Difference between revisions of "EnCase"

From Forensics Wiki
Jump to: navigation, search
(Breaking Encase with FILE0 and Winhex)
 
(16 intermediate revisions by 8 users not shown)
Line 1: Line 1:
{{Wikify}}
+
{{Infobox_Software |
 +
  name = EnCase |
 +
  maintainer = [http://www.guidancesoftware.com Guidance Software] |
 +
  os = [[Windows]] |
 +
  genre = {{Analysis}} |
 +
  license = {{Commercial}} |
 +
  website = [http://www.guidancesoftware.com www.guidancesoftware.com] |
 +
}}
  
Encase is an all-in-one computer forensics suite from Guidance Software Inc.
+
'''EnCase''' is a family of all-in-one computer forensics suites sold by [[Guidance Software]]. These products include EnCase Enterprise, EnCase Forensic Edition, EnCase eDiscovery, and EnCase Lab Edition. These programs use a proprietary image file format that has been reverse engineered. Users can create scripts, called [[EnScripts]], to automate tasks.  
  
=File Format=
+
== History ==
Perhaps the '''de facto''' standard for forensic analyses in law enforcement, Guidance Software's EnCase Forensic encase} uses a proprietary format for images, reportedly based on ASR Data's Expert Witness Compression Format. EnCase's Evidence File .E01) format contains a physical bitstream of an acquired disk, prefixed with a '"Case Info" header, interlaced with CRCs for every block of 64 sectors~(32 KB), and followed by a footer containing an MD5 hash for the entire bitstream. Contained in the header are the date and time of acquisition, an examiner's name, notes on the acquisition, and an optional password; the header concludes with its own CRC.
+
Expert Witness (for Windows) was the original name for EnCase (dating back to 1998). More info about this can be found on the Internet Archive [http://web.archive.org/web/19980504153628/http://guidancesoftware.com/] including a demo of the original software [http://web.archive.org/web/19980504153759/http://guidancesoftware.com/data/ewsetup.exe].
  
Encase can store media dat into multiple evidence files, which are called segment files. Each segment file consist of multiple sections. Each section consist of a section start definition. This contains a section type.
+
== File Format ==
 +
See [[Encase image file format]]
  
At least from Encase 3 the case info header is contained in the "header" section, which is defined twice within the file and contain the same information.
+
== Hash Databases ==
 +
EnCase uses [[MD5]] hashes and stores them in its proprietary [[Encase hash files|Encase hash file format]]; either individually or in a "hash map".
 +
EnCase supports importing hashes from the [[National Software Reference Library|NSRL]], [[Hashkeeper]], and plain MD5 files.
  
With Encase 4 an additional "header2" section was added. The "header" section now appears only once, but the new "header2" section twice.
+
== See Also ==
 +
* [[Encase image file format]]
 +
* [[EnScripts]]
 +
* [[LinEn]]
 +
* WinEn
  
Version 3 of The Encase F introduced an "error2" sections that it uses to record the location and number of bad sector chunks. The way it handles the sections it can't read is that those areas are filled with zero. Then Encase displays to the user the areas that could not be read when the image was acquired. The granularity of unreadable chunks appears to be 32K.
+
== External Links ==
  
Within Encase 5 the amount of sectors per block (chunk) can vary.
+
* [http://www.guidancesoftware.com Guidance Software]
 
+
Encase from at least in version 3, 4 and 5 can hash the data of the media it acquires.
+
It does this by calculating a MD5 hash of the original media data and adds a hash section
+
to the last of the segment files.
+
 
+
=Features=
+
 
+
==File Systems Understood==
+
 
+
==File Search Facilities==
+
 
+
==Historical Reconstruction==
+
 
+
Can it build timelines and search by creation date?
+
 
+
==Searching Abilities==
+
 
+
Can it search? Does it build an index? Can it focus on file types or particular kinds of metadata?
+
 
+
==Hash Databases==
+
 
+
Encase uses [[MD5]] hashes and uses a [[Encase hash files|proprietary file format]] to store them. It can also import hashes from the [[NSRL]], [[Hashkeeper]], and plain MD5 files.
+
 
+
==Evidence Collection Features==
+
 
+
Can it sign files? Does it keep an audit log?
+
 
+
=History=
+
 
+
Originally written in (YEAR), it has now developed into a Forensic Edition and an Enterprise Edition.
+
 
+
==License Notes==
+
 
+
Is it commercial or open source? Are there other licensing options?
+
 
+
= External Links =
+
 
+
* [http://www.guidancesoftware.com/lawenforcement/ef_index.asp EnCase Website]
+
 
* [http://www.safehack.com/Textware/forensic/Anti_Forensic_Break_Encase.pdf Breaking Encase with FILE0 and Winhex]
 
* [http://www.safehack.com/Textware/forensic/Anti_Forensic_Break_Encase.pdf Breaking Encase with FILE0 and Winhex]
 
==External Reviews==
 

Latest revision as of 01:24, 21 July 2012

EnCase
Maintainer: Guidance Software
OS: Windows
Genre: Analysis
License: Commercial
Website: www.guidancesoftware.com

EnCase is a family of all-in-one computer forensics suites sold by Guidance Software. These products include EnCase Enterprise, EnCase Forensic Edition, EnCase eDiscovery, and EnCase Lab Edition. These programs use a proprietary image file format that has been reverse engineered. Users can create scripts, called EnScripts, to automate tasks.

Contents

History

Expert Witness (for Windows) was the original name for EnCase (dating back to 1998). More info about this can be found on the Internet Archive [1] including a demo of the original software [2].

File Format

See Encase image file format

Hash Databases

EnCase uses MD5 hashes and stores them in its proprietary Encase hash file format; either individually or in a "hash map". EnCase supports importing hashes from the NSRL, Hashkeeper, and plain MD5 files.

See Also

External Links

Retrieved from "http://www.forensicswiki.org/w/index.php?title=EnCase&oldid=1151"