What Can EnCase Identify That Other Digital Forensics Tools Can’t?
If you are a digital forensics specialist or enthusiast, you will no doubt have come across the EnCase tool. It is often one of the first pieces of software employed when digital documents need to be thoroughly investigated.
But what is so special about EnCase? Wouldn’t other, less well-known tools uncover the same types of information EnCase has been able to? After all, there are plenty of alternatives (FTK, Oxygen, X-Ways, Helix, Winhex, Logicube Talon, Replica, etc.) and most forensic specialists will use a number of different tools depending on the use case.
This article picks out three areas where EnCase can claim an advantage over its rivals, areas that contribute to its strong reputation in both digital forensics and proactive cyber security.
Carving Image Files
Carving is the process by which discrete files are separated from other information in unallocated disc space. This is done via the identification of the header and trailer/footer codes associated with certain file types and is a core skill that should be mastered by digital forensic specialists.
While EnCase is not normally valued for its carving abilities (in fact, it is often criticised for its performance with this function), it does often outperform many competing tools on carving image files. This is especially important in cases involving visual evidence (e.g. child pornography).
To try this out using the EnCase Evidence Processor, select the ‘File Carver’ module. You can then select from a host of file types including documents, spreadsheets, charts, presentations, emails and pictures. The more options you select, the slower the process, so try to reduce these to the likely sources of the information you are looking for.
You will find every type of image file under the sun under the ‘picture’ option and you can even import your own file type. By checking the ‘search unallocated’ option, EnCase will search for these images without referring to the file system of the drive. But what exactly is it looking for? Take for example a simple JPEG image. This will always begin with an identifying header ‘FFD8FFE0’ and trailer ‘FFD9.’ By locating these hex values, EnCase can retrieve deleted images and, by searching within unallocated space, this even includes images within corrupted or reformatted drives.
Once processing has been completed, the recovered images can be viewed under the records menu (look at the Carver entries in the Evidence Processor and the images will be in the unallocated clusters folder). All images can be sorted by name and size etc. (although not by date as this information is not preserved outside of a file table).
Once you have recovered all the images you need, you can select them and save them in one or more folders using the ‘bookmark’ function. These folders can then be added to an examination report for use in your case.
The above process uses EnCase 7.10 and the steps may vary in other versions of the program.
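To make the header/trailer logic concrete, here is a minimal signature-based JPEG carver, added as an illustration and not code from EnCase. It accepts both JFIF (FF D8 FF E0) and Exif (FF D8 FF E1) headers, ends each hit at the next FF D9 trailer, never consults a file system, and reports a picture whose tail has been overwritten as an incomplete fragment; the "unallocated space" it scans is a constructed byte string.

```python
import re
from typing import List, Tuple

# SOI marker followed by an APP0 (JFIF) or APP1 (Exif) marker; matching the
# two bytes FF D8 alone would produce far too many false hits on binary data.
JPEG_HEADER = re.compile(rb"\xff\xd8\xff[\xe0\xe1]")
JPEG_TRAILER = b"\xff\xd9"  # EOI marker


def carve_jpegs(raw: bytes) -> List[Tuple[int, int, bool]]:
    """Return (offset, length, complete) for every JPEG candidate in raw.

    complete is False when no EOI trailer follows the header; the fragment is
    still reported up to the end of the stream, since a truncated image is
    often partly viewable and worth bookmarking.
    """
    hits, pos = [], 0
    while (m := JPEG_HEADER.search(raw, pos)) is not None:
        start = m.start()
        end = raw.find(JPEG_TRAILER, start + 4)
        if end == -1:  # tail overwritten: report what survives and stop
            hits.append((start, len(raw) - start, False))
            break
        end += len(JPEG_TRAILER)
        hits.append((start, end - start, True))
        pos = end  # resume after this image so its bytes are not rescanned
    return hits


def fake_jpeg(payload: bytes, app_marker: bytes = b"\xe0") -> bytes:
    """Constructed stand-in for a JPEG: SOI, one APPn marker, payload, EOI."""
    return b"\xff\xd8\xff" + app_marker + payload + JPEG_TRAILER


# Constructed unallocated clusters: filler, a JFIF image, a run of 0xFF bytes
# (which must not confuse the header match), an Exif image, leftover text from
# a deleted document, and finally a picture whose EOI was overwritten.
UNALLOCATED = (
    b"\x00" * 64
    + fake_jpeg(b"JFIF-image-data-" * 4)
    + b"\xff" * 32
    + fake_jpeg(b"Exif-image-data-" * 3, app_marker=b"\xe1")
    + b"deleted-text-fragment" * 2
    + b"\xff\xd8\xff\xe0truncated-picture"
)

if __name__ == "__main__":
    for offset, length, complete in carve_jpegs(UNALLOCATED):
        print(f"offset={offset:4d} length={length:3d} complete={complete}")
```

Real Exif files embed a thumbnail with its own FF D8/FF D9 pair, so a production carver walks the segment lengths rather than stopping at the first trailer it sees.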
Finding Deliberately Hidden Keywords
Although the search function in EnCase can be time consuming, it does have specific advantages that can make a huge difference in a case.
All digital forensics tools have the ability to hunt for keywords within files but many use a physical keyword search mechanism which can miss important keywords, especially those which have been deliberately hidden.
EnCase uses what is termed ‘logical raw keyword searches’ and this differs from physical keyword search programs in a couple of very important ways.
Physical search programs will use the drive’s file system to identify discrete files and search within them for the keywords of interest. However, this depends on the keyword actually being contained within a discrete file or files in the first place.
Consequently, this method will miss any keywords which have been split between files or that are stored in metadata fields or non-contiguous blocks on the disk (i.e. blocks that are not next to one another). Storing keywords in this way is a tactic used by some sophisticated criminals who want to communicate in code with colleagues. This is similar to certain code systems which use patterns to hide meaningful messages within apparently random text.
Logical raw keyword searches do not focus on specific files or locations on a disc. This means that they can identify instances of keywords fragmented between non-contiguous clusters of disc space.
EnCase is also not restricted to searching for ‘western’ character sets. Although the default option is set to ANSI Latin-1 only to speed up processing, searching for characters using UTF8, UTF7, Unicode and Unicode Big-endian is made possible by simply checking the relevant boxes. Checking Unicode is recommended if querying Microsoft Office documents, since these often store non-English characters as 2-byte values in this character set.
The keyword search function of EnCase can be accessed via either the Evidence Processor or the Evidence tab.
Via the Evidence tab, you will need to check the relevant drives and then click ‘Process Evidence.’
If using the Evidence Processor you will need to use the ‘Search for Keywords’ module and either create a new keyword list or import one.
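The following added example (not EnCase code) shows why the encoding checkboxes matter: a raw search scans the whole image byte-for-byte, ignoring file boundaries, but each keyword only matches in the encodings selected. The image is constructed: an allocated text file, a deleted fragment in unallocated space, and a Word-style UTF-16LE run that a Latin-1-only search cannot see.

```python
from typing import Dict, Iterable, List

# Checkbox names from the article mapped to the Python codec that produces the
# same byte pattern ("Unicode" in this context means little-endian UTF-16).
ENCODINGS = {
    "ANSI Latin-1": "latin-1",
    "UTF8": "utf-8",
    "UTF7": "utf-7",
    "Unicode": "utf-16-le",
    "Unicode Big-endian": "utf-16-be",
}
DEFAULT_SELECTION = ("ANSI Latin-1",)  # mirrors the speed-oriented default


def raw_search(image: bytes, keyword: str,
               selected: Iterable[str] = DEFAULT_SELECTION) -> Dict[str, List[int]]:
    """Offsets of every hit for keyword, per selected encoding.

    The scan is purely over bytes: it does not know where files start or end,
    so slack, unallocated clusters and metadata fields are all covered.
    """
    hits: Dict[str, List[int]] = {}
    for name in selected:
        pattern = keyword.encode(ENCODINGS[name])
        found, pos = [], 0
        while (pos := image.find(pattern, pos)) != -1:
            found.append(pos)
            pos += 1  # step one byte so overlapping hits are not skipped
        hits[name] = found
    return hits


# Constructed image: a Latin-1 text file padded to its cluster, a deleted
# fragment that survives in unallocated space, and an Office body-text run in
# UTF-16LE where the u-umlaut is stored as the two bytes FC 00.
IMAGE = (
    b"report.txt: the transfer to Z\xfcrich was approved\n".ljust(96, b"\x00")
    + b"Z\xfcrich".ljust(32, b"\xaa")
    + "Z\u00fcrich".encode("utf-16-le").ljust(64, b"\x00")
)

if __name__ == "__main__":
    print("default (ANSI only):", raw_search(IMAGE, "Z\u00fcrich"))
    print("all boxes checked:  ", raw_search(IMAGE, "Z\u00fcrich", ENCODINGS))
```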
Real Time Endpoint Investigation
The examples above pertain to EnCase’s use in digital forensics, particularly when investigating criminal activity. However, this software is also used by cyber security teams as a powerful and versatile method of post-event investigation and active data breach prevention. EnCase Endpoint Investigator 8.08 has enhanced its already powerful decryption capabilities to cover Apple File System, Dell full disk and Symantec endpoint encryption. As businesses increasingly move into the cloud, the ability to acquire evidence from both cloud-based and on-premises versions of business suites such as Microsoft Office 365 is becoming more important.
For government agencies and large, medium and small businesses, cyber security responsibilities often include a host of tasks such as investigating compliance violations, discreet employee monitoring and preventing intellectual property theft. For smaller teams, this can mean outsourcing forensic investigations to consultants or digital forensic investigation teams. Not only is this expensive but it introduces its own security risks. EnCase Endpoint Investigator can solve this dilemma by acting as a ‘force multiplier’ enabling businesses to keep such sensitive investigations in-house without disrupting operations or reducing productivity. EnCase can simplify the triage process across your entire network by identifying the importance of potential evidence, setting a priority level and requesting further processing where necessary. Its ability to maximize visibility across off and on-network endpoints is a huge advantage and EnCase Mobile Investigator extends the ability to acquire and analyze data to a wide variety of mobile devices. Finally, should a corporate breach end up in the courts, EnCase’s proven ability to produce verifiable evidence will stand businesses in good stead.
EnCase is not the only digital forensic tool and some would say it isn’t even the best. However, the three benefits detailed above do help make the job of the digital forensics specialist and cyber security professional much easier and produce consistently reliable results. It’s no wonder that this tool has an impressive record when it comes to solving a wide range of criminal and civil cases involving everything from contract fraud to multiple homicides. As we have seen, it is also now an increasingly popular choice for cyber security investigations and network breach prevention.
DCG Technical Solutions, Inc.