Digital Forensics with EnCase

I attended a BCS event in Dundee last night. The speaker was Guidance Software‘s Russell May, he was discussing and demonstrating EnCase. Russell’s presentation style was very good, a few slides and plenty of demonstrations.

EnCase is a rather powerful tool that provides access to the file systems of Windows, Linux, AIX, OS X, Solaris – or to be more precise: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, ad TiVo┬« 1, TiVo 2, VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats. All this from a single unified interface. It’s a product that is intended to work with “├»mages” rather than live hard drives, which makes perfect sense from an evidence preservation perspective.

Speaking of evidence preservation, Russell showed us a handful of photographs from real live “busts”. He stressed the importance of photographing “the scene”, particularly if you are seizing computer equipment that will be used as evidence. The photographs allow you to recreate the scene very quickly, wiring and all. Also worth photographing is the inside of the computer. Folks tend to hide all sorts of interesting stuff inside their PC’s base unit…Russell has found secondary unconnected hard drives, money and drugs!

Russell brought along a handful of Word documents that contained some text and images. There were documents that looked fairly normal to the untrained eye, i.e. some regular text and some benign images. However, looking at the file size, it is perhaps obvious that we were not being shown the big picture [sic]. Indeed, one of the documents had one large image sitting on top of 4 slightly smaller images. Another document appeared to contain nothing more than a short paragraph of text – in reality, an embedded Picture Object had its width and height set to 0…all we could see were the overlapping grab handles (which looked remarkably like a full-stop!)

Further examples saw Russell restore deleted partitions, identify numerous files with the incorrect extension (e.g. .VXD instead of .JPG), discover DOS batch files (.BAT) that convert between file extensions. We were even able to see how EnCase dealt with Alternate Data Streams (ADS). One thing that we didn’t see was how EnCase handled encrypted drives (using, for example, Private Disk, BitLocker, etc.)

I was pleased to see Russell push home the fact that the Format command doesn’t actually wipe out anything. The Format command actually performs a number of reads (typically three) and a verify. Any sectors that fail this read-verify test are marked as bad sectors and are thus ignored. In a nutshell, using FDisk and/or Format isn’t enough to stop a tool like EnCase or even a disk sector editor (such as this one by Acronis).

My key “take away” was the fact that EnCase and all other software-based forensic tools struggle with files that have been securely deleted using such tools as Eraser, SDelete or CCleaner. These tools offer a variety of secure delete options, including 1-pass, 3-pass US DoD 5220.22-M (8-306/E), 7-pass US DoD 5220.22-M (8-306/E, C and E) and 35-pass (Gutmann). The importance of this fact cannot be under-estimated – if you plan to dispose of your PC, it’s important to clear it out such that the next owner cannot recover your personal data, The BBC reports tales of woe from folks who didn’t clear out their hard drives here, here and here.

Personally, I use Eraser and CCleaner – both have a clean Windows user interface, Eraser even integrates with the Shell so that it appears when you right-click on a file or folder. If you are using CCleaner, the secure deletion options are secreted away here:

ccleaner.gif

…and if you’re using Eraser, the Edit -> Preferences -> Erasing (Control-E) menu option leads to this screen:

eraser.gif

Related Links
EnCase (and here)
Secure File Deletion – Eraser, SDelete, CCleaner
Alternate Data Streams
Gutmann’s algorithm – Secure Deletion of Data from Magnetic and Solid-State Memory (here also)
Encrypted Disks – Private Disk, BitLocker

If you found this information useful, please consider donating via PayPal!




Technorati Tags: , , , , , , , , , , , , , ,