Computer Forensics: What Every IT Organization Should Know

Part 2

EnCase® software and certification

EnCase® Forensic is the industry-standard computer investigation solution from Guidance Software, a company located in Pasadena, California. It is built for certified forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process. It lets examiners acquire data from a wide variety of devices, unearth potential evidence with disk-level forensic analysis, and craft comprehensive reports on their findings, all while maintaining the integrity of their evidence. While there are other forensic software options available, such as FTK from AccessData in Orem, Utah (which has its own certification process), EnCase® is the most widely used and accepted solution. There is also a tightly controlled two-part certification process managed by Guidance Software. The first part is an online examination; the second part involves taking a supplied forensic file, doing a thorough review, and creating a detailed report on the results of that review. Once you have been officially certified you receive a logo that can be displayed on your company's website. This certification is only good for two years and then has to be renewed, so make sure you ask when the examiner received their certification. Finally, some websites use the phrase "we have a certificate in EnCase®". A certificate simply means that someone took the class; it does not mean they passed certification. Taking the class is not sufficient!

What computer forensics can do

As with most computer disciplines, there are misunderstandings about what can and cannot be done, and computer forensics is no exception. Let's start with some of the benefits of computer forensics when used by certified examiners. First, they can determine the manner and extent of a user's theft of proprietary data. They can establish the timing and extent of file deletion or "anti-forensic" activity. If documents were forged or altered in any way, this can also be discovered. The same is true of image manipulation. Many cases involve the recovery of e-mail and other ESI claimed not to exist or to have been deleted. Almost anything that has to do with the computer itself can be revealed, such as calendar and clock manipulation, even whether and when a thumb drive or external hard drive was connected to a machine.

What computer forensics CAN'T do

Although it may seem like magic sometimes, computer forensics can't do everything. For example, nothing can recover information that has been completely overwritten by new data. Most importantly, no one can conduct a thorough and legally sound forensic examination without access to the source hard drive or a forensically sound image of the drive. Forensics cannot recover data from a drive that has suffered severe physical damage and cannot spin up. Likewise, there is no guarantee that a drive won't fail during the acquisition process. However, damaged drives can be repaired in many cases so that they can be used to retrieve forensic data. It is important to note that you MUST maintain a proper chain of custody for any drive that undergoes repair, so you need to make sure the company that does the repair understands this process completely. Finally, no matter how good the software or the examiner is, they cannot conclusively identify the hands on the keyboard if one person logs in as someone else. You need video evidence for that one. Sorry.

Examples of Forensic Techniques

So, how do those forensic surgeons find the data most people can't? Most often forensic examiners are looking for "deleted" files, whether they were deleted by accident or to cover up evidence. There are many tools and techniques available in the forensic arsenal, so I will only mention a couple of them here. One of the most common is data carving (aka file carving). Data carving is typically done on unallocated file system space to extract files that cannot be identified through the file system because its metadata is missing or corrupt. Many file formats have what are known as headers, file signatures, or magic numbers: specific hexadecimal sequences at the beginning of a file, laid out in a format-specific way. Some formats also have trailers that indicate the end of a file. For example, a JPEG file begins with "FF D8 FF" and ends with "FF D9". Basic data carving assumes that the beginning of the file has not been overwritten and that the file is neither fragmented nor compressed. Advanced data carving can deal with fragmented files whose fragments are non-sequential, out of order, or missing.

Another common tool used in computer forensics is cryptographic hashing. A cryptographic hash value serves as a unique fingerprint of an arbitrarily large input. In computer forensics, hash values are typically computed at the file level, so known files can be identified very efficiently. The two most common hash algorithms are MD5 (Message Digest algorithm 5) and SHA-1 (Secure Hash Algorithm 1). The tiniest change in a file will alter that file's hash value. In order to detect known files on the basis of their digital fingerprints, the computer forensic investigator must have access to a reference database, which comprises at least the input file (or its identity) and its hash value. If the hash value of a file within an investigation matches a hash value in the database, the examiner can be confident that the referenced file is actually present on the storage medium.
Depending on the assessment of the file, the forensic examiner will proceed as follows:
    1. If the file is known to be good, the investigator can remove the file from further investigation. The hash database is then referred to as a whitelist. Whitelists are used in computer forensics for data reduction: only files that are not on the whitelist are inspected manually. We denote the use of a whitelist within computer forensics as whitelisting.
    2. If the file is known to be bad, the investigator looks at the file manually and checks whether it actually is illicit (e.g. a child abuse picture). The hash database is then referred to as a blacklist. We denote the use of a blacklist within computer forensics as blacklisting.
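To make the two techniques above concrete, here is a small added example (written for this article, not code from Guidance Software or any forensic product) that carves JPEG objects out of a constructed "unallocated space" buffer using the FF D8 FF header and FF D9 trailer, hashes each carved object with MD5 and SHA-1, and then applies the whitelist/blacklist rules just described. The sample buffer, the three tiny JPEG-shaped objects and the two reference hash sets are all constructed here; in a real examination the hash sets would come from a reference database and the buffer from a forensic image.

```python
import hashlib

# Magic numbers from the article: a JPEG starts with FF D8 FF and ends with FF D9.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_TRAILER = b"\xff\xd9"


def carve_jpegs(blob, max_size=10 * 1024 * 1024):
    """Basic header-to-trailer carving over a raw byte buffer.

    This is the "basic" carving the article describes: it assumes each object
    is contiguous and that its header has not been overwritten. Real carvers
    also parse the JPEG segment structure, because an embedded EXIF thumbnail
    carries its own FF D9, which a naive trailer search would stop at.
    Returns a list of (offset, bytes) pairs.
    """
    carved = []
    pos = 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = blob.find(JPEG_TRAILER, start + len(JPEG_HEADER))
        if end == -1:
            # Header survived but no trailer follows: the rest was overwritten,
            # and nothing can bring overwritten data back.
            break
        end += len(JPEG_TRAILER)
        if end - start <= max_size:
            carved.append((start, blob[start:end]))
            pos = end
        else:
            # Implausibly large span: treat this header as a false positive.
            pos = start + len(JPEG_HEADER)
    return carved


def hash_values(data):
    """MD5 and SHA-1 of one carved object, the file-level hashes the article names."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verdict(data, whitelist, blacklist):
    """Apply the article's two rules to one object's SHA-1 fingerprint."""
    sha1 = hash_values(data)["sha1"]
    if sha1 in whitelist:
        return "known-good"   # whitelisting: drop from further investigation
    if sha1 in blacklist:
        return "known-bad"    # blacklisting: examiner confirms by hand
    return "unknown"          # on neither list: stays in the manual-review pile


def triage(blob, whitelist, blacklist):
    """Carve every JPEG object in the buffer and label it by hash lookup."""
    return [(off, verdict(obj, whitelist, blacklist))
            for off, obj in carve_jpegs(blob)]


# --- constructed sample data (not from any real case) ----------------------
GOOD_IMAGE = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00good-image" + JPEG_TRAILER
BAD_IMAGE = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00bad-image" + JPEG_TRAILER
UNKNOWN_IMAGE = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00unknown" + JPEG_TRAILER

# Constructed reference hash sets standing in for a real reference database.
WHITELIST = {hash_values(GOOD_IMAGE)["sha1"]}
BLACKLIST = {hash_values(BAD_IMAGE)["sha1"]}

# Unallocated space holding three contiguous objects, filler bytes between
# them, and a trailing header whose body has been overwritten.
UNALLOCATED = (b"\x00" * 64 + GOOD_IMAGE + b"\x00" * 32 + BAD_IMAGE
               + b"\xaa" * 16 + UNKNOWN_IMAGE + b"\x00" * 8
               + JPEG_HEADER + b"truncated")

if __name__ == "__main__":
    for off, label in triage(UNALLOCATED, WHITELIST, BLACKLIST):
        print(f"offset {off:6d}: {label}")
```

Running it reports the object at offset 64 as known-good (excluded by whitelisting), the one at 119 as known-bad (flagged for manual confirmation), and the one at 157 as unknown; the truncated header at the end is skipped because no trailer follows it. Changing a single byte of the good image moves it from the whitelist to the unknown pile, which is the "tiniest change alters the hash" property the article relies on.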