British Computer Society Coventry Branch
Computer Forensics


 

Computer Forensics and the EnCase Forensic Analysis Tool

N.B. The Coventry branch has had two lively talks about computer forensics. This is the second talk, and it demonstrates how far the field has moved on.

 


Contents

  • Summary: So, what are you leaving behind?
  • The Four Principles
  • How these are applied in practice
  • The EnCase Forensic Analysis Tool
  • Some Gotchas
  • Image Hiding
  • How to prevent yourself from leaving anything behind
 

 

 

So, what are you leaving behind?

The answer is: everything. With the forensic tools now available to the police, you cannot hide anything. The *only* reliable way to prevent anyone reading your hard disk is to
  • remove it from the case
  • drop it from the top of a very tall building
  • finish it off with a sledge-hammer
We saw demonstrated just how easy it is for law enforcement agencies to recover information from a "deleted" hard drive. FDISK, FORMAT and defrag remove little more than the partition table and the root directory; the data clusters themselves are left on your hard drive. Russell and his colleagues are well experienced, and now train internationally in the art of identifying and recovering complete file systems from supposedly deleted disks.

You have been warned.

Basic Principles of Forensic Analysis

Three years ago the Association of Chief Police Officers (ACPO) set out four simple guidelines on computer evidence. These establish the basic principles of acquiring evidence from computer systems and are now accepted by the courts in the United Kingdom (and elsewhere).
  • Principle 1
    • No action taken by the Police or their agents should change the data held on a computer or other media.
      • Where possible computer data must be ‘copied’ and that version examined.
  • Principle 2
    • In exceptional circumstances it may be necessary to access the original data held on a target computer.
      • However it is imperative that the person doing so is competent and can account for their actions
  • Principle 3
    • An audit trail must exist to show all the processes undertaken when examining computer data.
  • Principle 4
    • The onus rests with the person in charge of the case to show that a computer has been correctly examined in accordance with the law and accepted practice.

How these are applied in practice

  • A bit-wise image of the contents of all the digital media is made (in chunks of up to 640 MB, so that each chunk can be burned onto a CD):
    • Hard Drives
    • Floppy disks
    • CD-ROMs (etc.)
    • ZIP drives
    • Flash cards
  • The original media is stored and the forensic analysis is carried out using the copied image. This avoids pollution of the originals.
  • If it is necessary to switch on the suspect's machine, then an image is restored to a new, clean, drive and that is installed in the suspect's machine.
  • The evidence is retrieved and produced in a readable form for the police and the courts, with an audit trail kept along the way to show what has been done.

Bitwise Image

In order to produce a bit-wise image of ALL the relevant data, the following steps are taken:
  • The suspect's machine(s) are physically opened to expose the hardware. Of special interest are hard drives included in the case but not connected up. (These often have lots of evidence on them!)
  • Disconnect the hard drive(s) and connect them up via a write blocker, which intercepts every write command sent to the drive and discards it. This is important to prevent the operating system from updating anything on the hard drive(s) (for example last-access timestamps) while the image is taken.
  • A copy is made (using Windows, because this is faster than a DOS copy) to a new, clean (previously wiped and formatted) hard drive in a "laboratory machine". This obviously has to be larger than all the media being copied!
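The acquisition steps above (copy everything bit for bit, split the copy into CD-sized chunks, never go back to the original, keep an audit trail) in a small Python script. This is an added illustration, not something the speaker showed or part of EnCase: an ordinary file stands in for a write-blocked drive, and the names `acquire`, `verify`, `demo`, the `image.NNN` chunk naming and the `audit.json` record are this example's own choices. Every chunk and the whole byte stream are hashed with SHA-256 as they are written, so a later check can prove the image (or any one CD) is still what was taken.

```python
"""Image a source in fixed-size chunks, hashing as we go, and keep an audit
record so the copy can be verified later without touching the original.
Added example: the 'source' here is an ordinary file standing in for a
write-blocked drive, and every name below is this example's own choice."""
import hashlib
import json
import os
import tempfile


def acquire(source_path, out_dir, chunk_bytes, block=1 << 20):
    """Read source_path once, front to back, writing out_dir/image.NNN chunks
    of chunk_bytes each (the last may be shorter). Returns the audit record,
    which is also written to out_dir/audit.json."""
    os.makedirs(out_dir, exist_ok=True)
    whole = hashlib.sha256()          # hash of the complete byte stream
    chunks, total, idx = [], 0, 0
    with open(source_path, "rb") as src:
        while True:
            name = "image.%03d" % idx
            part, size = hashlib.sha256(), 0
            with open(os.path.join(out_dir, name), "wb") as out:
                while size < chunk_bytes:
                    buf = src.read(min(block, chunk_bytes - size))
                    if not buf:
                        break
                    out.write(buf)
                    part.update(buf)
                    whole.update(buf)
                    size += len(buf)
            if size == 0:                     # source exhausted on a chunk boundary
                os.remove(os.path.join(out_dir, name))
                break
            chunks.append({"file": name, "bytes": size, "sha256": part.hexdigest()})
            total += size
            idx += 1
            if size < chunk_bytes:            # short chunk: that was the end
                break
    audit = {"source": os.path.basename(source_path), "chunk_bytes": chunk_bytes,
             "total_bytes": total, "sha256": whole.hexdigest(), "chunks": chunks}
    with open(os.path.join(out_dir, "audit.json"), "w") as f:
        json.dump(audit, f, indent=2)
    return audit


def verify(out_dir):
    """Re-hash the chunks in order against audit.json.
    Returns (all_hashes_match, recomputed_whole_sha256)."""
    with open(os.path.join(out_dir, "audit.json")) as f:
        audit = json.load(f)
    whole, ok = hashlib.sha256(), True
    for c in audit["chunks"]:
        part = hashlib.sha256()
        with open(os.path.join(out_dir, c["file"]), "rb") as f:
            for buf in iter(lambda: f.read(1 << 20), b""):
                part.update(buf)
                whole.update(buf)
        ok = ok and part.hexdigest() == c["sha256"]
    ok = ok and whole.hexdigest() == audit["sha256"]
    return ok, whole.hexdigest()


def demo():
    """Constructed 1.5 MiB source imaged in 512 KiB chunks, verified, then
    one byte of the second chunk is flipped and verified again.
    Returns (audit, ok_before, whole_hash_before, ok_after_tamper)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "suspect.bin")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 6144)      # deterministic filler, not real evidence
    out = os.path.join(tmp, "image")
    audit = acquire(src, out, chunk_bytes=512 * 1024)
    ok_before, whole_before = verify(out)
    with open(os.path.join(out, audit["chunks"][1]["file"]), "r+b") as f:
        f.seek(100)
        b = f.read(1)
        f.seek(100)
        f.write(bytes([b[0] ^ 0xFF]))
    ok_after, _ = verify(out)
    return audit, ok_before, whole_before, ok_after


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The single flipped byte in `demo` is the point of the audit record: a chunk that no longer matches its recorded hash is detected without any reference to the original drive, which is exactly what Principle 1 wants to avoid touching again.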

Evidence Retrieval

  • Once all the media are imaged, the images can all be loaded into the forensic analysis tool, so that disparate data can be correlated.
  • The analyst marks and retrieves data of evidential value; this may take several days.
  • The evidence is presented in a readable form for the court or tribunal (i.e. in a form that laymen can understand. This may include interpreting directory entries back into a file tree, raw data back into images, and so on.)

The EnCase Forensic Analysis Tool

Russell gave us a demonstration of this very powerful tool. It is a single executable and occupies 800K on a floppy disk.....
Some of its features are:
  • It is accepted by the courts and validated in case law
  • It is a non-invasive computer forensic investigative tool
  • It caters for large volumes of data
  • It reads FAT, NTFS, Apple, UNIX and Linux file systems
  • It has an integrated environment which allows users to perform all functions of forensic analysis
  • It has a powerful programming language allowing users to create their own scripts
  • It uses UNIX 'grep'-style regular expressions for pattern matching, as this is the most expressive search syntax available
  • Any data can be analysed, and where it is found to contain an image the tool can retrieve that image from the source (even if it is embedded, deleted or zipped).
  • EnCase can show data as data or in a picture gallery. The tool keeps all pictures together so the complete set of images discovered can be viewed.
  • It can show a histogram-type display of the whole drive by date and time, showing where adjacent activity occurred (e.g. lots of files hitting a web cache during a browser session).

Some other gotchas

  • Links on the desktop (shortcuts) need space to store the information about the link. The rest of that cluster is "empty" slack space, and EnCase can show what was there before!
  • Registry entries have a user number in them (the RID on the end of the account's SID). The built-in Administrator is always 500; ordinary users are numbered upwards from 1000. This makes it possible to see which user did what.
  • Likewise for the recycle bin, which keeps each user's deleted files in a sub-folder named after that user's SID.
  • FDISK does not delete much. Removing a partition writes 64 bytes of zeros over the partition table in the master boot record; all the rest of the data on the disk is left intact. EnCase enables the operator to recover the file system (OK, it loses the top-level folder names, but intelligent operators can soon guess what those were).
  • FORMAT destroys the root directory (and, on FAT, rewrites the allocation tables) only; all the rest of the file system is left intact.
  • Defrag operates on the file system, moving things around. On a disk whose root directory has been zeroed out it thinks it has nothing to do, so all the rest is left where it was.
  • USB "thumb" drives and flash cards have a FAT file system, which can be recovered in the same way.
  • Images are often "hidden" in container files (doc, xls, ppt). JPG images have a header that is a give-away: a simple search for the JPG header signature finds every one in all the data in the case. Then all the operator has to do is save the container under its original file type, open it in the relevant application and show how the image has been hidden.
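What the FDISK gotcha above looks like at the byte level, as an added example that is not from the talk or from EnCase: the MBR's partition table is 4 entries of 16 bytes at offset 446, so "deleting all partitions" rewrites exactly 64 bytes, and the FAT and NTFS boot sectors the entries pointed at are still where they were. The script parses the table, zeros it the way FDISK does, and then finds the volumes again by scanning every sector for a boot-sector signature plus the file-system name its BIOS parameter block carries. The disk image is constructed in `make_sample_disk`; the function names and the layout (FAT16 at LBA 63, NTFS at LBA 1063) are this example's own assumptions.

```python
"""What FDISK's 'delete partition' really touches: the 64-byte partition
table at offset 446 of the master boot record. The FAT/NTFS boot sectors
it pointed at survive, so a sector-by-sector scan gets the partitions back.
Added example on a constructed disk image; no real tool's output is used."""
import struct

SECTOR = 512
PT_OFFSET = 446                 # 4 entries x 16 bytes = 64 bytes, then 0x55AA
BOOT_SIG = b"\x55\xaa"


def parse_partition_table(mbr):
    """Return (type, lba_start, sector_count) for each in-use MBR entry."""
    entries = []
    for i in range(4):
        e = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = e[4]
        lba, count = struct.unpack_from("<II", e, 8)
        if ptype and count:
            entries.append((ptype, lba, count))
    return entries


def fdisk_delete_all(disk):
    """Mimic deleting every partition: zero the 64-byte table, nothing else."""
    return disk[:PT_OFFSET] + b"\x00" * 64 + disk[PT_OFFSET + 64:]


def scan_for_boot_sectors(disk):
    """Walk every sector looking for a FAT or NTFS boot sector: the 0x55AA
    signature plus the file-system name the BIOS parameter block carries.
    Returns (fs_name, lba, total_sectors_field) per hit."""
    hits = []
    for lba in range(1, len(disk) // SECTOR):       # sector 0 is the MBR itself
        s = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != BOOT_SIG:
            continue
        if s[3:11] == b"NTFS    ":
            hits.append(("NTFS", lba, struct.unpack_from("<Q", s, 40)[0]))
        elif s[54:59] in (b"FAT12", b"FAT16"):
            small = struct.unpack_from("<H", s, 19)[0]   # 16-bit total sectors
            large = struct.unpack_from("<I", s, 32)[0]   # 32-bit total, if small is 0
            hits.append((s[54:59].decode(), lba, small or large))
        elif s[82:87] == b"FAT32":
            hits.append(("FAT32", lba, struct.unpack_from("<I", s, 32)[0]))
    return hits


def make_sample_disk():
    """Constructed 1 MiB disk: MBR, a FAT16 volume at LBA 63, NTFS at LBA 1063."""
    disk = bytearray(2048 * SECTOR)

    def fat16_boot(total):
        b = bytearray(SECTOR)
        b[0:3], b[3:11] = b"\xeb\x3c\x90", b"MSDOS5.0"
        struct.pack_into("<HB", b, 11, 512, 1)      # bytes/sector, sectors/cluster
        struct.pack_into("<H", b, 19, total)         # total sectors (16-bit field)
        b[54:62], b[510:512] = b"FAT16   ", BOOT_SIG
        return b

    def ntfs_boot(total):
        b = bytearray(SECTOR)
        b[0:3], b[3:11] = b"\xeb\x52\x90", b"NTFS    "
        struct.pack_into("<HB", b, 11, 512, 8)
        struct.pack_into("<Q", b, 40, total)         # total sectors (64-bit field)
        b[510:512] = BOOT_SIG
        return b

    parts = [(0x06, 63, 1000), (0x07, 1063, 985)]   # (type, lba, count)
    for i, (ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3sB3sII", disk, PT_OFFSET + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    disk[510:512] = BOOT_SIG
    disk[63 * SECTOR:64 * SECTOR] = fat16_boot(1000)
    disk[1063 * SECTOR:1064 * SECTOR] = ntfs_boot(985)
    return bytes(disk)


if __name__ == "__main__":
    d = make_sample_disk()
    print("before:", parse_partition_table(d))
    w = fdisk_delete_all(d)
    print("after FDISK:", parse_partition_table(w))
    print("recovered by scan:", scan_for_boot_sectors(w))
```

Everything past sector 0 is byte-for-byte identical before and after the "delete", which is the whole gotcha; a real tool does the same scan over a far larger disk and also looks for backup boot sectors and superblocks.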

Some simple (and not-so-simple) hiding techniques

(N.B. just because your idea is not in this list, doesn't mean they don't know about it!!)
  • Hide an image in normal.dot
    • then save a white square over the top of it
    • or wind brightness and contrast up to 100%
  • Hide an image in a Word (etc.) document
    • then hide it behind another image
    • or format it to 0% by 0% and use it as a full stop (a hi-tech micro-dot!)
    • or use steganography to hide a small image inside a larger one
  • How to make the latter harder to spot:
    • Encrypt the evidential image
    • Zip it
    • Embed it steganographically in a larger bitmap/TIF/GIF image
      • There are tools to show that something is there, but they are not yet good enough to show what it is. (Encryption scrambles the image header, making the hidden image harder to find in the first place.)
      • If the police seize the machine on which the steganographic embedding was done, they often get the "before" and "after" pictures but not the image that was hidden inside.
      • However, they do detect that something dodgy is going on, because laymen don't use steganography: they don't assume they are being watched!
      • (JPEG is a lossy method of storing images, so bits hidden in its pixel data do not survive the compression; it is therefore not suitable as a carrier for this technique.)
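The "search for every JPG header" trick from the gotchas list, applied to images tucked inside a Word-style container as in the hiding techniques above. This is an added example, not code from the talk or from EnCase, and the "document" it carves is constructed inline (a zip-like prefix, one JPEG carrying an Exif thumbnail, a stray signature that is not a JPEG, and a plain JPEG). The point a practitioner needs: locating the `FF D8 FF` start is easy, but stopping at the first `FF D9` truncates any JPEG whose Exif segment holds a thumbnail, because that thumbnail has its own end marker. Walking the marker segments by their length fields, and skipping stuffed `FF 00` and restart markers inside the scan data, finds the real end.

```python
"""Find JPEGs anywhere in a blob of data (an Office container, a zip, file
slack) by locating the FF D8 FF signature and walking the marker structure
to the matching EOI, rather than grabbing the first FF D9 that follows.
Added example; the sample container is constructed, not a real document."""
import struct

SOI = b"\xff\xd8\xff"   # Start Of Image, always followed by another marker


def jpeg_end(data, start):
    """Offset one past the EOI of the JPEG whose SOI is at data[start],
    or None if the marker structure is broken or truncated."""
    n, pos = len(data), start + 2
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI: done
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM, RSTn: no length field
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len        # skips the whole segment, Exif thumbnail included
        if marker == 0xDA:        # SOS: entropy-coded data runs until a real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def naive_jpeg_end(data, start):
    """The shortcut the carver above avoids: first FF D9 after the SOI."""
    eoi = data.find(b"\xff\xd9", start)
    return None if eoi < 0 else eoi + 2


def carve_jpegs(data):
    """Every structurally valid JPEG in data, as [(offset, bytes)]."""
    found, pos = [], 0
    while True:
        start = data.find(SOI, pos)
        if start < 0:
            return found
        end = jpeg_end(data, start)
        if end is None:                           # stray signature: step past it
            pos = start + 1
            continue
        found.append((start, data[start:end]))
        pos = end


def _seg(marker, payload):
    """One length-prefixed marker segment (used only to build the sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def make_sample_jpeg(with_exif_thumbnail):
    """Minimal JPEG skeleton with valid markers (not a viewable picture).
    The scan data contains a stuffed FF 00 and an RST0 marker on purpose."""
    scan = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd0\x56"
    body = b"\xff\xd8"
    if with_exif_thumbnail:                       # a second JPEG nested in APP1
        body += _seg(0xE1, b"Exif\x00\x00" + b"\xff\xd8" + scan + b"\xff\xd9")
    body += _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    body += _seg(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
    return body + scan + b"\xff\xd9"


# Constructed "document": zip-like header, a JPEG with an Exif thumbnail,
# a stray signature that is not a JPEG, and a plain JPEG.
SAMPLE_CONTAINER = (b"PK\x03\x04" + b"\x00" * 12 + b"word/media/image1.jpeg"
                    + make_sample_jpeg(True) + b"\xff\xd8\xffgarbage"
                    + make_sample_jpeg(False) + b"\x00" * 6)

if __name__ == "__main__":
    for off, img in carve_jpegs(SAMPLE_CONTAINER):
        print("JPEG at offset %d, %d bytes" % (off, len(img)))
```

Each carved blob can be written to a `.jpg` file and opened directly; that is the "save it and show the picture" step the speaker described, done from the raw bytes without needing the container's own application.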

With several hours' use of the EnCase tool, most operators become adept at using it. With proper training (as offered by the speaker's organisation) the vagaries of the different file systems soon become familiar, and operators soon find their way around them, recognising key data.
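The steganography points in the hiding list above (embedding one image in the low bits of another, tools that can tell something is there without recovering it, and why a lossy carrier fails), as an added example that is not from the talk or from any named tool. `lsb_embed` writes a length-prefixed payload into the least significant bit of each sample of a raw image buffer; `chi_square_pairs` is the pairs-of-values test (Westfeld and Pfitzmann's chi-square attack): in natural image data the values 2k and 2k+1 occur with different frequencies, and embedding a random-looking (encrypted or zipped) payload evens them out, so the statistic collapses even though the payload itself stays unreadable. `simulate_lossy` is only a stand-in for JPEG-style quantisation (it drops the two low bits), enough to show the payload does not survive. The carrier buffer and the hash-derived payload are constructed; the function names are this example's own.

```python
"""LSB steganography on a raw image buffer, the chi-square 'pairs of values'
test that reveals it (Westfeld and Pfitzmann's attack: embedding a random-
looking payload equalises the counts of values 2k and 2k+1), and a crude
stand-in for lossy re-compression that destroys the payload.
Added example; the carrier 'image' and the payload are constructed."""
import hashlib


def lsb_embed(carrier, payload):
    """Write a 4-byte length and the payload into the low bits of carrier."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for i in range(len(data) * 8):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego):
    """Read the length prefix, then that many bytes, from the low bits.
    Returns None when the length field is not plausible."""
    def read(n_bytes, offset):
        b = bytearray(n_bytes)
        for i in range(n_bytes * 8):
            b[i >> 3] |= (stego[offset + i] & 1) << (7 - (i & 7))
        return bytes(b)
    if len(stego) < 32:
        return None
    length = int.from_bytes(read(4, 0), "big")
    if 32 + length * 8 > len(stego):
        return None
    return read(length, 32)


def chi_square_pairs(data):
    """Pairs-of-values statistic: large when 2k and 2k+1 occur with very
    different frequencies (natural data), small after LSB embedding."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += 2 * (even - expected) ** 2 / expected
    return chi


def simulate_lossy(stego):
    """Stand-in for JPEG-style quantisation: drop the two low bits of every
    sample. Not a JPEG codec, just enough to show why lossy carriers fail."""
    return bytes(b & 0xFC for b in stego)


def make_carrier(n=12288):
    """Constructed 64x64 RGB-sized buffer skewed towards even sample values,
    the kind of imbalance the chi-square test relies on."""
    out = bytearray(n)
    for i in range(n):
        v = (i * 37 + (i >> 3)) % 256
        out[i] = v if i % 8 == 0 else v & 0xFE
    return bytes(out)


def make_payload(n_blocks=40):
    """1280 bytes of hash output standing in for an encrypted image."""
    return b"".join(hashlib.sha256(b"example-%d" % i).digest() for i in range(n_blocks))


if __name__ == "__main__":
    carrier, payload = make_carrier(), make_payload()
    stego = lsb_embed(carrier, payload)
    print("recovered:", lsb_extract(stego) == payload)
    print("chi-square before/after: %.0f / %.0f"
          % (chi_square_pairs(carrier), chi_square_pairs(stego)))
    print("survives lossy step:", lsb_extract(simulate_lossy(stego)) == payload)
```

Note what the detector does and does not give the examiner: a much smaller statistic on the "after" picture than on the "before" one says the low bits have been overwritten with something random-looking, which is the "something dodgy is going on" signal, but it says nothing about the content of the encrypted payload.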

So, how do you prevent yourself from leaving anything behind?

Don't put it there in the first place!


The meeting closed around 8:15 pm with thanks to Russell May for a lively and interesting talk. There were a number of freebies handed out... if you'd been there you would have got some.

 

Source date 20th January 2003, Last updated 2nd October 2009 © Copyright British Computer Society