What Can Forensic Software Do?

06:00 - Thursday 22 July 2004 by Humphrey Cheung
Source: Tom's Hardware – Keywords: forensic, software, maker, gets, tough, on, computer, crime


Mike Fowler, Director of Training Operations at Guidance Software, showed us what EnCase can do. What we saw was enlightening and downright scary at times. Let's start with what file systems it can understand. EnCase runs on Windows yet can parse data acquired from dozens of file system formats. Macintosh, Linux, Unix and Palm are no problem for the software. This relieves a great burden from the investigator, who no longer has to keep spare Linux or Mac boxes lying around. All analysis can be done from Windows.

EnCase acquires the storage medium into an evidence file that is a bit-for-bit duplicate of it. This file can be copied and passed around so that multiple investigators can search for different items, while the original, usually a hard drive, can be safely stored in an evidence locker.

Almost every media type can be recovered and examined. Pictures can be recovered from the flash media of digital cameras. Mr. Fowler formatted a USB pendrive in front of us and recovered all of the data from it; a standard format only rewrites the file system structures, leaving the underlying data blocks in place until they are overwritten.

Email can be recovered from Outlook Express and Outlook PSTs. PST passwords are easily bypassed with EnCase. Deleted emails are also easily recovered.

Full Unicode support allows display of foreign language characters such as Cyrillic, Chinese and Arabic in both the body of the file and the filename. It has been a common trick of some criminals to put filenames in foreign letters. EnCase doesn't actually translate the document for you, it just displays the characters.

MD5 hashing is used to create "Hash Sets". MD5 is a formula that reads through a file and then spits out a 128-bit number. The chances of two different files having the same 128-bit number by accident are very remote, and you can think of it as a digital fingerprint for a file. Why is this important? MD5 hashing speeds up file comparisons, as just the 128-bit number has to be compared rather than a two-gigabyte movie, for instance. A library of hashes can be made of known files, such as all the files from a corporate PC image. If the numbers don't match, then you know something has been changed, and any file whose hash is absent from the library is one that was not part of the image. The same hash, computed over the evidence file, also shows that the image has not been altered since it was acquired. One caveat a practitioner should keep in mind: it has since been shown that MD5 collisions can be constructed deliberately, so modern tools record a second digest such as SHA-256 alongside the MD5 value.
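To make the hash-set idea concrete, here is an added example (written for this page, not Guidance Software's or EnCase's code) that builds a hash library from a known-good tree, then classifies every file on an evidence tree as known, modified or unknown. The file names and contents are constructed sample data, and the chunked digest routine is the same one you would use to verify an acquired image before and after analysis. It records SHA-256 beside MD5, as discussed above.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for a file, hashing in chunks so a
    multi-gigabyte image never has to be loaded into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_hash_set(root):
    """Walk a known-good tree (for example a corporate PC image) and map
    each relative path to its digests. This is the 'hash set'."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digests(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_hash_set(evidence_root, hash_set):
    """Classify every file under the evidence tree:
    'known'    - path present in the hash set and both digests match
    'modified' - path present but the digests differ
    'unknown'  - path not in the hash set at all (worth a closer look)"""
    evidence_root = Path(evidence_root)
    report = {}
    for p in sorted(evidence_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(evidence_root).as_posix()
        digests = file_digests(p)
        if rel not in hash_set:
            report[rel] = "unknown"
        elif hash_set[rel] == digests:
            report[rel] = "known"
        else:
            report[rel] = "modified"
    return report


def write_tree(root, files):
    """Materialise a {relative_path: bytes} mapping on disk (test fixture)."""
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    # Constructed sample trees, not real system files: the 'gold' tree is
    # the corporate image, the 'evidence' tree is what came off the seized
    # drive. One file is untouched, one was edited, one was added.
    known_good = {
        "Windows/notepad.exe": b"MZ\x90\x00 constructed known binary",
        "Documents/readme.txt": b"hello",
    }
    evidence = {
        "Windows/notepad.exe": b"MZ\x90\x00 constructed known binary",
        "Documents/readme.txt": b"hello world",
        "Temp/tool.exe": b"MZ!! constructed unknown binary",
    }
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as ev:
        write_tree(gold, known_good)
        write_tree(ev, evidence)
        hash_set = build_hash_set(gold)
        return compare_to_hash_set(ev, hash_set)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:9s} {rel}")
```

Because the comparison is keyed on the digest pair rather than file contents, the same library can be reused across every case that involves the same build image, and only the "modified" and "unknown" entries need an investigator's attention.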
