Posted: 11/24/2011
EnCase Forensics Analysis
Chantel Bowie



Introduction

       With technology steadily on the rise, the use of computers to handle manual labor jobs increases. Criminal acts occur every minute of the day. Forensics provides numerous answers involving every sort of crime, but finding these answers takes time. Handling and discovering evidence digitally seems quite apparent. Digital (computer) forensics combines the sciences of discovering evidence in a technological way. EnCase is a well-known, widely used software product for accomplishing this task.

Product Description

       EnCase Forensic is the industry standard in computer forensic investigation technology (4). It has been proven to be extremely simple, especially with the handling of complex investigations. The ability to analyze and search large amounts of data quickly and easily is a critical capability of any incident response, computer investigation or analysis tool (5). EnCase software offers the most advanced, comprehensive and easy-to-use tool to carry out these complicated and time-consuming tasks, across multiple file systems and languages (5).

       EnCase also provides a powerful search engine that allows you to search for specific details within the suspect media. A Proximity Search allows searching for specific keywords or details. Internet and Email Search allows searching of various email entities across numerous machines. A number of other options for searching through data are available via EnCase's Search Options.

       EnCase recently created the EnCase Enterprise Edition (EEE) for major organizations to prepare themselves for the computer incidents that will occur. EnCase Enterprise is a powerful, network-enabled, multi-platform enterprise investigation solution (8). The benefits of utilizing EnCase Enterprise are great and seem endless. Five core components are included in its platform. The Secure Authentication for EnCase (SAFE) authenticates users, administers access rights, retains EnCase transaction logs, carries out Snapshot analysis, brokers communications and secures data transmission (8). The Enterprise Examiner allows investigators to monitor impromptu incidents. EnCase Servlets installed on devices, workstations and servers target suspect computers. The Enterprise Connection establishes a secure virtual connection between the Examiner and the target machines (8). These machines can be analyzed simultaneously. And the Incident Response Analysis quickly captures volatile data to reveal details about open files, running processes and other crucial information at any given moment (8). Without EnCase Enterprise, organizations must resort to cumbersome and inefficient manual processes using stand-alone utilities that extend the response and investigation process by days or weeks, and require target systems to be taken out of service (8).

       The EnCase Linen Utility is a version of EnCase that runs on Linux machines. It permits users who are limited by the Windows-based version to work in a non-Windows operating system. Linen users are able to handle extremely large hard drives and acquire data much faster (8).
       EnCase provides an intuitive graphical user interface (GUI) (4) that allows easy navigation. Most of the time, a computer forensics examiner can readily open a suspicious file in another window without closing the GUI tool (2). The National Institute of Standards and Technology (NIST), under its Computer Forensics Tool Testing Project, concluded that examiners utilizing EnCase can be confident in the reliability of this tool in creating accurate and verifiable bit-stream images of the target media (7).

How it Works

       EnCase has the ability to gather forensic data on a vast array of operating system platforms. In cases involving computers, criminals often attempt to delete pertinent information. EnCase is able to find this information despite efforts made to hide, cloak or delete it (4). As stated before, EnCase proves to be as simple as flipping a light switch.

       Figure 1 below shows just how simple it is. The examiner starts from some form of suspect media, be it a hard drive currently installed or an external drive that needs to be inserted. Files are copied from these media devices and stored as images.

                                           Figure 1
       These image copies are authenticated via MD5. Message Digest algorithm 5 (MD5) is used to check the file integrity of computer forensic data. Once the content of the media image is analyzed, detailed information is presented and documented. Detailed information can be anything from when a file was hidden or deleted, to email information (sender, receiver, message, etc.), to temporary internet files and cookies.
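The authentication step described above, as an added example in Python (not code from the paper or from Guidance Software): a constructed stand-in for an acquired bit-stream image is hashed in chunks, the digests are recorded at acquisition time, and a later re-hash must match before the copy is trusted. MD5 by itself is no longer collision-resistant, so the example records SHA-256 alongside it, which is current practice rather than something the paper describes.

```python
import hashlib
import hmac
import random


def make_sample_image(size=16384, seed=2011):
    """Constructed stand-in for an acquired drive image: a repeating 0x55AA
    sector pattern followed by seeded pseudo-random bytes (not a real image)."""
    rng = random.Random(seed)
    return bytes([0x55, 0xAA] * 2048) + bytes(rng.getrandbits(8) for _ in range(size - 4096))


def hash_image(data, algorithms=("md5", "sha256"), chunk_size=4096):
    """Hash a bit-stream image in fixed-size chunks, the way an acquisition tool
    streams a large drive instead of loading it into memory. Returns a dict of
    algorithm name -> hex digest, which is what gets recorded in the case notes."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(data, acquisition_hashes):
    """Re-hash the image and compare every recorded digest. Returns
    (ok, mismatched_algorithms). A single flipped bit anywhere in the image
    changes each digest, so ok == False means this is not the image acquired."""
    current = hash_image(data, algorithms=tuple(acquisition_hashes))
    mismatches = [
        name for name, recorded in acquisition_hashes.items()
        if not hmac.compare_digest(current[name], recorded)
    ]
    return (not mismatches, mismatches)


if __name__ == "__main__":
    image = make_sample_image()
    recorded = hash_image(image)          # what the examiner writes down at acquisition
    print("acquisition hashes:", recorded)
    print("pristine copy verifies:", verify_image(image, recorded))

    tampered = bytearray(image)
    tampered[5000] ^= 0x01                # one bit altered in the working copy
    print("tampered copy verifies:", verify_image(bytes(tampered), recorded))
```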

       The information found can also be generated into a simple report document. EnCase Enterprise lets users define with detailed granularity what information is presented and how it is presented, based on the purpose and target audience of the investigation (5). Reports can be automatically generated. Automated reports show a wealth of information depending on the type being generated (5). Certain items to be included in a report can be bookmarked. These are the individual components that drive the information contained in the EnCase report (5). Different types of bookmarks could be highlighted data, notes, notable files and more. The information found may be automatically sent to law enforcement personnel to be used as digital evidence in court.

Uses

       Computer forensics involves preserving, identifying, extracting, documenting and interpreting computer data. Computers can be the instrument used to commit the crime, the victim of the crime, and/or the storage place for evidence of the crime. Computer forensics investigations include email, Windows registry files, internet web browsing activity, live system forensics and incident response, and static and dynamic analysis of unknown executables.

       Law enforcement officers, government/corporate investigators, and consultants around the world benefit from the power of EnCase Forensic in a way that far exceeds any other forensic solution (4). Organizations are using digital technology to trace electronic trails of information to analyze and use as supporting documentation. Tools such as this are now finding their way into more organizations so that companies can respond effectively to security incidents, internal HR investigations and litigation requiring e-discovery (6). EnCase supplies evidence in both civil and criminal cases and can be used to detect and possibly prevent these types of crimes from happening.

        Most uses of EnCase involve imaging of regular computer files and media. Despite this fact, two of the most critical areas of any investigation typically involve the analysis of artifacts related to the Internet and email (5).

        Though the EnCase Enterprise Edition is based upon the same technology as the stand-alone forensic edition, it is modified to run in a live enterprise environment (9). The EEE version also has uses other than forensics. Incident response puts a spotlight on new activity as it comes into play. An investigator can connect to suspect machines and analyze local drives for new files, check for new processes and identify all listening ports (6).

References

1. Berghel, Hal. The Discipline of Internet Forensics. 2003. New York, NY: ACM Press.

2. Fernandez, John D., Smith, Stephen, Garcia, Mario, Kar, Dulal. Computer Forensics: A Critical Need in Computer Science Programs. 2005. Consortium for Computing Sciences in Colleges.

3. Francia, Guillermo A., Clinton, Keion. Computer Forensics Laboratory and Tools. 2005. Consortium for Computing Sciences in Colleges.

4. Guidance Software: EnCase Forensics. http://www.guidancesoftware.com/products/ef_index.asp. Accessed September 15, 2007.

5. Guidance Software. EnCase Forensic Detailed Product Description. 2006: Pasadena, California.

6. Sawyer, John H. Rollout: Guidance Software EnCase Enterprise 6. March 1, 2007. http://www.darkreading.com/document.asp?doc_id=126009. Accessed September 16, 2007.

7. Guidance Software. Comments on NIST Test Results for Disk Imaging Tools: EnCase 3.20. June 2003.

8. Guidance Software. EnCase Enterprise Detailed Product Description. April 2005.

9. Guidance Software. Evidentiary Authentication within the EnCase Enterprise Process. June 2003.
