsoft Word document. Using EnCase, investigators traced Rader and finally put an end to his killing spree.
In 2008, EnCase was used in another prominent homicide case: the murder of two-year-old Caylee Anthony by her mother Casey. In this case, the killer’s recovered search history revealed search queries for chloroform.
EnCase and the Capture of Bin Laden
The location, capture and killing of Osama Bin Laden, the mastermind behind the 9/11 terrorist attacks, made front page news across the world, with the role of the Navy SEALs receiving global attention. Fewer headlines focused on the role of digital forensics (or, as the army calls it, DOMEX) in the cracking of the various computers, hard drives, USB sticks and DVDs that were found in Bin Laden’s home in Pakistan.
In such a highly complex and sensitive investigation, digital evidence clearly has to be trustworthy and kept safe from deliberate tampering or accidental corruption. It is widely thought that the secretive National Media Exploitation Center (NMEC) carried out the digital forensic investigations that followed Bin Laden’s death and that EnCase played a major role (a job description for the role included the need for “complete training in EnCase Forensic Software up through the EnCase Advanced training course or equivalent”). With EnCase, NMEC can crack encrypted media and recover deleted documents. Vound’s Intella software is also likely to have been used because of its ability to trawl through large volumes of emails.
The work may have been carried out in either the United States or a secret location in Afghanistan, and the extracted data will have been uploaded to NMEC’s HARMONY database, the repository for all exploited media used in the so-called ‘War on Terror.’
It was hoped that the investigation might lead to the capture of Bin Laden’s successor, Ayman al-Zawahiri, but despite a $25 million bounty on his head, al-Zawahiri is still a free man.
How to use EnCase Forensic Imager in a Real Case
For digital forensic investigators looking to extract evidence from a hard drive, here is a brief summary of the process.
Evidence extraction process:
- Open EnCase Imager and choose ‘Add Local Device.’
- Uncheck ‘Only Show Write-Blocked’ (keep all other options checked).
- You will see a list of digital assets. Select the physical drives containing the evidence you need and click ‘Finish.’
- Under the ‘Evidence’ tab, double click to see the drive contents. Uncheck anything you do not want to image.
- Click ‘Acquire.’ Choose the output destination and file type (e.g. E01). Click ‘OK.’
- To prove authenticity, select ‘Hash’ from the ‘Device’ menu. Once the hashing process has completed, you can save the report at the bottom.
Evidence restoration process:
- Open EnCase Imager and choose ‘Add Evidence File.’
- Browse to find the evidence file you created.
- Double click on the image and check the files to be restored.
- Click ‘Restore’ under the ‘Device’ menu.
- Connect the destination drive and click ‘Next.’ (Warning: all data on this drive will be overwritten.)
- Select the relevant drive, check the hash verification options and click ‘Finish.’
- You will need to type ‘Yes’ into the box to continue.
- Once the restoration is complete, the evidence will be available on the destination drive. You can check the hash values in the accompanying report, which can be added to a text or Word file for future verification.
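The hash steps in both procedures above are what make the copy defensible: the digests recorded at acquisition must match what you recompute later on the image or the restored drive. The following added example (written for this article, not EnCase's own code) streams a raw image or restored device through MD5 and SHA-1, compares the result with the hex values copied from the acquisition report, and produces a plain-text record for the case file. It also checks for the EWF signature that opens every E01 segment, because a file-level hash of an E01 container is not the acquisition hash of the sectors inside it; the sample image and E01 header it runs against are constructed, not real evidence.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# First 8 bytes of every EWF (E01) segment file, per the published EWF format.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"

def hash_file(path, chunk_size=4 * 1024 * 1024):
    """Stream a raw image or block device through MD5 and SHA-1 without loading it into RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def is_ewf_segment(path):
    """True if the file starts with the EWF signature, i.e. it is an E01 container rather than raw data."""
    with open(path, "rb") as fh:
        return fh.read(len(EWF_SIGNATURE)) == EWF_SIGNATURE

def verify_image(path, recorded):
    """Recompute digests and compare with the hex values copied from the acquisition report.
    'verified' is True only when every recorded digest ('md5' and/or 'sha1') matches."""
    current = hash_file(path)
    checks = {a: current[a] == h.strip().lower() for a, h in recorded.items()}
    return {"path": str(path), "checked_at": datetime.now(timezone.utc).isoformat(),
            # Hashing an E01 file covers the container, not the acquired sectors inside it.
            "ewf_container": is_ewf_segment(path), "current": current,
            "checks": checks, "verified": bool(checks) and all(checks.values())}

def format_report(r):
    """Plain-text verification record that can be pasted into the case notes."""
    note = "NOTE: E01 container; file hash is not the device acquisition hash\n" if r["ewf_container"] else ""
    rows = "".join(f"  {a.upper()} {r['current'][a]} {'MATCH' if ok else 'MISMATCH'}\n" for a, ok in r["checks"].items())
    return f"Verification of {r['path']} at {r['checked_at']}\n{note}{rows}RESULT: {'VERIFIED' if r['verified'] else 'FAILED'}"

def demo():
    """Run the check on a constructed raw image and a constructed E01 header (sample data, not evidence)."""
    with tempfile.TemporaryDirectory() as d:
        raw, e01 = Path(d) / "suspect_drive.dd", Path(d) / "suspect_drive.E01"
        data = b"constructed sample sectors\x00" * 2048
        raw.write_bytes(data)
        e01.write_bytes(EWF_SIGNATURE + b"\x01\x01\x00\x00\x00")
        recorded = {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest().upper()}
        good = verify_image(raw, recorded)
        bad = verify_image(raw, {"md5": "0" * 32})  # simulates an altered image or report
        print(format_report(good))
        return good, bad, is_ewf_segment(e01)
```

Call demo() to run it against the constructed sample; in a real case, pass the restored drive's path and the digests from the acquisition report to verify_image() and keep the returned report with the evidence.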
The examples above highlight the central role of digital forensic software in solving complex criminal and civil cases. Both fraudsters and killers overestimate their ability to cover their digital tracks. Nevertheless, the trail isn’t always easy to follow. The top digital forensic minds need the help of sophisticated technology to win in the courtroom. EnCase has a proven track record that has earned it a place in the professional investigator’s toolbox.
Brent Whitfield is the CEO of DCG Technical Solutions Inc., located in Los Angeles, CA, since 1993. DCG provides specialist advice and IT services to Los Angeles-area businesses that need to remain competitive and productive while being sensitive to limited IT budgets. Brent writes and blogs frequently and has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. https://www.dcgla.com was recognized among the Top 10 Fastest Growing MSPs in North America by MSP Mentor. Because of Brent’s experience as an MSP, he actively serves on partner advisory councils for many of the major MSP vendors providing backup, RMM, and software to the market. He also leads SMBTN – Los Angeles, an MSP peer group that focuses on continuing education for MSPs and IT professionals. Twitter: @DCGCloud
On the web
For the full story on the exploitation of Bin Laden’s digital media, see this CNET article.