Digital Forensics with EnCase

I attended a BCS event in Dundee last night. The speaker was Guidance Software‘s Russell May, he was discussing and demonstrating EnCase. Russell’s presentation style was very good, a few slides and plenty of demonstrations.

EnCase is a rather powerful tool that provides access to the file systems of Windows, Linux, AIX, OS X, Solaris – or to be more precise: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, ad TiVo┬« 1, TiVo 2, VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats. All this from a single unified interface. It’s a product that is intended to work with “├»mages” rather than live hard drives, which makes perfect sense from an evidence preservation perspective.

Speaking of evidence preservation, Russell showed us a handful of photographs from real live “busts”. He stressed the importance of photographing “the scene”, particularly if you are seizing computer equipment that will be used as evidence. The photographs allow you to recreate the scene very quickly, wiring and all. Also worth photographing is the inside of the computer. Folks tend to hide all sorts of interesting stuff inside their PC’s base unit…Russell has found secondary unconnected hard drives, money and drugs!

Russell brought along a handful of Word documents that contained some text and images. There were documents that looked fairly normal to the untrained eye, i.e. some regular text and some benign images. However, looking at the file size, it is perhaps obvious that we were not being shown the big picture [sic]. Indeed, one of the documents had one large image sitting on top of 4 slightly smaller images. Another document appeared to contain nothing more than a short paragraph of text – in reality, an embedded Picture Object had its width and height set to 0…all we could see were the overlapping grab handles (which looked remarkably like a full-stop!)

Further examples saw Russell restore deleted partitions, identify numerous files with the incorrect extension (e.g. .VXD instead of .JPG), discover DOS batch files (.BAT) that convert between file extensions. We were even able to see how EnCase dealt with Alternate Data Streams (ADS). One thing that we didn’t see was how EnCase handled encrypted drives (using, for example, Private Disk, BitLocker, etc.)

I was pleased to see Russell push home the fact that the Format command doesn’t actually wipe out anything. The Format command actually performs a number of reads (typically three) and a verify. Any sectors that fail this read-verify test are marked as bad sectors and are thus ignored. In a nutshell, using FDisk and/or Format isn’t enough to stop a tool like EnCase or even a disk sector editor (such as this one by Acronis).

My key “take away” was the fact that EnCase and all other software-based forensic tools struggle with files that have been securely deleted using such tools as Eraser, SDelete or CCleaner. These tools offer a variety of secure delete options, including 1-pass, 3-pass US DoD 5220.22-M (8-306/E), 7-pass US DoD 5220.22-M (8-306/E, C and E) and 35-pass (Gutmann). The importance of this fact cannot be under-estimated – if you plan to dispose of your PC, it’s important to clear it out such that the next owner cannot recover your personal data, The BBC reports tales of woe from folks who didn’t clear out their hard drives here, here and here.

Personally, I use Eraser and CCleaner – both have a clean Windows user interface, Eraser even integrates with the Shell so that it appears when you right-click on a file or folder. If you are using CCleaner, the secure deletion options are secreted away here:


…and if you’re using Eraser, the Edit -> Preferences -> Erasing (Control-E) menu option leads to this screen:


Related Links
EnCase (and here)
Secure File Deletion – Eraser, SDelete, CCleaner
Alternate Data Streams
Gutmann’s algorithm – Secure Deletion of Data from Magnetic and Solid-State Memory (here also)
Encrypted Disks – Private Disk, BitLocker

If you found this information useful, please consider donating via PayPal!

Technorati Tags: , , , , , , , , , , , , , ,

Confidence Tricks

This seems to have been a weekend for computer support. Today, Sunday, I found myself looking at an eMachines PC that refused to connect to the Internet using the https protocol. The machine’s owner had already mentioned that he had ditched Norton Antivirus (and gone through a lot of pain trying to uninstall it) and had chosen WinAntiVirus as a replacement. Why? Well, a moderately reputable web-site “popped” something up that told him his computer needed “fixing”, a fake “you are infected” type of message. WinFixer and WinAntiVirus would “fix it” for a small fee. To all extents and purposes, it sounds fairly legit, you pay your money, you get a download link for a couple of products, you believe that you’re protected. Except, these two products do little more than invite their friends (ad-ware, spyware, malware, etc.) in to play about on your computer. From there, it goes from bad to worse. And it’s not new as this post confirms.

Luckily, I was able to uninstall WinFixer and WinAntiVirus, disable a whole raft of browser hijacks and clear down 115 items of ad-ware, spyware and malware. Whilst I was there, I killed off all the remaining Norton services and lingering processes. After a reboot and a re-scan, I was pleased to see the Windows XP shield appear at the bottom right – a clear sign that prior to my arrival something was “blocking” it thus preventing Automatic Updates from taking place. WinFixer and WinAntiVirus may not have themselves been blocking Automatic Updates and other security-related activities (such as blocking scanning software), but they were certainly responsible for something getting on the computer that did.

FWIW, the tools that I used to help me are: Crap Cleaner, Spybot and HijackThis.

On the premise that this is one of those “how do you know” scenarios, a piece of advice that I can offer is this:

If a pop-up window (or an advert within a web page) tells you that your PC is infected and offers a “clean up” solution, either ignore it or at least put it into your favourite search engine. Google, for example, provides this advisory:


Related links:

Technorati Tags: , , , , , , , , ,

IE7 Connecting…

One of my wife’s friends popped in yesterday. Seems her laptop just “went and installed IE7”. After the installation was complete, when trying to visit a web-site, IE7 would just sit there attempting to connect, displaying “Connecting…” in the solitary tab. It also consumed huge amounts of CPU time giving the impression that the machine was slow.

