Section 1 – Forensic Software Evaluation
Encase by Guidance Software
EnCase by Guidance Software is an industry-standard computer investigation solution. It provides forensic practitioners with useful features to assist them with efficient, forensically sound data collection and investigation using a repeatable process. EnCase provides useful tools for data acquisition, file recovery, indexing and searching, and file parsing.
Two major features that EnCase boasts are the range of operating systems and the range of file systems it supports. Each operating system uses its own set of file systems.
It is useful to have this feature available to examiners because there are many different electronic devices running these different operating systems and file systems. For example, EnCase provides support for smartphones and tablets running the following operating systems: Apple iOS, Android OS, BlackBerry OS, Palm OS, Symbian and Windows Mobile OS. EnCase also organises files in a sensible and logical order. For example, it creates a directory for evidence files, which contains only the files or folders needed.
Another feature of the data acquisition process is the Cyclic Redundancy Check (CRC). Each image created with EnCase will produce both a CRC and an MD5 hash so that its integrity can be verified later. Following this, EnCase also provides the option to encrypt the evidence with a secure SHA
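The integrity scheme described above (a checksum per block of the image plus a hash over the whole image) is worth seeing in working code, because the two serve different purposes: the whole-image hash proves the image is unchanged, while the per-block CRCs locate where damage or tampering occurred. The following is an added example written for this page, not EnCase's own code or its evidence file format; the chunk size, the record layout and the sample image are constructed assumptions, and SHA-256 is included alongside MD5 only as a stronger companion hash.

```python
import hashlib
import zlib
from typing import Dict, List

# Constructed sample "disk image": 20 KiB of repeating byte values.
# Hypothetical chunk size; real evidence containers use their own block size.
CHUNK_SIZE = 4096
SAMPLE_IMAGE = bytes(range(256)) * (CHUNK_SIZE * 5 // 256)


def acquire(image: bytes, chunk_size: int = CHUNK_SIZE) -> Dict:
    """Produce an integrity record: a CRC32 per chunk plus MD5 and SHA-256 over the whole image.

    The per-chunk CRCs let a later verification say *which* chunk changed; the
    whole-image digests are what an examiner records and later compares.
    """
    crcs: List[int] = []
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for offset in range(0, len(image), chunk_size):
        chunk = image[offset:offset + chunk_size]
        crcs.append(zlib.crc32(chunk) & 0xFFFFFFFF)
        md5.update(chunk)
        sha256.update(chunk)
    return {
        "chunk_size": chunk_size,
        "length": len(image),
        "crcs": crcs,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def verify(image: bytes, record: Dict) -> Dict:
    """Re-hash the image and report whether the digests still match and which chunks differ."""
    fresh = acquire(image, record["chunk_size"])
    bad_chunks = [
        i for i, (old, new) in enumerate(zip(record["crcs"], fresh["crcs"])) if old != new
    ]
    # A truncated or extended image has a different chunk count; flag the extra/missing ones too.
    longest = max(len(record["crcs"]), len(fresh["crcs"]))
    bad_chunks += list(range(min(len(record["crcs"]), len(fresh["crcs"])), longest))
    return {
        "length_ok": fresh["length"] == record["length"],
        "md5_ok": fresh["md5"] == record["md5"],
        "sha256_ok": fresh["sha256"] == record["sha256"],
        "bad_chunks": bad_chunks,
    }


def tamper(image: bytes, chunk_index: int, offset_in_chunk: int, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Return a copy of the image with one byte flipped inside the given chunk (for demonstration)."""
    modified = bytearray(image)
    modified[chunk_index * chunk_size + offset_in_chunk] ^= 0xFF
    return bytes(modified)


if __name__ == "__main__":
    record = acquire(SAMPLE_IMAGE)
    print("original :", verify(SAMPLE_IMAGE, record))
    print("tampered :", verify(tamper(SAMPLE_IMAGE, 2, 10), record))
```

A single flipped byte in chunk 2 fails both whole-image digests and is pinned to that one chunk by the CRC list; the CRCs alone would not be enough for evidential purposes, since CRC32 is not collision resistant, which is why the cryptographic hash is recorded as well.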
Forensic examiners will often also need to acquire evidence from a live machine, so EnCase provides a utility called ‘WinEN’. This allows them to collect evidence from Random Access Memory (RAM). In other cases, an examiner may need to boot up a system in a ‘live state’ in order to recover evidence. However, doing so has the possibility of contaminating evidence, so EnCase provides another useful utility called ‘LinEn’, which allows the examiner to boot the device in a forensically sound manner.
EnCase provides a series of automation tools which help speed up the investigation process. One major automation feature is the use of ‘EnScripts’ – custom or pre-defined scripts used in data carving to find specific bits of data. These scripts are useful, for example, in a fraud case. The examiner would be able to set up a script to automatically filter out anything related to fraud, credit cards, bank details etc. Another automation feature is the use of Filters and Conditions, which again help narrow down data to a specific rule. These can also be combined with “OR” or “AND” logic to narrow down the search even further. Criminals will often try to remove data from digital evidence, so EnCase can automatically rebuild the structure of formatted NTFS and FAT volumes. Furthermore, it can recover deleted files and folders.
EnCase offers a range of different ‘views’ to examine the recovered evidence in an effective way. For example, EnCase has a built-in registry viewer, a timeline/calendar viewer and an integrated Picture Viewer with Gallery View. It also provides native viewing for approximately 400 file formats. EnCase also provides a useful inbuilt hex viewer. This is particularly useful for low-level data processing, where the data content may not be so obvious.
The advanced search features of EnCase can prove useful when trying to find specific bits of data, or even strings of data. EnCase can extract all the strings from documents and organise them in a way that is easy for the examiner to read. As well as the option to search for strings, binary search is also available. This allows the examiner to search for raw binary data. More advanced search options are available, such as Global Regular Expressions (GREP). It has been known before that evidence is concealed in secret parts of the file system, such as slack and unallocated space. EnCase allows the practitioner to extract data from these hidden areas of the system. Furthermore, EnCase allows searching for values stored in either byte order (big-endian and little-endian).
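The carving, binary, GREP and byte-order searches described in the two paragraphs above all reduce to scanning raw bytes that no longer belong to any file. The following is an added example, written for this page and not EnCase's or any EnScript's own code, that runs those four searches over a constructed block of "unallocated space" containing a fake JPEG, a text fragment and a 32-bit value; the signatures, the filler bytes and the embedded content are all constructed assumptions.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed "unallocated space": filler with a fake JPEG, a text fragment and a
# 32-bit value stored once little-endian and once big-endian. Not a real image.
def build_sample() -> bytes:
    filler = bytes([0x00, 0xFF, 0x5A]) * 200           # 600 bytes of noise
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" * 4 + b"\xff\xd9"
    text = b"note: transfer to acct 1234-5678-9012-3456 from bob@example.org"
    value = 0x1234ABCD
    return (filler + fake_jpeg + filler + text + filler
            + struct.pack("<I", value) + filler + struct.pack(">I", value) + filler)


# Header/footer signatures for simple carving (hypothetical minimal table).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data: bytes) -> List[Tuple[str, int, int]]:
    """Header/footer carving: returns (type, start, end) for each complete file found."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header))
            if end < 0:
                break                      # header without footer: incomplete, skip
            end += len(footer)
            found.append((name, start, end))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def grep(data: bytes, pattern: bytes) -> List[Tuple[int, bytes]]:
    """GREP-style regular-expression search over raw bytes: (offset, match)."""
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, data)]


def find_bytes(data: bytes, needle: bytes) -> List[int]:
    """Binary search for an exact byte sequence; returns every offset."""
    hits: List[int] = []
    pos = data.find(needle)
    while pos >= 0:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def find_uint32(data: bytes, value: int) -> Dict[str, List[int]]:
    """Search for a 32-bit integer in both byte orders (little- and big-endian)."""
    return {
        "little": find_bytes(data, struct.pack("<I", value)),
        "big": find_bytes(data, struct.pack(">I", value)),
    }


if __name__ == "__main__":
    sample = build_sample()
    print("carved  :", carve(sample))
    print("emails  :", grep(sample, rb"[\w.+-]+@[\w-]+\.[a-z]{2,}"))
    print("cards   :", grep(sample, rb"\d{4}-\d{4}-\d{4}-\d{4}"))
    print("uint32  :", find_uint32(sample, 0x1234ABCD))
```

The carver here is deliberately naive (it takes the first footer after a header and ignores fragmentation), which is exactly the case where a practitioner would validate carved output by opening it in a viewer rather than trusting the offsets.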
A critical feature is the Internet and Email Investigation tools. EnCase allows the recovery and viewing of browser activity, including internet artifacts, history and cache. There is also an HTML page reconstruction feature which will rebuild HTML code into a user-friendly page for viewing. There are also other tools used in the processing of HTML pages, such as the HTML Carver. Furthermore, there are toolkits used to examine applications such as Kazaa (a popular peer-to-peer client), as well as Instant Messenger toolkits. EnCase also has the tools needed to gather evidence from popular email clients such as Yahoo, Hotmail, Netscape and Outlook.
EnCase generates automatic reports which can be used as evidence in a court of law. Some examples of reports that EnCase can generate are as follows: all of the files and folders in a case, a detailed listing of all URLs and the corresponding dates and times of websites visited, incident response reports, log records, registry information, detailed hard drive information about physical and logical partitions, information on the data acquisition, drive geometry, folder structures and bookmarked files and images. Finally, these reports are available in RTF or HTML formats.
One major disadvantage of EnCase is the complexity of the software. It would be very hard for an individual with no prior experience or training to use the software effectively. For example, a similar forensic tool, FTK, creates indexes of the case strings during data acquisition, whereas EnCase requires the user to run a script to do so after the data has been acquired. Although EnCase provides a range of inbuilt ‘viewers’, it still lacks an internal mail viewer, which means the examiner has to use third-party software to view emails, which may not always be forensically sound.
Another disadvantage of EnCase is its live search feature. FTK uses dtSearch to build full-text indices for searching (as an option), whereas EnCase performs a “Live Search” every time you want to change your keywords. In other words, EnCase will search through every document in your selected location every time you execute a search. The Live Search can take hours, depending on the size of the image or drive – even on superior hardware.
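The cost difference between an index built once and a live scan repeated per query is easy to show concretely. The following is an added example written for this page, not FTK's, dtSearch's or EnCase's own code: it runs both strategies over a constructed mini case (four files of extracted text) and counts the bytes each one has to read, so that the "every keyword change re-reads everything" behaviour becomes a measurable number. The file paths and contents are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed mini "case": file path -> text already extracted from the file.
CASE_FILES: Dict[str, str] = {
    "Users/alice/Documents/budget.txt": "Quarterly budget: transfer approved by finance.",
    "Users/alice/Mail/inbox.eml": "Re: invoice 4471 - wire transfer to the new account today",
    "Users/bob/Downloads/readme.txt": "Installation notes. No account information here.",
    "Windows/System32/notes.log": "service started; service stopped",
}

WORD = re.compile(r"[a-z0-9]+")


def tokenize(text: str) -> Set[str]:
    """Lower-case word set; the same normalisation is used by both strategies."""
    return set(WORD.findall(text.lower()))


class LiveSearch:
    """Re-read every file for every query (the 'Live Search' behaviour described above)."""

    def __init__(self, files: Dict[str, str]) -> None:
        self.files = files
        self.bytes_scanned = 0

    def search(self, keywords: List[str]) -> List[str]:
        hits = []
        for path, text in self.files.items():
            self.bytes_scanned += len(text)          # every query pays the full read cost
            words = tokenize(text)
            if all(k.lower() in words for k in keywords):
                hits.append(path)
        return sorted(hits)


class IndexedSearch:
    """Read every file once to build an inverted index; answer queries from the index."""

    def __init__(self, files: Dict[str, str]) -> None:
        self.bytes_scanned = 0
        self.index: Dict[str, Set[str]] = defaultdict(set)
        for path, text in files.items():
            self.bytes_scanned += len(text)          # paid once, at acquisition/indexing time
            for word in tokenize(text):
                self.index[word].add(path)

    def search(self, keywords: List[str]) -> List[str]:
        if not keywords:
            return []
        postings = [self.index.get(k.lower(), set()) for k in keywords]
        return sorted(set.intersection(*postings))   # AND of the keywords


def compare(queries: List[List[str]]) -> Dict[str, int]:
    """Run the same queries through both strategies and report bytes read by each."""
    live, indexed = LiveSearch(CASE_FILES), IndexedSearch(CASE_FILES)
    for q in queries:
        assert live.search(q) == indexed.search(q)   # same answers, different cost
    return {"live": live.bytes_scanned, "indexed": indexed.bytes_scanned}


if __name__ == "__main__":
    print(LiveSearch(CASE_FILES).search(["transfer", "account"]))
    print(compare([["transfer"], ["transfer", "account"], ["service"]]))
```

With three queries the live strategy reads the corpus three times and the indexed one once; on a multi-terabyte image that ratio is the difference between minutes and the hours the paragraph above describes, at the price of the up-front indexing pass.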
To conclude, there is not just one tool that will do the correct job every single time. Each tool has its own individual strengths and weaknesses. One day, or on one drive, FTK will be the best, on another, EnCase. An examiner should choose the most relevant tools at the time.
XRY by Micro Systemation (MSAB)
XRY is another forensic tool which is often used by law enforcement. XRY differs from EnCase in that it is purpose-made for mobile phone forensics. An investigator looking to examine a mobile device would choose XRY to do so. XRY allows users to do either a logical dump or a physical dump of a device. The downside to this is that devices such as iPhones must be jailbroken in order to complete a physical examination. However, jailbreaking is not seen as forensically sound, and could contaminate evidence on the device.
Furthermore, XRY has a whole host of different hardware that comes with it. There are approximately 100 different connections available to connect the many different mobile devices to an examination computer. XRY also comes with devices to read the Hard Disk Drive of an iPhone to make a physical examination possible.
XRY organises the information extracted from the device in a logical, tabbed way to keep it organised. The options are categorised under the following headings: Summary, Case Data, General Information, Contacts, Calls, Calendar, Notes, SMS, MMS, Pictures, Videos, Audio, Documents, Files, and Log. The ‘General Information’ tab shows information about the device, such as device name, manufacturer, model, OS revision, WiFi address, MAC address etc. A lot of this information is unique to the device and can be used to identify it.
XRY also includes an inbuilt gallery view, which makes viewing images on the device much easier. This feature also shows detailed information about the pictures, such as the time it was taken. On modern smartphones, XRY can also include the geographical location of where the photo was taken. As well as being able to view photos, an examiner can retrieve SMS/MMS messages and call logs, which can be critical in an investigation. Deleted call logs and SMS/MMS messages can also be recovered with ease. Furthermore, with smartphones, Voice over IP call logs can be retrieved.
Google Maps has been integrated within XRY, and allows users to plot the geographical locations retrieved from the device on a map (longitude and latitude co-ordinates). This is especially useful as the geo co-ordinates will be a decimal number, which is meaningless without plotting it on a map.
XRY also has a very advanced feature which requires the use of its external hardware. This feature is the SIM Card Cloner. The idea of this feature is not to create an identical, working SIM card, but just to copy all of the information onto another SIM so that the original is preserved. It is important that the original is not modified in any way; the same applies to hard disk drives.
To conclude, one of the big advantages of XRY is its simplicity and ease of use. Unlike other forensic tools, XRY provides a very clean user interface with simple button clicks. This reduces the scope for errors when recovering data. Another very useful feature of XRY is the way it produces reports. It produces reports in a simple and organised way at the push of a button.
Forensic Tools and Techniques – EnCase & XRY. (2017, Dec 24). Retrieved from https://graduateway.com/forensic-tools-techniques-encase-xry/