Friday, December 25, 2009

Collect Evidence With EnCase Portable

EnCase Portable enables anyone with basic computer skills to collect electronic evidence in the field
Sean Doherty

Law.com

December 03, 2009
Technology is supposed to make things simpler. But when computers become the targets of investigation or litigation, the increasing simplicity of computing is deceptive and requires a forensic expert to gather electronic evidence. Guidance Software aims to change that with EnCase Portable.

EnCase Portable is designed to allow anyone with basic computer skills to collect electronic evidence from x86 and x64 computers and maintain a proper chain of custody. Portable is packaged on a bootable, 4-gigabyte USB device with approximately 2 gigabytes of free storage space to collect evidence in Guidance Software’s Logical Evidence File (LEF), a bit-stream image with a checksum computed using the MD5 cryptographic hash function. If an operator needs more space for evidence, the Portable product also includes a 16-gigabyte USB storage device. If even more space is needed, version 1.2.1 of EnCase Portable supports any USB storage device.
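The chain-of-custody value of the hashed evidence file is that anyone can later recompute the hash and show the container is byte-for-byte what was collected. The following is an added illustration of that check, not Guidance Software code: it does not write the LEF format, but copies a file into a plain evidence directory and records the hashes in a sidecar JSON manifest (a constructed format used only here). SHA-256 is recorded beside MD5 because MD5 collisions are practical today, and a second, independent hash keeps the record defensible.

```python
"""Hash-verified evidence copy (added example; not Guidance Software code).
Copies a file into an evidence directory, records MD5 and SHA-256 in a
constructed JSON manifest, and verifies the copy later by re-hashing it."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a drive image never has to fit in RAM


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest}, reading the file once for all algorithms."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def collect(source_path, evidence_dir, collector):
    """Copy source_path into evidence_dir, confirm the copy hashes identically
    to the source, and write a manifest recording hashes, size, who and when.
    Returns the manifest path."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, os.path.basename(source_path))
    source_hashes = hash_file(source_path)   # hash the original before copying
    shutil.copyfile(source_path, dest)
    copy_hashes = hash_file(dest)            # re-hash what actually landed on the device
    if copy_hashes != source_hashes:
        raise RuntimeError("copy does not match source; acquisition failed")
    manifest = {
        "source": os.path.abspath(source_path),
        "evidence": dest,
        "size": os.path.getsize(dest),
        "hashes": copy_hashes,
        "collector": collector,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    manifest_path = dest + ".manifest.json"
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest_path


def verify(manifest_path):
    """Recompute the evidence hashes and compare them with the manifest.
    Returns (ok, mismatched_algorithms) so a reviewer sees which check failed."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    current = hash_file(manifest["evidence"], tuple(manifest["hashes"]))
    mismatched = sorted(a for a, d in manifest["hashes"].items() if current[a] != d)
    return (not mismatched, mismatched)


def demo():
    """Constructed run in a temporary directory: acquire a file, verify it,
    alter one byte of the copy, verify again. Returns both verdicts and the
    list of algorithms that caught the alteration."""
    root = tempfile.mkdtemp(prefix="evidence-demo-")
    try:
        source = os.path.join(root, "sample.txt")
        with open(source, "wb") as fh:
            fh.write(b"constructed sample evidence\n")
        manifest = collect(source, os.path.join(root, "FileEvidence"), "example operator")
        ok_before, _ = verify(manifest)
        with open(manifest, encoding="utf-8") as fh:
            evidence = json.load(fh)["evidence"]
        with open(evidence, "r+b") as fh:   # change the first byte to simulate tampering
            fh.write(b"C")
        ok_after, mismatched = verify(manifest)
    finally:
        shutil.rmtree(root)
    return ok_before, ok_after, mismatched


if __name__ == "__main__":
    print(demo())
```

Running the module acquires a constructed sample, verifies it, flips one byte, and verifies again; the second verification fails on both algorithms, which is the whole point of recording the hash at collection time rather than at analysis time.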

The Portable product comes with default collection jobs that carry out a set of predefined tasks to collect documents, e-mail, internet history, and files containing Social Security and credit card numbers. These jobs are run by booting the target computer from the USB drive or, if you have an older computer or one that cannot boot from a USB device, from a bootable CD-ROM. Portable also works on systems running a Windows OS to collect random access memory.

EnCase Portable also comes with an installation DVD for EnCase Source Processor release 6.14.1 and above. The Source Processor can create more customized jobs if the default jobs are not suitable for a specific collection. These jobs are stored on dedicated USB devices. Once the devices are returned, the Source Processor is used to analyze and report on the collected LEF containers. Since I did not have the Source Processor installed, this review is limited to the default set of collection jobs used in the field.

All of the Portable jobs delivered on the USB ran successfully on my home office computers. In fact, the Portable "Corporate PII Audit" job was so successful in finding files that I seeded with credit card numbers and Social Security numbers, along with temporary files, that I have sworn to do online banking and credit card management from a computer that never physically leaves the home office. Other Portable jobs collected documents and internet history (for Internet Explorer versions 7 and 8 and Mozilla Firefox versions 2 and 3) as well as e-mail and picture files. The Portable product was also able to copy an image of a 60-gigabyte drive in a Dell Inspiron I6400 laptop computer as well as take a snapshot of its 1 gigabyte of physical memory.

I delivered the initial results of my investigation to a Guidance Software engineer for review and analysis. Later, I used GetData Software Mount Image Pro v3 to review test results in my home office.

DATA ACQUISITION TO GO

I booted a Lenovo ThinkPad X24 (Intel Pentium III processor, 1133 MHz, 640 MB RAM) with the Portable CD-ROM and booted a Lenovo ThinkPad T43 (Intel Pentium M processor, 1.86 GHz, 1024 MB RAM) and Dell Inspiron I6400 (Intel T2300, 1.66 GHz, 1024 MB RAM) with the USB device. For each computer, Microsoft Windows PE loaded and detected hardware, built a list of all drives, allowed only EnCase Portable drives to run, and created a page file. The boot process also checked for a HASP licensing dongle.

I’m not a big fan of licensing dongles, ever since they required me to plug them into the only parallel port of a PS/2. At least today's computers have more than one available USB port. But even if they didn't, Guidance Software packs a 4-port USB hub with the Portable product.

The licensing dongle contains Aladdin Hasp License Manager (Hasplms.exe) that requires approximately 14 MB of memory to run. But don’t worry about the memory use of the license manager, or any Portable application for that matter. The system under examination will not be doing anything other than getting examined. And you will not need an internet connection to do the collection. The Hasp drivers are included on the USB device.

After the OS loads, EnCase Portable runs with Oracle Outside In to view documents in their native format. The application then presented me with the default jobs that were preloaded on the USB device. See Figure 1.

Figure 1: The default jobs preloaded on the USB device.

I started to collect document files first. Portable searched for files on the laptops that matched the format for MS Office, Open Office, Star Office, PDF and other document formats such as RTF and TXT. When these documents were found, they were collected into an LEF and placed in the \Encase Portable Evidence\Source Processor\FileEvidence folder on the USB drive. On the X24, this job took approximately 38 minutes to complete.

The time it takes to complete any job will depend on the computer hardware (processor speed and physical memory, or RAM) under examination and the number of documents or other items on disk that match the search criteria coded on the default jobs. The amount of physical RAM on the computer under investigation will dictate the size of the page file that EnCase uses to operate, and thus determine how fast the product can write output to a USB device. And remember that, without contention, USB 2.0 transfers data at 480 megabytes per second; 12 megabytes per second for USB 1.1. So don’t keep the car running while waiting for your assistant to collect evidence with Portable.

After I collected documents, I opted to gather internet history information that included cookies, bookmarks, downloads and cached data. Portable collected the internet history for both IE and Firefox. The "Create Internet Artifacts Report" job searched for Uniform Resource Locator (URL) strings contained in data files on all test computers and provided a report of all the internet sites that I traversed before last clearing my history. This report was very, very enlightening, to say the least.
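Both the internet-artifacts job described here and the "Corporate PII Audit" job mentioned earlier work by pattern-searching raw file contents rather than parsing any particular application format, which is why they find URLs and card numbers in temporary files the user never knowingly saved. The following is an added example in that spirit, not EnCase code and reading no EnCase job definition: it searches bytes for URL strings (ASCII and the UTF-16LE encoding common in Windows artifacts) and for candidate Social Security and payment card numbers, keeping only card numbers that pass the Luhn check so that order numbers and serials produce fewer false positives. The report carries hostnames and masked card numbers only, so the report itself does not become a second copy of the PII it found. The sample input is constructed.

```python
"""Raw-byte artifact scanner (added example; not EnCase code). Finds URL
hostnames and PII-shaped strings in file contents and returns a report that
counts and masks rather than reproduces the sensitive values."""
import re
from urllib.parse import urlsplit

URL_ASCII = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>\x00]*)?")
# Same thing in UTF-16LE: every printable character is followed by a null byte.
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
# SSN area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD = re.compile(rb"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_hosts(data):
    """Unique hostnames from URL strings found in either encoding."""
    hosts = set()
    for m in URL_ASCII.finditer(data):
        hosts.add(urlsplit(m.group().decode("ascii", "replace")).hostname)
    for m in URL_UTF16.finditer(data):
        hosts.add(urlsplit(m.group().decode("utf-16-le", "replace")).hostname)
    return sorted(h for h in hosts if h)


def find_pii(data):
    """(ssns, cards): SSN-shaped strings and Luhn-valid card numbers, de-duplicated."""
    ssns = sorted({m.group().decode("ascii") for m in SSN.finditer(data)})
    cards = set()
    for m in CARD.finditer(data):
        digits = re.sub(r"[ -]", "", m.group().decode("ascii"))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            cards.add(digits)
    return ssns, sorted(cards)


def mask(number):
    """Keep only the last four digits in the report."""
    return "*" * (len(number) - 4) + number[-4:]


def scan(data):
    """Report dictionary for one file's contents."""
    ssns, cards = find_pii(data)
    return {"hosts": find_hosts(data), "ssn_count": len(ssns),
            "card_count": len(cards), "cards_masked": [mask(c) for c in cards]}


# Constructed sample standing in for one file's raw contents.
SAMPLE = (
    b"visited http://www.example.com/login?x=1 yesterday\n"
    + "https://news.example.org:8443/a b".encode("utf-16-le")  # UTF-16 artifact
    + b"\nSSN 123-45-6789 on file; order id 1234567890123 is not a card\n"
    + b"card 4111 1111 1111 1111 expires soon\n"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On the constructed sample the scanner reports both hostnames, one SSN, and one card number (the 13-digit "order id" fails Luhn and is dropped). Running it over a real temporary-files directory, as the review's audit job did, is where the volume of stray PII becomes visible.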

I thought about skipping the collection of e-mail files since I used Outlook in Exchange Server mode and did not keep any local e-mail files. But on a whim, I went ahead. EnCase found a number of e-mail messages from a previous instance of a POP3 mailer. For e-mail collection, Portable supports MS Exchange, MS Outlook, Lotus Notes/Domino and several other mail formats. When these files are found they are acquired and stored in an LEF on the USB device. In the same manner, Portable collected picture files by searching for JPG, GIF, IMG, BMP and other picture formats.

When I went to create a copy of RAM, I looked at my server-class machines; however, they both contained 64-bit processors. EnCase Portable does not yet have the 64-bit drivers to collect RAM on x64 systems. So I turned my attention to the Dell Inspiron and inserted the Portable USB device and the HASP Licensing Manager into its running copy of Windows XP. After I ran EnCase Portable, the application loaded the HASP drivers and presented me with a list of jobs to run. I chose "Create Copy of Drive or Memory"; EnCase then presented me with a list of available drives, one of which was my RAM drive. See Figure 2, below.

Figure 2: The list of available drives, including the RAM drive.

In one click, Portable saved a copy of RAM to an external USB drive that I prepared in advance using Guidance Software’s script "Prepare Portable.vbs." The Visual Basic script creates a directory structure on the target drive similar to the directory structure on the thumb drive: \EnCase Portable Evidence\Source Processor\*. Note that you can simply create the directory structure by yourself as well, but make sure the drive or directory is not write-protected.
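Preparing the destination drive in advance is the step most easily skipped, and a write-protected device is found out only when the job fails. The following is an added example, not Guidance Software's "Prepare Portable.vbs": it lays out the \EnCase Portable Evidence\Source Processor\* directories on a destination and proves the location is writable before collection starts. "FileEvidence" is the subdirectory named in this review; the other two subdirectory names are assumed placeholders standing in for the "*".

```python
"""Destination preparation (added example; not Guidance Software's script).
Creates the evidence directory layout and verifies writability and free space."""
import os
import shutil
import tempfile
import uuid

EVIDENCE_ROOT = os.path.join("EnCase Portable Evidence", "Source Processor")
SUBDIRS = ("FileEvidence", "MemoryEvidence", "DriveEvidence")  # last two are assumed names


def prepare_destination(drive_root):
    """Create the evidence layout under drive_root; returns the directory paths."""
    created = []
    for name in SUBDIRS:
        path = os.path.join(drive_root, EVIDENCE_ROOT, name)
        os.makedirs(path, exist_ok=True)
        created.append(path)
    return created


def is_writable(directory):
    """Prove writability by creating and deleting a probe file; os.access()
    can report writable for a read-only mount or a write-protected device."""
    probe = os.path.join(directory, ".write-probe-" + uuid.uuid4().hex)
    try:
        with open(probe, "wb") as fh:
            fh.write(b"probe")
        os.remove(probe)
        return True
    except OSError:
        return False


def check_destination(drive_root, required_free_bytes=0):
    """Create the layout and summarise readiness: every directory writable and
    at least required_free_bytes free, so the operator can demand headroom for
    a drive image before leaving with an undersized device."""
    dirs = prepare_destination(drive_root)
    unwritable = [d for d in dirs if not is_writable(d)]
    free = shutil.disk_usage(drive_root).free
    return {"directories": dirs, "unwritable": unwritable, "free_bytes": free,
            "ready": not unwritable and free >= required_free_bytes}


def demo():
    """Constructed run against a temporary directory standing in for the USB
    drive. Returns (ready with no size requirement, ready when 2**62 bytes are
    demanded, writability verdict for a directory that does not exist)."""
    root = tempfile.mkdtemp(prefix="portable-dest-")
    try:
        normal = check_destination(root)["ready"]
        too_small = check_destination(root, required_free_bytes=2 ** 62)["ready"]
        missing = is_writable(os.path.join(root, "does-not-exist"))
    finally:
        shutil.rmtree(root)
    return normal, too_small, missing


if __name__ == "__main__":
    print(demo())
```

Pass the drive letter or mount point of the destination as drive_root, and the expected image size as required_free_bytes; the probe-file approach catches the write-protect switch that a permissions check alone would miss.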

Next, I tried collecting the contents of a hard disk. That’s no small matter over a USB connection for any size drive. So I shied away from the 250-gigabyte drives on my servers and turned my attention to the Dell Inspiron I6400 with a 60-gigabyte hard disk (Seagate ST96812A) partitioned into two drives.

I booted the Inspiron with the USB device and Portable gave me options to copy an image of the whole disk or one or both of the partitions. I chose one of the partitions. Toward the end of the collection, Portable alerted me to the fact that my destination disk was too small and prompted me to "Pick another path?" Then I plugged in a 16-gigabyte thumb drive and, without creating the normal directories, Portable started copying the final files of evidence to the root directory of the added drive.

EnCase Portable supports decrypting data that was encrypted using PGP Whole Disk Encryption, WinMagic SecureDoc Full-Disk Encryption, McAfee SafeBoot, Utimaco SafeGuard and PC Guardian Encryption Plus. When Portable encounters an encrypted drive, a dialog box opens to provide decryption options. If the encryption scheme is not supported, you can still take an image of the drive in its encrypted form for further investigation. Portable also supports the collection of Windows event logs, UNIX wtmp and utmp files that record login information, and Linux system logs.

CONCLUSION

EnCase Portable lets anyone with minimal technical knowledge collect electronic evidence, with a chain of custody, from computers in the field. This will free up time for computer forensic experts and allow them to focus their attention on analysis and reporting, rather than initial collection.

Product: EnCase Portable
Manufacturer: Guidance Software
Licensing: If law enforcement, then $898.50 per license key; otherwise, $999 per license key.

Equipment used in this review:
Hewlett-Packard ML 350 G6
Lenovo ThinkPad T43, X24
Dell Inspiron I6400
Microsoft Windows 2003 R2, XP
GetData Software Mount Image Pro v3