I know John has been lamenting about this sort of issue over here and here. And Dan was kind enough to offer his good advice elsewhere in this blog. So add-ons seemed to be the logical place to start. However, even setting the Tools -> Internet Options -> Home Page to about:blank, it’s difficult to get to the Add-ons menu in order to actually do anything with them. Of course, being the sly individual that I am, I used HijackThis to rummage around myself.

I was pleased to read this Microsoft posting that highlights a menu option that most users may not have discovered:


[scroll down and look for Toolbars that are incompatible with Internet Explorer 7]

This menu option will at least prove that your IE7 installation is working as it should. Sadly IE7’s Tools->Manage Add-ons menu item is greyed out, so you can’t simply go in and turn all the Add-ons off from here. However, you can choose Tools->Internet Options and then click on the Programs tab thus revealing the Manage Add-ons button, as the screenshots here confirm.

Armed with the knowledge that IE7 was working fine, I could now set about looking for the offending Add-on. Without beating about the bush, it turns out that it was the Norton Internet Security Add-on that was causing all the problems: disabling it forced NIS to go in search of a fix for itself, which, to my amazement, it found. It would appear that I am not alone, others are having similar problems as this post suggests.

Anyway, my wife’s friend now has a working laptop, with IE7 and NIS running happily, so all is well. YMMV

Technorati Tags: , , , , ,

Vista Developer Launch – webcast – live now!

If you couldn’t make it to Reading for the launch itself, it is being streamed live here:

More information here:

Line up for today, day 1, track 1:

1045 – 1200 Extending the Microsoft Office User Interface – Mike Taulty
1245 – 1345 Microsoft Office and XML – Making the Data Work for You – Mark Johnston
1400 – 1500 Beyond Office: Extending Your Reach with Office Server – Mike Ormond
1515 – 1615 Microsoft Office SharePoint Server – Business Intelligence and Content Management Solutions – Martin Parry
1630 – 1730 Microsoft Office SharePoint Server – New Collaboration Features and Workflow – Daniel Moth

Track 2:

1045 – 1200 Clarity – Presentation Advances in the .NET Framework Version 3.0 – Mark Johnston
1245 – 1345 Clarity – Presentation Advances in Windows Vista – Daniel Moth
1400 – 1500 Confidence – Security and Reliability with Windows Vista – Martin Parry
1515 – 1615 Connectivity – Windows Vista for Syndication and Workflow – Mike Ormond
1630 – 1730 Connectivity – Distributed Applications on Windows Vista – Mike Taulty

On-demand downloadable versions of the sessions can be found here.

Technorati Tags: , , , ,

Yet another instance of software that sucks…

Last year I lamented about how BT expected me to contact my administrator to solve their problem.

Tonight, whilst trying to book some flights via AirMiles, I stumbled upon this unbelievable error message:


Amazingly, I had used the drop-down menu to select London Heathrow. Even when using the “type destination” option that forces the correct destination airport to be selected, this error still appeared. And hey, where’s the magnifying glass icon on this page?

Frankly, this isn’t the first problem I’ve endured with this particular web-site. It’s virtually impossible to book British Airways flights through it. I ended up buying flights through because it was easier. Here’s the kind of nonsense it presents us with when we endeavour to pay for a flight:


I wouldn’t mind, but there are no items “highlighted below in red”. Clicking on “Get available flights” and changing any or all of the flight combinations makes no difference. Personally, I don’t believe that “the system” should allow us to get this far if there are problems with availability – in fact, I’m sure there’s a conspiracy theory behind this.

Now, you might be thinking that I’m perhaps being a little harsh with this posting. Perhaps you’re right. However, since I went to the effort of writing to this particular flight vendor back in July 2006 when I endured my first failed booking, I got back a pretty nondescript response. Now that I’ve gone through the same pain again tonight, I’m going to be taking the matter up with them once again. However this time, I’ll bypass customer services and write to their top man. Be afraid.

Technorati Tags: , , ,

Vista, ReadyBoost – compability chart

ReadyBoost, one of Vista’s performance enhancing features, allows us to plug in flash memory (USB drives, SD cards, etc.)

The Lexar 512MB 40x Compact Flash card that I purchased for another purpose wasn’t fast enough, even when connected to my internal card reader (which may also be slowing things down a tad). So that led me to wonder just what is “fast enough” for ReadyBoost…and then I discovered that Grant Gibson has a great post covering ReadyBoost compatible devices.

More information can be found here.

Technorati Tags: , ,

WordPress Widgets and Google Adsense

I’ve upgraded my blog to use widgets and in the process upgraded a few other things to use widgets too.

I’m using Otto’s Google Adsense widget, it’s working very well.

Except, as you may recall reading here and here, there is an issue relating to the WordPress post preview and Google Adsense that could result in Google blocking your Adsense account.

I’ve not checked to see if the problem has “gone away”, but to be on the safe side, I’ve hacked Otto’s gadsense.php widget to prevent Google Adsense blocks from appearing in the preview. Here’s the code fragment that includes the hack, lines 10 and 12 are the ones to look out for:

[code lang=”php”]
function widget_adsense($args, $number = 1) {
$options = get_option(‘widget_adsense’);
$title = $options[$number][‘title’];
$text = $options[$number][‘text’];

is_preview): ?>

Technorati Tags: , , ,