EnCase
EnCase is a computer forensics product produced by Guidance Software used to analyze digital media (for example in civil/criminal investigations, network investigations, data compliance and electronic discovery). The software is available to law enforcement agencies and corporations.
EnCase includes tools for data acquisition, file recovery, indexing/search and file parsing. Special training is usually required to operate the software.
Data recovered by EnCase has been used successfully in various court systems around the world, such as in the case of the BTK Killer.
Use
EnCase contains tools for several areas of the digital forensic process: acquisition, analysis and reporting. The software also includes a scripting facility called EnScript with various APIs for interacting with evidence.
Acquisition
EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary EnCase Evidence File Format; the compressible file format is prefixed with case data information and consists of a bit-by-bit (i.e. exact) copy of the media interspersed with hashes (usually MD5 or SHA-1) for every 64K of data. The file format also appends an MD5 hash of the entire drive as a footer.
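The verification scheme this layout gives an examiner (a hash per 64K chunk plus a whole-media MD5 footer) can be modelled in a few lines. The following is an added example, not EnCase code and not a parser for the real Evidence File format; it assumes 64K means 64 KiB and simply keeps the chunk hashes in a list next to the raw copy.

```python
import hashlib

CHUNK_SIZE = 64 * 1024   # the article's "every 64K of data", assumed to be 64 KiB


def build_image(media: bytes, algo: str = "md5"):
    """Model the described layout: per-chunk hashes over the bit-for-bit
    copy plus an MD5 of the whole media stored as the footer."""
    chunk_hashes = [hashlib.new(algo, media[off:off + CHUNK_SIZE]).hexdigest()
                    for off in range(0, len(media), CHUNK_SIZE)]
    footer_md5 = hashlib.md5(media).hexdigest()
    return chunk_hashes, footer_md5


def verify_image(media: bytes, chunk_hashes, footer_md5, algo: str = "md5") -> dict:
    """Re-hash every chunk and the whole media; report which chunks no longer
    match (this localises the damage) and whether the footer still verifies."""
    expected = (len(media) + CHUNK_SIZE - 1) // CHUNK_SIZE
    result = {"chunk_count_ok": expected == len(chunk_hashes), "bad_chunks": [],
              "footer_ok": hashlib.md5(media).hexdigest() == footer_md5}
    for i, off in enumerate(range(0, len(media), CHUNK_SIZE)):
        stored = chunk_hashes[i] if i < len(chunk_hashes) else None
        if hashlib.new(algo, media[off:off + CHUNK_SIZE]).hexdigest() != stored:
            result["bad_chunks"].append(i)
    return result


def demo() -> dict:
    """Constructed media of three full chunks plus a short tail; one byte in
    the second chunk is then flipped, and a truncated copy is also checked."""
    media = bytes(range(256)) * (3 * 256) + b"tail"
    hashes, footer = build_image(media)
    tampered = bytearray(media)
    tampered[CHUNK_SIZE + 10] ^= 0xFF
    return {"clean": verify_image(media, hashes, footer),
            "tampered": verify_image(bytes(tampered), hashes, footer),
            "truncated": verify_image(media[:CHUNK_SIZE], hashes, footer)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The per-chunk hashes tell the examiner which 64K block of a damaged image can no longer be trusted rather than only that something changed. MD5 is no longer collision-resistant, so the footer is evidence against accidental corruption rather than against a capable adversary.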
Analysis
After imaging, EnCase can be used to examine the files stored in the image using common tools such as a document viewer and hex editor. It can also examine parts of the filesystem not normally exposed to the user, such as deleted file entries, on-disk checksums and log/journaling data, and it can search for and attempt to recover deleted files.
Reporting
Evidential material can be "bookmarked" within the program and produced as a report in various formats.
Accreditation
In 2001, Jessica M. Bair, a former U.S. Army Criminal Investigation Command Special Agent and computer forensics examiner, created the EnCase Certified Examiner (EnCE) program with John Colbert to certify professionals in the use of Guidance Software's EnCase computer forensics software. By 2009, over 2,100 professionals were certified in EnCase. In 2006, Bair was the technical editor for the Sybex-published Official EnCE Study Guide.
In 2009, Bair created the EnCase Certified eDiscovery Practitioner (EnCEP) program to certify professionals in the use of Guidance Software's EnCase eDiscovery software, as well as their proficiency in eDiscovery planning, project management and best practices spanning legal hold to load file creation.
Countermeasures
Because EnCase is well known and popular with law enforcement, considerable research has been conducted into defeating it (as well as anti-computer forensics in general). The Metasploit Project produces an anti-forensics toolkit, which includes tools to prevent EnCase from finding data or from operating at all. Manual defences are possible too, for example by modifying the file system.
Furthermore, because law enforcement procedures involving EnCase have to be documented and available for public scrutiny in many judicial systems, those wishing to defend themselves against its use have a considerable pool of information to study.
Copies of EnCase have been widely leaked on peer-to-peer file sharing networks, allowing full analysis of the software. Proof-of-concept code exists that can cause EnCase to crash, or even use buffer overflow exploits to run arbitrary code on the investigator's computer. It is known that EnCase is vulnerable to zip bombs, for example 42.zip.