EnCase provides a series of automation tools which help speed up the investigation process. One major automation feature is the use of ‘EnScripts’ – custom or pre-defined scripts used in data carving to find specific bits of data. These scripts are useful, for example, in a fraud case: the examiner would be able to set up a script to automatically filter out anything related to fraud, credit cards, bank details etc. Another automation feature is the use of Filters and Conditions, which again help narrow the data down to a specific rule. These can also be bound together with “OR” or “AND” logic to narrow down the search even further. Criminals will often try to remove data from digital evidence, so EnCase can automatically rebuild the structure of formatted NTFS and FAT volumes. Furthermore, it can recover deleted files and folders.
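The Filters and Conditions idea above, simple rules bound together with AND and OR, can be illustrated with a few lines of code. The following is an added example and is not EnCase's own EnScript or filter syntax: it defines composable conditions over a constructed list of file records and applies a fraud-style filter (spreadsheet or CSV files, or file names mentioning bank, card or invoice, modified in 2012). The record layout, the keyword list and the sample paths are all assumptions made for illustration.

```python
"""Composable file filters with AND/OR/NOT logic over file-system metadata.
Added example, not EnCase code; records and keywords below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List
import re


@dataclass
class FileRecord:
    path: str
    size: int
    modified: datetime
    deleted: bool = False


Predicate = Callable[[FileRecord], bool]


class Condition:
    """Wraps a predicate so conditions combine with & (AND), | (OR) and ~ (NOT).
    The name is kept so the examiner can see the rule that produced a hit."""

    def __init__(self, name: str, test: Predicate):
        self.name, self.test = name, test

    def __and__(self, other: "Condition") -> "Condition":
        return Condition(f"({self.name} AND {other.name})",
                         lambda r: self.test(r) and other.test(r))

    def __or__(self, other: "Condition") -> "Condition":
        return Condition(f"({self.name} OR {other.name})",
                         lambda r: self.test(r) or other.test(r))

    def __invert__(self) -> "Condition":
        return Condition(f"NOT {self.name}", lambda r: not self.test(r))

    def __call__(self, record: FileRecord) -> bool:
        return self.test(record)


def extension_in(*exts: str) -> Condition:
    wanted = {e.lower() for e in exts}
    return Condition(f"ext in {sorted(wanted)}",
                     lambda r: r.path.rsplit(".", 1)[-1].lower() in wanted if "." in r.path else False)


def name_matches(pattern: str) -> Condition:
    rx = re.compile(pattern, re.IGNORECASE)
    return Condition(f"name ~ /{pattern}/",
                     lambda r: rx.search(r.path.rsplit("/", 1)[-1]) is not None)


def modified_after(when: datetime) -> Condition:
    return Condition(f"modified > {when:%Y-%m-%d}", lambda r: r.modified > when)


def is_deleted() -> Condition:
    return Condition("deleted", lambda r: r.deleted)


def apply_filter(cond: Condition, records: List[FileRecord]) -> List[str]:
    """Return the paths of every record the combined condition accepts."""
    return [r.path for r in records if cond(r)]


# Constructed sample records (hypothetical paths and timestamps)
SAMPLE = [
    FileRecord("/Users/bob/Documents/invoice_march.pdf", 2048, datetime(2012, 3, 10)),
    FileRecord("/Users/bob/Documents/holiday.jpg", 512000, datetime(2012, 2, 1)),
    FileRecord("/Users/bob/Desktop/accounts.xlsx", 30000, datetime(2011, 11, 20)),
    FileRecord("/Users/bob/Desktop/cardnumbers.txt", 120, datetime(2012, 4, 2), deleted=True),
    FileRecord("/Users/bob/Downloads/report.csv", 4096, datetime(2012, 1, 15)),
    FileRecord("/Windows/System32/notepad.exe", 200000, datetime(2010, 1, 1)),
]

# Fraud-style rule: (spreadsheet/CSV OR name mentions bank/card/invoice) AND modified in 2012
FRAUD = (extension_in("xls", "xlsx", "csv") | name_matches(r"bank|card|invoice")) \
    & modified_after(datetime(2012, 1, 1))

if __name__ == "__main__":
    print(FRAUD.name)
    for path in apply_filter(FRAUD, SAMPLE):
        print("hit:", path)
    print("deleted hits:", apply_filter(FRAUD & is_deleted(), SAMPLE))
```

Because each combined condition carries its own name, the rule that produced a bookmark can be written into the report alongside the hit, which is the kind of traceability an examiner needs when the filter logic is questioned later.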
EnCase offers a range of different ‘views’ to examine the recovered evidence effectively. For example, EnCase has a built-in registry viewer, a timeline/calendar viewer and an integrated Picture Viewer with Gallery View. It also provides Native Viewing for approximately 400 file formats. EnCase also provides a useful inbuilt HEX viewer, which is particularly useful for low-level data processing where the data content may not be so obvious.
The advanced search features of EnCase can prove useful when trying to find specific bits of data, or even strings of data. EnCase can extract all the strings from documents and organise them in a way that is easy for the examiner to read. As well as the option to search for strings, a binary search is also available, which allows the examiner to search for raw binary data. More advanced search options are available, such as Global Regular Expressions (GREP). Evidence has been known to be concealed in hidden parts of the file system, such as slack space and unallocated space; EnCase allows the practitioner to extract data from these hidden areas of the system. Furthermore, EnCase allows searching for data stored in different byte orders (big-endian and little-endian).
A critical feature is the Internet and Email Investigation tools. EnCase allows the recovery and viewing of browser activity, including internet artifacts, history and cache. There is also an HTML page reconstruction feature which will rebuild HTML code into a user-friendly page for viewing. There are also other tools used in the processing of HTML pages, such as the HTML Carver. Furthermore, there are toolkits for examining applications such as Kazaa (a popular peer-to-peer client), as well as Instant Messenger toolkits. EnCase also has the tools needed to gather evidence from popular email clients such as Yahoo, Hotmail, Netscape and Outlook.
EnCase generates automatic reports which can be used as evidence in a court of law. Some examples of reports that EnCase can generate are as follows: all of the files and folders in a case; a detailed listing of all URLs and the corresponding dates and times of websites visited; incident response reports; log records; registry information; detailed hard drive information about physical and logical partitions; information on the data acquisition; drive geometry; folder structures; and bookmarked files and images. Finally, these reports are available in RTF or HTML formats.
One major disadvantage of EnCase is the complexity of the software. It would be very hard for an individual with no prior experience or training to use the software effectively. For example, a similar forensic tool, FTK, creates indexes of the case strings during data acquisition, whereas EnCase requires the user to run a script to do so after the data has been acquired. Although EnCase provides a range of inbuilt ‘viewers’, it still lacks an internal mail viewer, which means the examiner has to use third-party software to view emails, which may not always be forensically sound.
Another disadvantage of EnCase is its live search feature. FTK uses dtSearch to build full-text indices for searching (as an option), whereas EnCase performs a "Live Search" every time you want to change your keywords. In other words, EnCase will search through every document in your selected location every time you execute a search. The Live Search can take hours, depending on the size of the image or drive, even on superior hardware.
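The search behaviour described here and in the advanced search paragraph above (string extraction, GREP-style expressions, big- and little-endian byte orders, and a live search versus a prebuilt index) can be demonstrated on a small byte buffer. The following is an added example and is not code from EnCase or FTK: `live_search` re-reads the whole image for every query in ASCII, UTF-16LE and UTF-16BE, while `build_index` extracts printable strings once so that later keyword lookups are dictionary hits. The image contents are constructed and the function names are my own.

```python
"""Keyword search over a raw image: 'live' re-scan per query vs. a string index.
Added example (not EnCase or FTK code); the image bytes below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Character width in bytes for each decoding we try. NTFS and Windows
# applications store text as UTF-16LE; some formats use UTF-16BE.
WIDTH = {"ascii": 1, "utf-16le": 2, "utf-16be": 2}


def decode_view(image: bytes, encoding: str) -> List[Tuple[int, str]]:
    """Return (base_offset, text) views where character i of text sits at byte
    base_offset + i * WIDTH[encoding], so regex positions map back to offsets.
    UTF-16 is tried at both alignments because a string in slack or
    unallocated space need not start on an even boundary."""
    if encoding == "ascii":
        return [(0, image.decode("latin-1"))]          # exactly one byte per char
    order = "little" if encoding == "utf-16le" else "big"
    views = []
    for shift in (0, 1):
        chars = []
        for i in range(shift, len(image) - 1, 2):
            unit = int.from_bytes(image[i:i + 2], order)
            # One char per 16-bit unit; surrogates are not combined, so the
            # offset arithmetic stays exact.
            chars.append("\ufffd" if 0xD800 <= unit <= 0xDFFF else chr(unit))
        views.append((shift, "".join(chars)))
    return views


def live_search(image: bytes, pattern: str) -> List[Tuple[int, str, str]]:
    """GREP-style live search: the whole image is re-read for every query.
    Returns sorted (byte offset, encoding, matched text) tuples."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for enc, width in WIDTH.items():
        for base, text in decode_view(image, enc):
            for m in rx.finditer(text):
                hits.append((base + m.start() * width, enc, m.group(0)))
    return sorted(hits)


PRINTABLE = re.compile(r"[\x20-\x7e]{4,}")   # 'strings'-style runs of 4+ chars


def build_index(image: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Extract printable strings once and index each word by (offset, encoding).
    Subsequent keyword queries never touch the image again."""
    index: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for enc, width in WIDTH.items():
        for base, text in decode_view(image, enc):
            for run in PRINTABLE.finditer(text):
                for word in re.finditer(r"\w+", run.group(0)):
                    offset = base + (run.start() + word.start()) * width
                    index[word.group(0).lower()].append((offset, enc))
    return index


def index_lookup(index, word: str) -> List[Tuple[int, str]]:
    return sorted(index.get(word.lower(), []))


# Constructed image: an ASCII string, a UTF-16LE string at an odd offset and a
# UTF-16BE string, separated by zero-filled 'unallocated' padding.
IMAGE = (
    b"\x00" * 16
    + b"Transfer to BANK account 12-34-56"      # ASCII at offset 16
    + b"\x00" * 8
    + "card details".encode("utf-16-le")        # UTF-16LE at offset 57 (odd)
    + b"\xff"
    + "Bank statement".encode("utf-16-be")      # UTF-16BE at offset 82
    + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in live_search(IMAGE, r"bank|card"):
        print("live  ", hit)
    for hit in live_search(IMAGE, r"\d{2}-\d{2}-\d{2}"):
        print("regex ", hit)
    idx = build_index(IMAGE)
    print("index ", index_lookup(idx, "bank"))
```

Two things worth noticing when running it. First, a UTF-16 string also shows up one byte away in the opposite byte order, because the zero bytes line up either way; the examiner compares offsets to recognise the mirror hit rather than counting it twice. Second, every call to `live_search` walks the full buffer again, which is exactly why the paragraph above says a live search over a large image can take hours, whereas `build_index` pays that cost once and answers later keyword queries from memory.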
To conclude, there is no single tool that will do the job correctly every single time. Each tool has its own strengths and weaknesses. One day, or on one drive, FTK will be the best; on another, EnCase. An examiner should choose the most relevant tools at the time.
XRY by Micro Systemation (MSAB)
XRY is another forensic tool which is often used by law enforcement. XRY differs from EnCase in that it is purpose-made for mobile phone forensics; an investigator looking to examine a mobile device would choose XRY to do so. XRY allows users to perform either a logical or a physical dump of a device. The downside to this is that devices such as iPhones must be jailbroken in order to complete a physical examination. However, jailbreaking is not seen as forensically sound, and could contaminate evidence on the device.
Furthermore, XRY comes with a whole host of different hardware. There are approximately 100 different connectors available to connect the many different mobile devices to an examination computer. XRY also comes with devices to read the hard disk drive of an iPhone to make a physical examination possible.
XRY organises the information extracted from the device in a logical, tabbed way. The options are categorised under the following headings: Summary, Case Data, General Information, Contacts, Calls, Calendar, Notes, SMS, MMS, Pictures, Videos, Audio, Documents, Files, and Log. The ‘General Information’ tab shows information about the device, such as device name, manufacturer, model, OS revision, WiFi address, MAC address etc. A lot of this information is unique to the device and can be used to identify it.
XRY also includes an inbuilt gallery view, which makes viewing images on the device much easier. This feature also shows detailed information about the pictures, such as the time each was taken. On modern smartphones, XRY can also include the geographical location where the photo was taken. As well as being able to view photos, an examiner can retrieve SMS/MMS messages and call logs, which can be critical in an investigation. Deleted call logs and SMS/MMS messages can also be recovered with ease. Furthermore, with smartphones, Voice over IP call logs can be retrieved.
Google Maps has been integrated within XRY, allowing users to plot the geographical locations retrieved from the device (longitude and latitude co-ordinates) on a map. This is especially useful as the geo co-ordinates are decimal numbers, which are meaningless without plotting them on a map.
XRY also has a very advanced feature which requires the use of its external hardware: the SIM Card Cloner. The idea of this feature is not to create an identical, working SIM card, but simply to copy all of the information onto another SIM so that the original is preserved. It is important that the original is not modified in any way; the same applies to hard disk drives.
To conclude, one of the big advantages of XRY is its simplicity and ease of use. Unlike other forensic tools, XRY provides a very clean user interface driven by simple button clicks. This lowers the likelihood of errors when recovering data. Another very useful feature of XRY is the way it produces reports: it produces them in a simple and organised way at the push of a button.
Section 2 – Forensic Software Portfolio