With the recent proliferation of storage mediums, users are less likely to keep important data locked away in a file cabinet. While this is good news for the trees, there is always the risk that a hard drive or data disk could become corrupted. When data is lost, it’s the IT professional’s job to discover documents or files buried on a hard drive or data disk.
The task might include helping users who have lost their data due to a system failure, or it could be as important as discovering data crucial to a complex court case. This burgeoning field is collectively called computer forensics. Computer forensics tools are ideal for solving cybercrimes, revealing accounting fraud, and more commonly, for the retrieval of accidentally deleted important data files. To help you better understand this type of computer sleuthing, I will share my experience with Guidance Software’s computer forensics tool, EnCase.
EnCaseruns on Windows 98, Me, NT 4.0, 2000, and XP operating systems. The software can acquire and analyze evidence on the following types of file systems: FAT12, FAT16, FAT32, NTFS, HFS, HFS+, CD, EXT2 (Linux), and UFS (UNIX) hard disks and removable media.
I installed and tested the software on a Windows 98 laptop. The installation was very straightforward, requiring just a few clicks of the Next button when the installation wizard presented it. When the installation was complete, I rebooted the system and looked for the icon in the Start menu. However, the icon or text file typically placed on the desktop and Start menu was not visible. I tried installing EnCase again, this time powering down the system completely using Shutdown. Still the icon or text file in the Start menu did not show up. However, when I double-clicked on the program’s executable file (encase3.exe) in the C:\Program Files\EnCase directory, the program launched as expected.
To test the software, I created a document called SEC_Revenue_Statement using Microsoft Word, and entered the following text:
SEC Revenue Statement
In the event of an SEC investigation, please destroy this very important accounting statement regarding our financial operations. 1234567890-=\][';
Big Bad CFO
I saved the Word document to a floppy disk and then proceeded to delete it from the disk. (I did not save it to my hard drive because acquiring the evidence from a 40 GB hard drive is more time-consuming.) Next, I went into EnCase's menu system and selected File | Acquire Evidence. I was prompted to select from the following locations to search for the evidence:
- · Local devices
- · Parallel port
- · Network port
- · Floppy drives
- · Volumes
- · Physical disks
- · Palm pilots
I checked the options for Local Devices and Floppy Disks. Next, I was prompted to select my drive letter. I selected floppy drive A:. The date and time were automatically entered by the system. I named the case Fake SEC Investigation, and I typed Test Case 1 in the Evidence Number field. Then I entered Looking for SEC_Revenue_Statement in the Notes field (see Figure A).
Next, the Analysis Options screen prompted me with the following options for analyzing the data:
- · No
- · Add And Verify
I selected Add And Verify to do a full analysis of the disk and clicked Next. The wizard took me to the Output File screen, which offered the following compression choices:
- · None (Fastest, Largest)
- · Good (Slower, Smaller)
- · Best (Slowest, Smallest)
The Output File screen also prompts you to enter a password. Located on the same screen, the program automatically put in C:\Program Files\Encase\Test Case 1.E01 in the Evidence File Path field. In the File Segment Size field, the program defaulted to 640. I clicked on the Finish button, and the pop up screen disappeared. The disk and CPU started cranking away with the EnCase screen flashing the words Creating Evidence File A.
When it finished, I was prompted for my password. After supplying my password, I was asked if I wanted to acquire any more data. I answered No andselected Preview to open the case file. The resulting menus looked interesting. I selected the Keywords tab and typed SEC Revenue Statement. Next, I selected Search from the Tools drop-down menu. The program searched for a few minutes and came back with eight Search Hit bookmarks. I clicked on some of them and selected Text from the lower tab menu. Lo and behold, I found the contents of my suspicious (and deleted) Word document (see Figure B).
After you acquire the evidence, you need to know how to navigate through the remaining EnCase menus. To create a new case, select New on the menu. You'll then be prompted with the screen shown in Figure C.
|On the File tab, enter the paths for Default Export Folder and Temporary Folder, which already exist on your forensics computer.|
When you select the Global tab (see Figure D), you will be prompted for date and time formats, and you’ll be asked if you want to show numbers in hex. By default, the Picture Viewer is enabled.
The Script Security tab (see Figure E) is for selecting read, write, create, and delete options for the evidence case. These options are important because once you create the case, you’ll want to make sure that it has not been tampered with. By default, all three are selected. Click OK.
As you acquire more data, you can add more evidence to your case by clicking Add on the top menu. EnCase performs an Acquisition Hash (see Figure F) of the evidence so you can go back and verify that it hasn't been tampered with. You can also see the Last Accessed dates, which might be relevant to your investigation.
Lastly, the TimeLine feature (see Figure G) lets you build a sequence of events so you can see what files were accessed and in what order during the time leading up to the loss of data.
Good enough for the feds
Guidance Software’s customers include the U.S. Treasury Department, the Secret Service, the Immigration and Naturalization Service, and the Bureau of Alcohol Tobacco and Firearms. EnCase's efficiency and capability are obvious reasons why this tool appeals to forensic investigators and law enforcement. If you need to perform computer forensics for your user base, whether you’re investigating accounting fraud, hacking, or just trying to recover from a user's document disaster, EnCase is a solid bet for full data recovery.