Digital Forensic Tool: Encase
Table of Contents
- Digital Forensics
- Introduction of Encase
- Tool Description
- Exercise) Simple Case Image
Forensic science is the scientific method of gathering and examining information about the past. It is especially important in law enforcement, where forensics is done in relation to criminal or civil law, but forensic methods are also used in other fields, such as astronomy, archaeology, biology and geology, to investigate the distant past.
As digital devices spread rapidly and become part of people's daily lives, law enforcement found that evidence may exist on digital devices and began investigating them. This branch of forensic science is called Digital Forensics.
As its name says, Digital Forensics gathers, examines and analyzes information about the past from digital devices, and it has a sub-field for each kind of investigation target. Digital Forensics therefore consists of Disk Forensics, Live Forensics, Network Forensics, Mobile Forensics, Cloud Forensics, etc.
Since digital information consists of 0s and 1s, it can be modified very easily; a small action can turn the data into entirely different information. Investigators therefore have to be concerned with the integrity of the data: they need to be extra careful and use trusted tools for collection and analysis so that the data can be used as evidence. In practice integrity is demonstrated by hashing the evidence (MD5, SHA-1 or SHA-256) at acquisition and re-hashing it whenever it is loaded later, so that any change, however small, shows up as a mismatch. FTK (Forensic Toolkit), EnCase, Final Data, etc. are considered trusted forensic investigation tools.
What is Encase
EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. The company also offers EnCase training and certification. Data recovered by EnCase has been used successfully in various court systems around the world, such as in the cases of the BTK Killer and the murder of Danielle van Dam.
In short, EnCase is one of the best-known tools for computer forensics investigation and analysis. It has features such as evidence collection (imaging), deleted-file browsing and recovery, live forensics, and advanced forensic analysis.
o Product Line
- EnCase Forensic : basic analysis tool for hard disks in local computers
- Field Intelligence Model (FIM) : investigator's tool for collecting evidence images in the field
- EnCase Enterprise : used for enterprise-wide monitoring; reduces the time needed for incident response
o Supported File Systems
- FAT12, FAT16, FAT32 / NTFS / EXT2, EXT3 / CDFS / HFS, HFS+ / PALM / UFS
As the figure above shows, EnCase has three panes (Tree / Table / View). The Tree Pane shows the directory tree. The Table Pane lists the files in the item selected in the Tree Pane. The View Pane displays detailed information about the file selected in the Table Pane.
In EnCase, a Case is the management unit for one investigation. To create a new case, click File->New or the New button in the toolbar. The Case Options dialog then appears and asks for the case name, the examiner name, a default export folder and a temporary folder. The default export folder is where recovered data is saved. The temporary folder holds temporary files, like the Windows Temp folder does. By pointing the temporary folder somewhere other than the Windows Temp folder, changes to the target system can be kept to a minimum.
After creating the case, add the target device that you want to analyze: click File->Add Device... or the Add Device button in the toolbar.
Make an Image File of a Device
Select the disk you want to image, right-click it and choose Acquire.
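The Acquire step copies the device block by block and records a hash of what was read, so the image can be verified later. As an added example (not EnCase code; EnCase's own evidence file additionally stores per-block CRCs and the acquisition hash inside the E01 container), the script below does the same for a flat dd-style image: it hashes every byte during acquisition, writes a sidecar record, re-hashes the image to verify, and shows that flipping a single byte is detected. The "device" is a constructed temporary file; on a real system the source path would be a block device such as /dev/sdb opened read-only.

```python
"""Acquire a flat image of a source while hashing it, then verify the image
against the acquisition record. Added example; the source 'device' below is
a constructed temporary file, not real evidence."""
import hashlib
import json
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time; a real block device is read the same way


def acquire(source_path, image_path):
    """Copy the source to image_path, hashing every byte that is read.
    Returns the acquisition record that must be kept with the image."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-hashed
    record = {"source": source_path, "image": image_path, "size": size,
              "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    with open(image_path + ".json", "w") as f:  # sidecar record beside the image
        json.dump(record, f, indent=2)
    return record


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def verify(image_path, record):
    """Re-hash the image and compare with the record. Any change to the
    image, even a single byte, yields a mismatch and returns False."""
    md5, sha256 = hash_file(image_path)
    return (md5 == record["md5"] and sha256 == record["sha256"]
            and os.path.getsize(image_path) == record["size"])


def demo():
    """Constructed scenario: acquire a fake device, verify, flip one byte
    in the image, verify again. Returns (ok_before, ok_after, record)."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "fake_device.bin")
        image = os.path.join(d, "evidence.dd")
        with open(device, "wb") as f:
            f.write(b"CASE-2014 sample sectors " * 4096)  # 102400 bytes of constructed data
        record = acquire(device, image)
        ok_before = verify(image, record)
        with open(image, "r+b") as f:  # simulate accidental modification
            f.seek(777)
            b = f.read(1)
            f.seek(777)
            f.write(bytes([b[0] ^ 0x01]))
        ok_after = verify(image, record)
        return ok_before, ok_after, record


if __name__ == "__main__":
    before, after, rec = demo()
    print("verified right after acquisition:", before)
    print("verified after one flipped byte: ", after)
    print("md5:", rec["md5"], " sha256:", rec["sha256"])
```

Two hashes are recorded because MD5 alone is no longer adequate for demonstrating integrity; older tools and reports still expect it, so keeping both lets the image be matched against either.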
Registering Keywords
#1. In the Tree Pane, use the '▶' arrow to find the Keywords tab.
#2. Right-click the 'Keywords' icon to open the New Keyword window.
#3. Set the keyword's search expression, name and options (for example case sensitivity, GREP to treat the expression as a regular expression, and Unicode to also match UTF-16 text).
#4. Check that the keyword has been registered correctly.
Using Keywords in Search
#1. In the Tree Pane, check the directories that contain the files you want to search.
#2. Then select the files to search through in the Table Pane.
#3. After selecting the files, go to 'Tools (menu) > Search...'. The Search window will pop up.
#4. Set the search options and press the Start button to begin the search.
#5. Wait for the search to finish; progress is shown at the bottom-right corner of the window.
#6. When the search is done, a dialog reports that searching is complete, and the results appear in the Search Hits tab of the Tree Pane.
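To make the keyword options concrete, here is an added example (my own code, not EnCase's) that runs keywords over raw image bytes the way the procedure above does: a literal keyword is searched as ASCII and, with the Unicode option on, as UTF-16LE (how Windows stores most strings, which a plain text search misses because of the interleaved NUL bytes), case sensitivity is a flag, and a GREP keyword is applied to the bytes as a regular expression (ASCII-only in this example, a simplification). The sample "image" is constructed inline.

```python
"""Keyword search over raw image bytes with ASCII / UTF-16LE / GREP options.
Added example, not EnCase code; SAMPLE is constructed test data."""
import re
from dataclasses import dataclass


@dataclass
class Keyword:
    name: str
    expression: str
    case_sensitive: bool = False
    grep: bool = False        # treat expression as a regular expression
    unicode: bool = True      # also search the UTF-16LE encoding of a literal


def compile_keyword(kw):
    """Return (encoding, compiled bytes pattern) pairs for one keyword."""
    flags = 0 if kw.case_sensitive else re.IGNORECASE
    if kw.grep:
        # regex applied directly to the raw bytes (ASCII-only simplification)
        return [("grep", re.compile(kw.expression.encode("ascii"), flags))]
    patterns = [("ascii", re.compile(re.escape(kw.expression.encode("ascii")), flags))]
    if kw.unicode:
        # IGNORECASE folds the ASCII byte of each UTF-16LE code unit; the
        # interleaved NUL bytes simply match themselves.
        patterns.append(("utf-16-le",
                         re.compile(re.escape(kw.expression.encode("utf-16-le")), flags)))
    return patterns


def search(data, keywords):
    """Run every keyword over the image bytes. Returns hits sorted by offset,
    each with keyword name, matching encoding, byte offset and decoded text,
    which is what a Search Hits list shows."""
    hits = []
    for kw in keywords:
        for enc, pat in compile_keyword(kw):
            for m in pat.finditer(data):
                decoded = m.group(0).decode("ascii" if enc == "grep" else enc, errors="replace")
                hits.append({"keyword": kw.name, "encoding": enc,
                             "offset": m.start(), "match": decoded})
    return sorted(hits, key=lambda h: (h["offset"], h["keyword"]))


# Constructed sample "image": an e-mail header fragment in ASCII, a UTF-16LE
# string as found in Office documents or the registry, and a card number.
SAMPLE = (
    b"\x00" * 16
    + b"From: alice@example.org\r\nSubject: wire transfer\r\n"
    + b"\x00" * 8
    + "Wire Transfer confirmed".encode("utf-16-le")
    + b"\x00" * 8
    + b"card 4111-1111-1111-1111 exp 12/19"
    + b"\x00" * 16
)

KEYWORDS = [
    Keyword("wire", "wire transfer"),                        # literal, case-insensitive, ASCII + UTF-16LE
    Keyword("card", r"\d{4}-\d{4}-\d{4}-\d{4}", grep=True),  # GREP keyword for card-number shape
    Keyword("mail", r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", grep=True),
]

if __name__ == "__main__":
    for h in search(SAMPLE, KEYWORDS):
        print(f"{h['offset']:6d}  {h['keyword']:<5} {h['encoding']:<9} {h['match']!r}")
```

Running it lists the ASCII hit for "wire transfer" at offset 50 and the UTF-16LE hit for "Wire Transfer" at offset 73; with case_sensitive=True only the first remains, which is the difference the Case Sensitive option makes in practice.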
Gallery & Picture
Pictures can be very useful in some cases. EnCase has a Picture feature, an image viewer that shows what picture a file contains, and a Gallery feature which displays all image files (jpeg, png, gif, etc.) in the checked folders.
* In some cases you have to run a keyword search beforehand for these features to show anything.
Recovering Deleted Files
As you can see, EnCase displays some files that an ordinary file browser doesn't show.
These include deleted files, damaged files, deleted folders and hard-linked files. With EnCase we can recover some of them.
Extracting Normal/Deleted Files (files only)
#1. Select the files you want to unerase and choose the Copy/UnErase menu.
#2. Proceed through the Copy/UnErase wizard.
#3. The recovered file appears in the path you set as the extraction destination.
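Why "some of them" and not all? A deleted file's directory entry usually survives (on FAT with its first byte overwritten by 0xE5) and still points at the first cluster and the size, but the cluster chain in the FAT is cleared, so an unerase can only read the clusters that follow contiguously and hope none were reused. The following added example (my own minimal FAT12 parser, not EnCase code) builds a tiny volume in memory with one live and one deleted file, lists both the way the Tree/Table panes would, and recovers the deleted one under exactly that assumption. Layout values and file contents are constructed for the example.

```python
"""Minimal FAT12 deleted-file recovery, as an added illustration of what
Copy/UnErase does with file-system metadata (not EnCase code). The volume is
constructed in memory: 512-byte sectors, one sector per cluster, 1 reserved
sector, one FAT of 1 sector, 16 root directory entries."""
import math
import struct

SECTOR = 512
DELETED_MARK = 0xE5          # first byte of a directory entry once the file is deleted
DIR_ENTRY = "<11sB10sHHHI"   # name, attr, 10 bytes of times/hi-cluster, wtime, wdate, cluster, size
BPB = "<HBHBHHBH"            # bytes/sector, sectors/cluster, reserved, FATs, root entries,
                             # total sectors, media byte, sectors/FAT (BPB at offset 11)


def parse_bpb(img):
    bps, spc, rsvd, nfats, root_ent, _total, _media, spf = struct.unpack_from(BPB, img, 11)
    fat_off = rsvd * bps
    root_off = fat_off + nfats * spf * bps
    return {"bps": bps, "spc": spc, "fat_off": fat_off, "root_off": root_off,
            "data_off": root_off + root_ent * 32, "root_ent": root_ent}


def fat12_get(img, fat_off, n):
    off = fat_off + (n * 3) // 2
    val = img[off] | (img[off + 1] << 8)
    return val & 0xFFF if n % 2 == 0 else val >> 4


def fat12_set(img, fat_off, n, val):
    off = fat_off + (n * 3) // 2
    cur = img[off] | (img[off + 1] << 8)
    cur = (cur & 0xF000) | (val & 0xFFF) if n % 2 == 0 else (cur & 0x000F) | ((val & 0xFFF) << 4)
    img[off], img[off + 1] = cur & 0xFF, cur >> 8


def build_sample_image():
    """Constructed test volume: HELLO.TXT (live) and SECRET.TXT (deleted)."""
    img = bytearray(SECTOR * 64)
    struct.pack_into(BPB, img, 11, SECTOR, 1, 1, 1, 16, 64, 0xF8, 1)
    bpb = parse_bpb(img)
    live = b"meeting notes: nothing unusual here\n"
    secret = b"transfer 40,000 to account 12345 on friday\n" * 20   # 860 bytes, two clusters
    img[bpb["data_off"]:bpb["data_off"] + len(live)] = live          # cluster 2
    fat12_set(img, bpb["fat_off"], 2, 0xFFF)                         # 2 -> end of chain
    start = bpb["data_off"] + SECTOR                                 # clusters 3 and 4
    img[start:start + len(secret)] = secret
    # deletion zeroed the FAT entries for clusters 3 and 4 but left the data
    for i, (name, clus, size) in enumerate([(b"HELLO   TXT", 2, len(live)),
                                            (b"SECRET  TXT", 3, len(secret))]):
        struct.pack_into(DIR_ENTRY, img, bpb["root_off"] + 32 * i,
                         name, 0x20, b"\0" * 10, 0, 0, clus, size)
    img[bpb["root_off"] + 32] = DELETED_MARK                         # SECRET.TXT deleted
    return bytes(img), secret


def list_entries(img):
    """Walk the root directory, including the entries a normal browser hides."""
    bpb, out = parse_bpb(img), []
    for i in range(bpb["root_ent"]):
        raw = img[bpb["root_off"] + 32 * i:bpb["root_off"] + 32 * (i + 1)]
        if raw[0] == 0:
            break                                   # no more entries
        name, _attr, _, _, _, clus, size = struct.unpack(DIR_ENTRY, raw)
        deleted = name[0] == DELETED_MARK
        base = (b"_" + name[1:8] if deleted else name[:8]).decode("ascii").rstrip()
        ext = name[8:].decode("ascii").rstrip()
        out.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                    "first_cluster": clus, "size": size})
    return out


def read_file(img, entry):
    """Live file: follow the FAT chain. Deleted file: the chain is gone, so
    assume the clusters are contiguous from the first cluster and read
    ceil(size / cluster size) of them. This is why only some deleted files
    come back intact: a fragmented or partly overwritten file yields garbage."""
    bpb = parse_bpb(img)
    csize = bpb["spc"] * bpb["bps"]
    n, data = entry["first_cluster"], bytearray()
    for _ in range(math.ceil(entry["size"] / csize)):
        off = bpb["data_off"] + (n - 2) * csize
        data += img[off:off + csize]
        n = n + 1 if entry["deleted"] else fat12_get(img, bpb["fat_off"], n)
        if not entry["deleted"] and n >= 0xFF8:
            break                                   # end-of-chain marker
    return bytes(data[:entry["size"]])


if __name__ == "__main__":
    image, _ = build_sample_image()
    for e in list_entries(image):
        state = "deleted" if e["deleted"] else "live"
        print(f"{e['name']:<12} {state:<8} {e['size']:5d} bytes -> {read_file(image, e)[:40]!r}")
```

The deleted entry shows up with its first character replaced (here "_ECRET.TXT"), which is also how forensic tools display FAT entries whose first byte was overwritten. Always hash and document the recovered output: because recovery rests on the contiguity assumption, a recovered file should be validated (file signature, viewer, or keyword hits) before it is relied on.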
References
- EnCase, https://en.wikipedia.org/wiki/EnCase
- Forensic Science, http://en.wikipedia.org/wiki/Forensic_science
Copyright © 2014 ICS Lab. Ajou Univ. All rights reserved.