Choman Saleem
Guidance Software EnCase Forensics v 7.0
Every day, unprecedented steps in computing technology continue to transform our world and help push the boundaries of information sharing. During the 20th century, computing technology improved millions of lives while changing the landscape of our economy and society. However, criminals often misuse digital devices and use them to aid their nefarious activities. The field of digital forensics grew exponentially with the personal computing revolution of the late 1980s. Since then, numerous laws, government agencies, and private organizations have stepped up to provide resources and improve the landscape of digital forensics. Additionally, a variety of digital forensics software has been released to aid the preservation, identification, extraction, interpretation, and documentation of digital evidence. One of the leading streamlined products in the ever-growing field of digital forensics is Guidance Software’s EnCase Forensics V7.0.
Computer forensics currently does not have a lot of standardization across the industry because it is still in its infancy compared to other forms of forensics. However, EnCase Forensics has been highly regarded as a top software suite time and time again and has become the unofficial standard in digital investigation technology. The software allows users to create images and examine data from an array of sources such as hard disks, removable media such as CDs and USB drives, RAIDs, RAM, and even Personal Digital Assistants (PDAs) (Digital Intelligence). Smartphones and tablets have flooded the market and serve as personal data repositories. EnCase Forensics also allows investigators to acquire data from Android devices, iPhones, and most popular smartphones and tablets. The flexibility of EnCase Forensics is one of the reasons for its global success. EnCase can be used to complete the most mundane tasks or to perform extremely sophisticated operations. Among its features are multiple acquisition modes, powerful searches, automatic reports, unmatched support, bookmark features, Internet and email investigations, and multiple views. Additionally, EnCase Forensics comes with automation tools and lets investigators write custom scripts with EnScript (http://www.digitalintelligence.com/software/guidancesoftware/encase7/).
Every digital forensics software package comes with search capabilities. EnCase Forensic can uncover critical evidence on physical and logical media that would be irretrievable with other tools. The search options include proximity search, Unicode index search, binary search, case-sensitive search, right-to-left reading, Big Endian/Little Endian, UTF-8/UTF-7, and the ability to search file slack and unallocated space. Users can also install active code pages, which can be used for finding keywords in numerous languages. EnCase Forensic can search all allocated files, whereas other forensic utilities often cannot logically search across data clusters.
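The search options just listed (UTF-8 and UTF-16 big/little endian matching, case sensitivity, and hits that fall in unallocated space rather than in a file) can be shown on a raw byte image. The code below is an added illustration, not EnCase code or its search engine: the image bytes, the allocated extent list, and the 0xAA filler are all constructed for the demo.

```python
import re
from dataclasses import dataclass

ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

@dataclass
class Hit:
    offset: int      # byte offset inside the image
    encoding: str    # encoding in which the keyword matched
    region: str      # "allocated" (inside a file extent) or "unallocated"

def keyword_pattern(keyword: str, encoding: str, case_sensitive: bool) -> bytes:
    """Build a byte regex for one keyword in one encoding.

    Case folding is done per character *before* encoding, so the byte layout
    of each encoding (including UTF-16 endianness) is preserved."""
    if case_sensitive:
        return re.escape(keyword.encode(encoding))
    parts = []
    for ch in keyword:
        variants = {ch.lower().encode(encoding), ch.upper().encode(encoding)}
        parts.append(b"(?:" + b"|".join(re.escape(v) for v in variants) + b")")
    return b"".join(parts)

def search_image(image: bytes, keywords, allocated_extents, case_sensitive=True):
    """Return every hit across all encodings, labelled by region, sorted by offset."""
    hits = []
    for kw in keywords:
        for enc in ENCODINGS:
            for m in re.finditer(keyword_pattern(kw, enc, case_sensitive), image):
                region = "unallocated"
                for start, end in allocated_extents:
                    if start <= m.start() < end:
                        region = "allocated"
                hits.append(Hit(m.start(), enc, region))
    return sorted(hits, key=lambda h: h.offset)

# Constructed sample image: one allocated "file", then free space that still
# holds remnants of deleted data. Filler is 0xAA rather than 0x00 so that a
# UTF-16LE string is not also reported as a UTF-16BE string shifted by a byte.
FILE_DATA = b"Report: the Password is hunter2\x00"
FREE_SPACE = (b"\xaa" * 16 + "password".encode("utf-16-le")
              + b"\xaa" * 8 + "PASSWORD".encode("utf-16-be") + b"\xaa" * 4)
SAMPLE_IMAGE = FILE_DATA + FREE_SPACE
ALLOCATED = [(0, len(FILE_DATA))]  # (start, end) byte extents owned by files

if __name__ == "__main__":
    for hit in search_image(SAMPLE_IMAGE, ["password"], ALLOCATED, case_sensitive=False):
        print(hit)
```

The two UTF-16 hits sit outside every allocated extent, which is exactly the kind of evidence a logical, file-by-file search misses.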
When beginning an investigation and going through the acquisition process, EnCase gives investigators an array of options. Investigators can create a bitstream image that is verified by Cyclical Redundancy Checksum (CRC) blocks followed by multiple hashing validation checks. Additionally, if a user needs to interrupt a target acquisition on a large drive, EnCase has the ability to pause the process and continue at a later time without any problems. After the acquisition, users get a wealth of additional information, such as file name, file extension, last accessed, file creation date, last written, entry modified, logical size, physical size, Message Digest 5 (MD5) hash value, permissions, starting extent, and original path of the file.
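The verification scheme described above, a CRC per block plus hashes over the whole bitstream, together with a paused-and-resumed acquisition, can be reproduced in a few lines. This is an added example and not EnCase's evidence-file implementation; the source "drive", the 64-byte block size, and the tampered byte are all constructed for the demo.

```python
import hashlib
import io
import zlib

BLOCK_SIZE = 64  # assumed for the demo; real imagers use much larger blocks

def acquire(source, start_block=0, max_blocks=None, block_size=BLOCK_SIZE):
    """Read up to max_blocks blocks from a file-like source, starting at
    start_block, and return [(data, crc32), ...]. Because every block is
    CRC-stamped as it is read, a paused acquisition resumes by calling this
    again with the next start_block instead of re-reading the drive."""
    source.seek(start_block * block_size)
    blocks = []
    while max_blocks is None or len(blocks) < max_blocks:
        chunk = source.read(block_size)
        if not chunk:
            break
        blocks.append((chunk, zlib.crc32(chunk)))
    return blocks

def image_hashes(blocks):
    """Validation hashes over the whole bitstream (MD5, as the text names, plus SHA-256)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for data, _ in blocks:
        md5.update(data)
        sha.update(data)
    return md5.hexdigest(), sha.hexdigest()

def verify(blocks, expected_md5, expected_sha256):
    """Return (indexes of blocks whose CRC no longer matches, hashes_ok).
    The CRC list says *which* block changed; the image hashes say *whether*
    the evidence as a whole is still what was acquired."""
    bad = [i for i, (data, crc) in enumerate(blocks) if zlib.crc32(data) != crc]
    hashes_ok = image_hashes(blocks) == (expected_md5, expected_sha256)
    return bad, hashes_ok

# Constructed stand-in for a source drive: 300 bytes of deterministic noise.
SOURCE_BYTES = bytes((i * 131 + 7) % 256 for i in range(300))

def demo():
    """Interrupted-then-resumed acquisition, verification, and a tamper check."""
    src = io.BytesIO(SOURCE_BYTES)
    first = acquire(src, start_block=0, max_blocks=2)      # acquisition paused here
    image = first + acquire(src, start_block=len(first))   # ...and resumed later
    md5, sha = image_hashes(image)
    bad, ok = verify(image, md5, sha)
    # Flip one byte inside block 3 (simulated post-acquisition corruption).
    data, crc = image[3]
    tampered = image[:3] + [(data[:10] + b"\x00" + data[11:], crc)] + image[4:]
    bad2, ok2 = verify(tampered, md5, sha)
    return {"blocks": len(image), "bad": bad, "ok": ok, "bad_tampered": bad2,
            "ok_tampered": ok2, "intact": b"".join(d for d, _ in image) == SOURCE_BYTES}

if __name__ == "__main__":
    print(demo())
```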
Successful software is often available on multiple platforms, and EnCase Forensics does not fall short in that respect. EnCase Forensics supports Windows 95/98/NT/2000/XP/2003 Server, Linux kernel 2.4+, Solaris 8/9, AIX, and Apple OS X. EnCase also supports multiple file systems, such as FAT12/16/32, NTFS, EXT2/3 (Linux), UFS, AIX Journaling File System, LVM8, FFS, NetBSD/FreeBSD, Palm, HFS, HFS+, CDFS, DVD, ISO 9660, UDF, and TiVo 1 and 2. EnCase Forensics supports corporate environments by uniquely supporting the imaging and analysis of RAID arrays, Windows Servers, and virtual environments like VMware and Microsoft Virtual PC.
Being able to analyze and search a vast collection of data is paramount for forensics and analysis tools. Once evidence is collected and archived, EnCase Forensics offers powerful analytical functions. Automated Analysis uses SweepCase, which gives investigators the ability to perform different types of analysis without having to use different tools. Investigators can sort files by 30 different fields, including file names, file signatures, hash value, permissions, time stamps, extensions, and file paths. There are more than 150 filters provided with EnCase, ranging from deleted files to password-protected and encrypted files (“Guidance Software – Transforming Your Investigations”). Other analytical functions include a variety of queries, international language support, encrypted volumes and hard drive encryption, link file examination, an Active Directory information extractor, hardware analysis, folder recovery, log and event files, symbolic links, compound documents, and even a built-in registry viewer. Reporting and documenting is an integral part of a digital investigator’s job. EnCase Forensic has a number of automatic reports that can be created with ease. The reports also contain bookmarks, a timeline of files, intellitype, and time zone settings.
EnCase Forensics has been a key player in the world of digital forensic products, and it is here to stay (“SC Magazine”). Among its users are law enforcement, government agencies, private businesses, and corporations. EnCase Forensics is a crucial tool for handling evidence in a format that courts can trust. More than 50,000 digital investigation professionals have been trained by experts at Guidance Software training centers, among them law-enforcement agents and legal associates. In December of 2012, the United States Department of Treasury publicly recognized EnCase as the only suite that could meet all of its needs when it comes to internal investigations and forensically sound, court-validated discovery (“David”). While EnCase Forensics holds a dominant corner of the digital evidence investigation market, Guidance Software does have competitors, among them AccessData Group, E-Fense, F-Response, and MANDIANT. While these competitors offer great products, none of them come with the polish, support, and flexibility of EnCase Forensics. One of the weaknesses of EnCase Forensics is the hefty price tag that it comes with: the latest version, v7.0, costs $2,995.00 USD. While EnCase has a proprietary file format that is very widely accepted, it is able to work with other common file types. Its scripting language, EnScript, is also a proprietary language. Finally, EnCase Forensics does not target amateurs and students who want to tinker with forensics tools, but well-established, serious digital investigators and law enforcement agents who are already in the field.
References
Digital Intelligence. N.p. Web. 15 Nov 2013. <http://www.digitalintelligence.com/software/guidancesoftware/encase7/>.
"SC Magazine." Guidance Software EnCase Forensic v7. SC Magazine, 01 05 2013. Web. 15 Nov 2013. <http://www.scmagazine.com/guidance-software-encase-forensic-v7/review/3872/>.
Bennit, David. "The Challenges Facing Computer Forensics Investigators in Obtaining Information from Mobile Devices for Use in Criminal Investigations." Forensic Focus. 20 08 2011. Web. 09 Nov 2013. <http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/>.
"Guidance Software Forensics - Transform Your Investigations." Guidance Software. Web. 15 Nov 2013. <http://www.cits.co.za/uploads/3/0/5/1/3051645/encase_forensic_features.pdf>.