
'Interrogating' Hard Drives With EnCase v6: Great Updates

In this column, the author reviews hardware and software products that could aid the fraud examiner. The author avows that he has no relationship of any type with the companies that represent or manufacture the reviewed products. His opinions are solely his own and aren't necessarily those of Fraud Magazine or its staff. — Ed. 
 
In my September/October 2007 column, I described hardware and software used by the computer forensic specialist to capture a suspect hard drive and create an "image." An image copy differs from a copy made using conventional backup or disk duplication software in that the image is an exact duplicate of every sector of the drive. It therefore captures active data, which is accessible by the operating system and application programs (such as an Excel worksheet that can be seen and opened using Excel); files that the user never knew resided on the drive (temporary files created during printing, e-mail, and Internet operations); and files that the suspect believes were deleted using the Windows deletion program. 
 
The image copy, referred to as the evidence drive, will be imported into forensic analysis software that will allow the computer forensic specialist to recover the deleted and temporary files as well as analyze and search the entire drive using key word searches and other techniques. The fraud examiner will incorporate the results of this analysis into the final report. 
 
I have always considered EnCase a robust, all-in-one investigative tool, and its new features and increased ease of use have made the pricey product even more appealing. EnCase v6 began shipping in December 2006 and is currently up to Version 6.8, which is an indication of the company's commitment to constantly improving its product. 
 
EnCase is available in three different versions: the Forensic, which is a stand-alone tool; the Field Investigation Module (FIM), which is primarily intended for law enforcement use; and the Enterprise version, which is both a corporate and private sector forensic version intended for a larger installation environment. 
 
THE ENCASE VIEWS 
The EnCase desktop has four basic tables in which the file information can be seen in different ways based upon numerous user options such as text, graphic, timeline, and more. (See Figure 1.)
 
[The figures referenced below are no longer available. — Ed.]
 
Figure 1 
When populated with data, the recovered files are viewed in their native format in the VIEW pane. Figure 2 shows an e-mail recovered from a suspect drive. 
 
Figure 2 
Notice that the TREE pane resembles Windows Explorer and the TABLE pane details the files with much file-specific information such as the creation date, last used date, modified date, and deleted date (if applicable). 
 
FROM EVIDENCE DRIVE TO EVIDENCE FILE 
Of utmost importance in any acquisition and analysis of digital information is the ability to preserve and document the preservation of the original evidence drive. EnCase is used to create an evidence file from the evidence drive without altering the image on the evidence drive. After creating the evidence file, the image on the evidence drive should be securely stored and not used again unless required in court to support the continuity of evidence. 
 
The evidence drive is connected to the investigator's computer with a small, inexpensive piece of hardware called a write blocker, which ensures that the flow of data is unidirectional and the evidence drive can't be altered in any manner. EnCase recognizes the evidence drive and will allow the creation of an evidence file that can be stored in any location connected to the computer being investigated. Prior versions required that the evidence file be stored on the local drive, which I found didn't have sufficient free space in many instances. I've found it extremely useful to use removable USB hard drives to create the evidence drives that I can label and store by case. Since these cases can last for years until they reach conclusion, the ability to easily and quickly attach and remove the evidence file drive has been invaluable. 
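The sector-level copy described in the opening paragraphs, and the requirement to document that the evidence was preserved unaltered, are the two halves of an acquisition. The following script is an added illustration written for this column, not EnCase code or any vendor's tool: it copies a stand-in "drive" sector by sector (including the zero-filled and unallocated sectors), hashes the source as it is read and the finished image as it lands on disk, and records both digests so the image can be re-verified later. The sample drive contents, file names and sector size are constructed assumptions; a real acquisition reads a block device behind a hardware write blocker.

```python
"""Added example (not EnCase code): a minimal sector-by-sector imager with
integrity verification. Paths and the sample 'drive' are constructed."""
import hashlib
import os
import tempfile

SECTOR = 512  # classic sector size; a real tool uses the size the device reports


def hash_file(path: str, sector_size: int = SECTOR) -> str:
    """SHA-256 of a file, read in sector-sized chunks so large images stream."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(sector_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source_path: str, image_path: str, sector_size: int = SECTOR) -> dict:
    """Copy source to image sector by sector, hashing the source as it is read.

    Returns acquisition metadata suitable for an evidence log: byte count,
    sector count, SHA-256 of the source stream and SHA-256 of the written image.
    """
    src_hash = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(sector_size)
            if not chunk:
                break
            src_hash.update(chunk)  # every sector counts, allocated or not
            dst.write(chunk)
            total += len(chunk)
    # Re-read the finished image independently so the verification digest
    # reflects what actually landed on disk, not merely what we meant to write.
    image_hash = hash_file(image_path, sector_size)
    return {
        "bytes": total,
        "sectors": (total + sector_size - 1) // sector_size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
    }


def verify_image(image_path: str, recorded_sha256: str) -> bool:
    """Later re-verification (before analysis, or for court): recompute and compare."""
    return hash_file(image_path) == recorded_sha256


def build_sample_drive(path: str) -> None:
    """Constructed stand-in for a suspect drive: one live file, one zero-filled
    sector, and one 'deleted' file whose bytes still sit in an unallocated sector."""
    live = b"BUDGET.XLS: Q3 consulting fees approved".ljust(SECTOR, b"\x00")
    unused = b"\x00" * SECTOR
    deleted = b"DELETED: wire 48,500 to offshore acct".ljust(SECTOR, b"\x00")
    with open(path, "wb") as f:
        f.write(live + unused + deleted)


def demo() -> dict:
    """Acquire the sample drive, then re-verify the image from its recorded digest."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")   # constructed name
    image = os.path.join(workdir, "case042.dd")          # constructed name, raw format
    build_sample_drive(drive)
    meta = image_device(drive, image)
    meta["reverified"] = verify_image(image, meta["image_sha256"])
    return meta


def demo_tampered() -> bool:
    """Show the failure mode: a single altered byte in the image breaks verification."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "suspect_drive.bin")
    image = os.path.join(workdir, "case042.dd")
    build_sample_drive(drive)
    meta = image_device(drive, image)
    with open(image, "r+b") as f:
        f.seek(SECTOR + 7)   # somewhere inside the zero-filled sector
        f.write(b"\x01")
    return verify_image(image, meta["image_sha256"])   # False after tampering


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("tampered image verifies:", demo_tampered())
```

The digests belong in the case notes alongside the drive serial number and the write blocker used; recomputing them before each analysis session is what lets you state in testimony that the evidence file examined is the one acquired.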
 
During the acquisition stage, when the evidence file is created, EnCase will also identify and recover lost files. These are the deleted files (in whole or remnants) and deleted folders and other information detailing what happened on the drive in the past. Much of this might be useful in reconstructing timelines of events and historical alterations to files. 
 
RECOVERED E-MAILS AND ATTACHMENTS 
History has shown that e-mails have formed the core of many major cases. Witness the now infamous Nancy Temple e-mail in the Arthur Andersen case and the Bill Gates' e-mails in the Microsoft trials. 
 
EnCase uses small programs, called scripts, that will perform specific analyses on the evidence files. One of these scripts will recover e-mails and attachments that might still exist on the drive. 
 
KEY WORD SEARCHES 
Searching for text strings is one of the main ways to find evidence with EnCase. At this point, the fraud examiner creates a list of "key words" that are pertinent to a specific investigation. EnCase searches the entire drive for matches including the unallocated clusters and slack space. The results include every instance of the key word whether it's in a current file, deleted file, graphic file, or any other document or part of a document that remains on the drive. Version 6 is able to index an entire case thus enabling faster searching. However, the time to index the case can be excessive. Estimates are that an 80GB file could take up to two weeks to create the index. (As we go to press, with the release of v6.8, the case-indexing engine has been redesigned to improve memory management, increase indexing speed, and improve indexing stability.) 
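To make concrete why a forensic key word search runs over the whole image rather than the mounted file system, here is an added example written for this column (not EnCase's search engine): it scans a constructed three-sector image for each key word in both ASCII and UTF-16LE (the encoding Windows uses for much of its text), and reports every hit with its byte offset and sector, whether the match lies in a live file, in an unallocated sector holding a deleted document, or in the slack after a short file's data. The image contents and key words are constructed for the demonstration.

```python
"""Added example (not EnCase code): key-word search over a raw disk image,
covering live data, unallocated sectors and slack space in two encodings."""
import re
from typing import List

SECTOR = 512


def build_sample_image() -> bytes:
    """Constructed image: sector 0 is a live ASCII document; sector 1 is
    unallocated and still holds a deleted UTF-16LE document; sector 2 holds a
    64-byte file followed by slack that contains a fragment of an older file."""
    live = b"memo.txt: vendor Acme Consulting invoice 4471".ljust(SECTOR, b"\x00")
    deleted = "Transfer to Acme Consulting approved".encode("utf-16-le")
    unallocated = deleted.ljust(SECTOR, b"\x00")
    file_data = b"short note".ljust(64, b"\x00")
    slack = b"old draft: acme consulting kickback".ljust(SECTOR - 64, b"\x00")
    return live + unallocated + file_data + slack


def _context(image: bytes, start: int, end: int, enc: str, width: int = 16) -> str:
    """Printable text around a hit; NULs shown as dots so slack is visible."""
    lo, hi = max(0, start - width), min(len(image), end + width)
    if enc == "utf-16le" and (start - lo) % 2:
        lo += 1  # keep 2-byte code units aligned with the match
    raw = image[lo:hi]
    codec = "utf-16-le" if enc == "utf-16le" else "ascii"
    return raw.decode(codec, errors="replace").replace("\x00", ".")


def search_image(image: bytes, keywords: List[str], sector_size: int = SECTOR) -> List[dict]:
    """Return every case-insensitive hit for each key word, in ASCII and UTF-16LE.

    The search ignores file system structure entirely, so deleted files,
    unallocated clusters and slack are covered exactly like live files.
    """
    hits = []
    for kw in keywords:
        encodings = (("ascii", kw.encode("ascii")), ("utf-16le", kw.encode("utf-16-le")))
        for enc, needle in encodings:
            # re.IGNORECASE on bytes folds ASCII letters, which also works on the
            # interleaved NUL bytes of UTF-16LE for ASCII-range key words.
            for m in re.finditer(re.escape(needle), image, re.IGNORECASE):
                hits.append({
                    "keyword": kw,
                    "encoding": enc,
                    "offset": m.start(),
                    "sector": m.start() // sector_size,
                    "context": _context(image, m.start(), m.end(), enc),
                })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in search_image(build_sample_image(), ["Acme Consulting", "kickback"]):
        print(f"sector {hit['sector']:>3} offset {hit['offset']:>6} "
              f"{hit['encoding']:<8} {hit['keyword']!r}: {hit['context']}")
```

Note that a search of the mounted file system would have returned only the first hit; the other two live in space the operating system no longer presents as a file. Indexing, as the column notes, trades a long one-time pass over the same raw bytes for faster repeated queries.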
 
VIEW THE FILE DIRECTLY IN ENCASE 
Probably one of the most convenient improvements in Version 6 is the ability to view a file in its native format directly in EnCase using its built-in viewer capability. Previously, the file had to be exported and then viewed using the application that created the file. This enhancement saves time, eliminates the need to export files that aren't required, and provides a much faster review of numerous e-mails. Figure 3 shows an Excel file that has been recovered from the evidence file; the file detail is identified in the highlighted row in the TABLE pane. 
 
[Figure 3 referenced below is no longer available. — Ed.]
 
Figure 3 
If you intend to perform electronic data recovery in a forensic investigation, you must have the equipment and the skill set to do the job. There are no shortcuts and there are no second chances. Generally, the capture of the evidence disk is done during a court-ordered seizure or access to the suspect computer granted by the company. In either case, the data will be changing as the suspect computer is being used; the more it is used following the suspected irregularities, the more likelihood that evidence will be destroyed. 
 
Another important point is that you must be able to demonstrate your ability, skills, and qualifications to perform these seizures so you can adequately testify in court about the integrity of the evidence drive and the continuity of the evidence itself. It's not possible to rely solely on a single tool to complete the task. EnCase is part of the toolkit but not the solution itself. Its results will assist the expert witness testimony, but it isn't the expert testimony itself. 
 
Philip C. Levi, CMC, CFE, FCA, CPA, CA-IFA, is the technology editor for Fraud Magazine, and a member of the ACFE Editorial Advisory Committee. He is the partner in charge of the litigation dispute and resolution services division of the Montreal accounting firm, Levi & Sinclair, LLP. Levi is also a member of the ACFE's teaching faculty, past vice-chairman of the ACFE Board of Regents, recipient of the 2007 CFE of the Year Award and a member of the Fraud Advisory Committee of the American Institute of Certified Public Accountants.   
 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced. 
