Customize Encase With Enscript Programming


02 Nov 2017


Introduction to Encase

Features

Comparison to other tools

Evolution

Conclusion

Introduction

For part of my coursework in computer crime I had to write a report about a digital forensic tool. The tool I chose to write about is EnCase, a tool produced by a company called Guidance. In my report I will give an introduction to the tool, some of its features, its evolution, and compare it to a competitor’s tool.

Introduction to EnCase

EnCase is a tool used in digital forensic investigations. It is a product of Guidance Software, which is well known globally in the digital forensic world. The software comes in several forms designed for forensic, cyber security and e-discovery use, and the company also offers EnCase training and certification. EnCase is used to make an exact bit-for-bit copy of a machine during an investigation. This is done because work cannot be carried out on the original machine, as doing so could tamper with or destroy evidence.

Features

Digital investigators need a solution that easily captures relevant data to support an investigation or compliance requirement and features sophisticated technical analysis capabilities for finding buried and/or hidden data. EnCase® Forensic is a powerful investigation platform that collects digital data, performs analysis, reports on findings and preserves them in a court validated, forensically sound format.

1) EnCase produces an exact binary duplicate of the original drive or media, then verifies it by generating MD5 hash values for related image files and assigning CRC values to the data. These checks and balances reveal when evidence has been tampered with or altered, helping to keep all digital evidence forensically sound for use in court proceedings.
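The verification idea just described, one hash over the whole image plus a checksum per fixed-size block, as an added illustration in Python. This is not code from the essay or from Guidance Software; the chunk size, the sample "device" bytes and the function names are constructed for the example, and the real image format's chunking and layout are not taken from this page.

```python
import hashlib
import zlib

# Constructed chunk size for this example; a real image format uses its own.
CHUNK_SIZE = 64


def acquire_image(device_bytes, chunk_size=CHUNK_SIZE):
    """Make a bit-for-bit copy of the source and record what later
    verification needs: one MD5 over the whole image and a CRC32 per chunk."""
    image = bytes(device_bytes)
    chunk_crcs = [zlib.crc32(image[i:i + chunk_size]) & 0xFFFFFFFF
                  for i in range(0, len(image), chunk_size)]
    return {"image": image, "chunk_size": chunk_size,
            "md5": hashlib.md5(image).hexdigest(), "chunk_crcs": chunk_crcs}


def verify_image(record):
    """Recompute the checksums over the stored image and compare them with the
    values recorded at acquisition. The MD5 answers "is the image intact?";
    the per-chunk CRCs answer "where did it change?"."""
    image, size = record["image"], record["chunk_size"]
    md5_ok = hashlib.md5(image).hexdigest() == record["md5"]
    bad_chunks = [idx for idx, expected in enumerate(record["chunk_crcs"])
                  if (zlib.crc32(image[idx * size:(idx + 1) * size]) & 0xFFFFFFFF) != expected]
    return {"md5_ok": md5_ok, "bad_chunks": bad_chunks}


def altered_copy(record, offset):
    """Return a copy of the record whose image has one byte flipped at `offset`
    (simulating alteration after acquisition); recorded checksums are kept."""
    image = bytearray(record["image"])
    image[offset] ^= 0xFF
    return {**record, "image": bytes(image)}


# Constructed sample "device": 256 bytes of a recognisable pattern.
SAMPLE_DEVICE = bytes(range(256))

if __name__ == "__main__":
    rec = acquire_image(SAMPLE_DEVICE)
    print("clean image:  ", verify_image(rec))
    print("altered image:", verify_image(altered_copy(rec, 130)))
```

Flipping byte 130 changes the MD5 of the whole image and the CRC of chunk 2 only, which is how the per-block checksums localise a problem that the single hash can only detect. A CRC is an error-detecting code, not a cryptographic check, and MD5 collisions are practical today, so a current workflow records a second hash as well; the settings table later on this page already lists SHA1 alongside MD5.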

2) Save Valuable Time with Advanced Productivity Features

Examiners can preview data while drives or other media are being acquired. Once the image files are created, examiners can search and analyse multiple drives or other media simultaneously. EnCase Forensic also features a case indexer. This powerful tool builds a complete index in multiple languages, allowing for fast and easy queries. Indices can also be chained together to find keywords common to other investigations. This Unicode-supported index contains personal documents, deleted files, file system artifacts, file slack, swap files, unallocated space, emails and web pages. In addition, EnCase has extensive file system support, giving organizations the ability to analyse all types of data.

3) Customize EnCase with EnScript Programming

EnCase features EnScript programming capabilities. EnScript, an object-oriented programming language similar to Java or C++, allows users to create custom programs that help them automate time-consuming investigative tasks, such as searching and analysing specific document types or other labour-intensive processes and procedures. This power can be harnessed by investigators of any level by using one of EnCase Forensic's tools, such as the "Case Developer" or one of the numerous built-in filters and conditions.
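EnScript is proprietary to EnCase, so the following is an added example in Python, not EnScript and not code from the essay or from Guidance, of the kind of repetitive task the paragraph describes: searching a set of files for specific document types by their leading signature bytes rather than by file extension (the "File sig" step listed in the settings table further down). The signature table, the sample file listing and the function names are constructed for the example.

```python
import os

# Well-known leading-byte signatures (a small constructed table; a real
# forensic tool carries a much larger signature database).
SIGNATURES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",   # also the container format of docx/xlsx/pptx
}

# Extensions that legitimately map onto another entry's signature.
EXTENSION_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify_signature(header):
    """Return the signature name whose magic bytes start `header`, else None."""
    for kind, magic in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def signature_analysis(entries):
    """entries: iterable of (path, leading bytes). For each file, compare the
    type claimed by its extension with the type its header bytes show."""
    findings = []
    for path, header in entries:
        ext = os.path.splitext(path)[1].lower().lstrip(".")
        claimed = EXTENSION_ALIASES.get(ext, ext)
        actual = identify_signature(header)
        if actual is None:
            status = "unknown"      # no signature in our table
        elif actual == claimed:
            status = "match"
        else:
            status = "mismatch"     # extension and content disagree
        findings.append({"path": path, "claimed": claimed,
                         "actual": actual, "status": status})
    return findings


def files_of_type(entries, kind):
    """Paths whose content signature is `kind`, whatever their extension."""
    return [f["path"] for f in signature_analysis(entries) if f["actual"] == kind]


def mismatches(entries):
    """Paths whose extension disagrees with their content signature."""
    return [f["path"] for f in signature_analysis(entries) if f["status"] == "mismatch"]


# Constructed sample listing: (path, first bytes) as an examiner's tool reads them.
SAMPLE_ENTRIES = [
    ("reports/q3.pdf",     b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("photos/holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("photos/notes.jpg",   b"%PDF-1.4\n"),           # PDF stored under a .jpg name
    ("system/helper.dll",  b"PK\x03\x04\x14\x00"),   # zip container, not a DLL
    ("docs/memo.docx",     b"PK\x03\x04\x14\x00"),
    ("misc/blob.bin",      b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for finding in signature_analysis(SAMPLE_ENTRIES):
        print(finding)
    print("PDF content regardless of name:", files_of_type(SAMPLE_ENTRIES, "pdf"))
    print("extension/content mismatches:  ", mismatches(SAMPLE_ENTRIES))
```

Searching by signature finds "photos/notes.jpg" as a PDF even though its name says otherwise, which is the point of automating the check: an extension-based search would miss it, and a mismatch list gives the examiner a short set of files that deserve a closer look.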

4) Provide Actionable Data, Report on it, and Move on to the Next Case

Once investigators have bookmarked relevant data, they can create a report suitable for presentation in court, to management or to another legal authority. Data can also be exported in multiple file formats for review.

Comparison to others

Guidance compared EnCase with a competitor’s new release by running several different data sets through EnCase v7.03 and through the new release of the competitor’s product. As you can see from the table below, in addition to being 2 – 3 times faster than Version 7.02, EnCase v7.03 also performed at least 2 times faster than the competitor’s product.

Test Set  | Entries | Device Size (GB) | EnCase Processing Time (hh:mm) | EnCase Items indexed | EnCase EvCache size (GB) | Competitor’s Processing time (hh:mm) | Competitor’s Items indexed | Competitor’s EvCache size (GB)
----------|---------|------------------|--------------------------------|----------------------|--------------------------|--------------------------------------|----------------------------|-------------------------------
Test Ev 1 | 10,731  | 232.83           | 01:41                          | 31,189               | 3.82                     | 4:22                                 | 28,121                     | 6.85
Test Ev 2 | 110,069 | 232.83           | 02:52                          | 423,741              | 16.9                     | 77:57                                | 420,450                    | 20.5
Test Ev 3 | 761,775 | 298.09           | 15:12                          | 1,005,015            | 27.2                     | 29:17                                | 909,448                    | 53

In order to make the comparison as "apples-to-apples" as possible, Guidance ran the two products with the same settings (where available), as follows:

Settings                  | EnCase                                                                                                 | Competitor’s Product
--------------------------|--------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------
Base Modules              |                                                                                                        |
Recover Folders           | Enabled                                                                                                | Enabled
File sig                  | Enabled                                                                                                | Enabled
Protected file analysis   | Enabled                                                                                                | No option
Thumbnail creation        | Enabled                                                                                                | Enabled
Hash analysis             | MD5, SHA1                                                                                              | MD5, SHA1
Compound files processing | Enabled                                                                                                | Enabled
Find email                | Enabled                                                                                                | Enabled
Find internet artifacts   | Enabled (no Unallocated)                                                                               | IE Only
Indexing                  | Slack\Unallocated Clusters enabled; Min word length: 3; Max word length: 64; East Asian support enabled | Unallocated Clusters on; Max word length of 64; No East Asian script support; "Index All"
Additional Modules        |                                                                                                        |
System Info Parser        | Enabled; default settings                                                                              | n/a
IM Parser                 | Enabled; default settings                                                                              | Yahoo only (via data carver)
File Carver               | Enabled; default settings                                                                              | n/a
Win Event Logs            | Enabled; default settings                                                                              | evt, evtx only
Win Artifact Parser       | Enabled; default settings                                                                              | Link files only
Unix Login                | Enabled; default settings                                                                              | n/a
Linux Syslog parser       | Enabled; default settings                                                                              | n/a

Evolution

Since the release of Version 7 there had been a few problems with the software, such as processing speeds that were too slow and a new user interface that did not make it easy for investigators to work their cases the way they normally would. With EnCase v7.03, Guidance concentrated on several key areas that were either of concern to users or could advance the product in important ways:

Evidence Processor Performance

Support for Text Indexing in Slack and Unallocated Space

Compressed review of Search hits

Additional Artifacts including attached USB devices and mounted network shares

In EnCase v7.03, changes were made to how EnCase handles the vast amount of data that can be generated during processing: to how some data is stored, and to how often EnCase reads from certain data files.

v7.03 processed the same evidence 2 – 3 times faster than v7.02. When you add in that EnCase now also indexes slack and unallocated space, the improvement is even more substantial, and users can now expect processing to complete much faster. 

Although Guidance is happy with the improvements to EnCase, they are continuing to look at ways to make the critical step of evidence processing faster, while giving examiners access to even more data.

In the coming months some new features will be added to EnCase that will enable more varied workflows, which include:

Hyperlinking to exported files in reports

Adding more fields into reports, including options that were available in v6

Ability to refresh search results during a processing

Allow users to do operations like copy/unerase, export and bookmark based on a tag

Version 7.03 also added the ability to create one or more "Review Packages" that can be sent to a case agent, prosecutor, colleague, or anyone who has a vested interest in the case. These Review Packages can be opened in Internet Explorer and enable the reviewer to tag items and add comments that can then be easily assimilated back into the examiner’s case. This feature, which is part of the standard EnCase install, enables users to easily share evidence with those who need to look at it.

Conclusion

After doing this report I have found that EnCase is a well-known tool in the digital forensic world, along with the company Guidance that produces it. Its main function is to make an exact bit-for-bit copy of the machine or hard drive that is going to be investigated. From comparing EnCase to its competitors, EnCase has been shown to perform better and faster. EnCase is always changing and improving with each version.


