This article was published in The Computer Paper, a Canada Computer Paper publication.

A week at forensics school

By Dave Chappelle, posted 2002

Much of the research and interviews for "Sherlock Holmes meets data" came during writer Dave Chappelle's week at Guidance Software's training facility in California. Following is a report about his classroom experience.

Our class was composed of 19 men and four women. The majority were from law enforcement agencies, but others worked in fields like private sector risk assessment, law firms, or network system administration. Some would admit only that they work for a national government. At least one California detective wore a holstered handgun, and admitted he had another in his pocket.

The Guidance Software classroom setup is straightforward: a whiteboard, instructors' desks and computers at the front, and three columns of student desks. Students sit two to a desk, and each student has a PC and flat-panel monitor. Between each pair of student monitors is another flat panel, which mirrors the instructor's computer. Three instructors work the room simultaneously, rotating roles: one gives the lesson while the other two help students.

Since the introductory course was for people with no computer experience, I attended the intermediate class. Classes begin at 8:00 a.m. and run until 5:30 p.m., with an hour for lunch and 10-minute breaks every hour.

The intermediate course was fairly fast-paced. While the instructor talked, he demonstrated the technique, navigating around the program with the speed and efficiency of a practiced user. It was easy to miss a step by taking your eyes off what he was doing.

I was surrounded by experienced forensic law enforcement professionals and system administrators who appeared to readily absorb information that was completely new to me. By the afternoon of the second day some, including me, were lost. Thankfully, the instructors helped us catch up. It was frustrating, as we're used to being the knowledgeable computer professionals.

Despite a tremendous amount of help and encouragement from instructors, it was an extremely humbling experience; at times painfully reminiscent of days spent sitting in a college calculus class trying to figure out what was going on.

What we learned (that we can tell)

There's more to gathering evidence than one might first imagine. An investigator must decide how much surveillance to perform, and then whether to seize the equipment and search it afterwards, or to search it on site and then seize it. The search warrant must be worded carefully.

Then comes questions of strategy: How many people are necessary to perform the search? Will outside specialists versed in a particular operating system or hardware be required? How will the connection between the suspect drive and the forensic drive be made?

Everything in the forensic investigation must be documented. If an investigator simply connects a forensic computer to a suspect computer, who is to say there is not another hard disk inside the suspect system that is only used for illegal activity?

We learned that for each case it's good practice to begin by creating new Case, Evidence, Temp or Trash, and Export folders on a separate logical drive of your forensic computer, so that the acquired evidence is kept apart from the examiner's working files.

We opened a new case file and imported the contents of the disk to be studied. Guidance Software's EnCase application archives this in the evidence file. To verify integrity, every 64-sector (32 KB) block of data is stored with its own 32-bit CRC value.

When the software acquires a physical or logical volume it calculates an MD5 hash value, which is written into the evidence file and becomes part of the evidence documentation. The hash value can be compared every time an evidence file is added to a case, to verify the evidence file has not changed.
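The two-level integrity scheme described above (a CRC on every 64-sector block, plus an MD5 of the whole acquired image that is re-checked whenever the evidence file is added to a case) is easy to model. The following is an added, simplified example written for this article; it is not Guidance Software's code or the real evidence-file layout, it works on a constructed in-memory image rather than a seized drive, and the function names are my own. It also demonstrates the checksum-versus-CRC point made in the Forensic Terms list: a plain additive checksum of "1234" equals that of "4321", while their CRCs differ.

```python
"""Simplified model of the EnCase evidence-file integrity scheme:
a 32-bit CRC per 64-sector block plus an MD5 over the whole acquired
image. Constructed example, not Guidance Software's format or code."""
import hashlib
import zlib

SECTOR_BYTES = 512
BLOCK_SECTORS = 64                            # one CRC for every 64 sectors
BLOCK_BYTES = SECTOR_BYTES * BLOCK_SECTORS    # 32 KB per CRC-protected block


def additive_checksum(data: bytes) -> int:
    """Plain checksum: sum of the byte values. Order-insensitive, so
    b'1234' and b'4321' collide, as the glossary notes."""
    return sum(data) & 0xFFFFFFFF


def crc32(data: bytes) -> int:
    """CRC-32 is order-sensitive: the same bytes in a different order
    give a different value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def acquire(image: bytes) -> dict:
    """Build an in-memory 'evidence file': the data split into 64-sector
    blocks, one CRC per block, and the MD5 of the whole image in the header."""
    blocks = [image[i:i + BLOCK_BYTES] for i in range(0, len(image), BLOCK_BYTES)]
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "crcs": [crc32(b) for b in blocks],
        "blocks": blocks,
    }


def verify(evidence: dict) -> tuple[bool, list[int]]:
    """Re-hash the stored data and return (md5_matches, indexes of blocks
    whose CRC no longer matches). Run this each time the file joins a case."""
    bad_blocks = [
        i for i, (block, crc) in enumerate(zip(evidence["blocks"], evidence["crcs"]))
        if crc32(block) != crc
    ]
    md5_ok = hashlib.md5(b"".join(evidence["blocks"])).hexdigest() == evidence["md5"]
    return md5_ok, bad_blocks


def flip_byte(evidence: dict, offset: int) -> dict:
    """Return a copy of the evidence with one data byte inverted at `offset`
    (constructed tampering, to show which block the per-block CRCs flag)."""
    data = bytearray(b"".join(evidence["blocks"]))
    data[offset] ^= 0xFF
    blocks = [bytes(data[i:i + BLOCK_BYTES]) for i in range(0, len(data), BLOCK_BYTES)]
    return {"md5": evidence["md5"], "crcs": list(evidence["crcs"]), "blocks": blocks}


# Constructed stand-in for an acquired floppy or drive image: three full
# blocks plus a partial final block, deterministic so results are reproducible.
SAMPLE_IMAGE = bytes((i * 31 + 7) & 0xFF for i in range(3 * BLOCK_BYTES + 1000))


def demo() -> None:
    print("sum('1234') == sum('4321'):", additive_checksum(b"1234") == additive_checksum(b"4321"))
    print("crc32('1234') == crc32('4321'):", crc32(b"1234") == crc32(b"4321"))
    evidence = acquire(SAMPLE_IMAGE)
    print("clean image verifies:", verify(evidence))
    print("after flipping one byte in block 1:", verify(flip_byte(evidence, BLOCK_BYTES + 5)))


if __name__ == "__main__":
    demo()
```

The MD5 in the header answers the question "is this the same image I acquired?", while the per-block CRCs tell the examiner where a damaged or altered copy differs, which is why a single flipped byte makes the whole-image check fail and names exactly one block. The real format also stores compression flags and header metadata that this model leaves out.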

How to deal with erased media is included in the program, as is how to safeguard against inadvertently destroying potential evidence. To demonstrate the recovery power of EnCase, the class erased floppy disks and then recovered and verified their entire contents. The contents of USB drives, Compact Flash cards, and Palm PDAs were also analyzed. Deleted files can be recovered and deleted partitions rebuilt, provided the data itself has not been overwritten; an ordinary erase or format removes only the references to the data.

The user interface of EnCase is a series of panes. The right pane includes Table, Gallery, Timeline, and Report views. By gathering and sorting, a Table is composed, images are viewed in Gallery, an evidence Timeline is established, and a Report of the findings is generated. Reports are fully customizable. Filters and EnScripts also appear in the right pane; filters narrow the view when looking at files or folders.

Forensic investigators don't always have time to decide what is or isn't porn, so they bring up the images on a drive in Gallery view and let a vice-squad investigator decide. Once images are classed as illegal, the forensic technician can print them out along with their header and file information.

The left-pane views offer Case, Bookmark, and Keyword. Different case files can be opened at the same time.

In the bottom pane are views for Text, Hex, Report, Picture, Disk, and Evidence. Here, various properties of the disk or subject media are displayed in whatever view the operator decides.

EnCase is a thorough and deep program that requires a lot of study. As EnCase instructor Mike Fowler says, "Now that my focus is on instructing, it hurts me to think of what I missed as an investigator. The functionality was there, I just wasn't using it. I want to make sure every student who leaves this class knows how to use the product to its fullest potential."

Forensic Terms

Case file: An EnCase file with the ".cas" extension. It contains information specific to one case, with pointers to evidence, bookmarks, search results, and hash and signature analysis reports.

Checksum: A computed value, stored along with data, to detect corruption of that data.

CRC: Cyclic Redundancy Check, a variation of the checksum that is order-sensitive. The data strings 1234 and 4321 produce the same simple checksum, but not the same CRC.

EnScript: EnCase script files with the ".esc" extension, written in a high-level programming language resembling a cross between Java and C, that operate on the data from the drive.

Evidence file: The central component of the EnCase methodology. It contains a header, checksums, and data blocks that work together to provide a secure, self-checking description of the state of a computer disk at the time of acquisition.

GREP: The expression syntax of the UNIX grep search utility, used in EnCase to describe search terms that produce specific matches.

Hash: A fixed-size value calculated from data by an algorithm, used to verify that the data has not changed.

Header: The leading bytes of a file, which identify its type and provide information about it.

MD5 Hash: Message Digest 5, a 128-bit hash. EnCase records it at acquisition and recomputes it to verify that an evidence file has not changed.

Partition: A portion of a hard drive. Drives must be partitioned before formatting and installing an operating system.

Signature: In EnCase, the combination of a file's header, file extension, and file type. All three should agree; if they do not (for example, an image file renamed with a ".txt" extension), the file may have been deliberately altered to disguise it.

Temp or Trash file: Where temporary files used by EnCase during examination are stored.

Copyright © 2002
