Why Use Commercial Forensic Software?

06:00 - Thursday 22 July 2004 by Humphrey Cheung
Source: Tom's Hardware


There are open source tools that will help you do forensic analysis. Two of the better known bootable CDs are Knoppix-STD and the Penguin Sleuth Kit. Why would someone use EnCase, which costs a few thousand dollars, when freely available software exists? Millions or possibly billions of dollars are at stake in higher profile cases such as Enron, and attorneys usually demand that a standard, independently recognized software suite be used in all phases of evidence collection, analysis and reporting.

Everyone is concerned about saving money, which may make buying EnCase look like a backwards decision. It is actually the right one when you consider that a unified, graphical suite saves the investigator time in resolving cases. Courts and investigators are overloaded with cases, and having the right tools allows them to clear the backlog.

Are There Countermeasures?

Are there ways that criminals can fool forensic software? Other than physically destroying all the hard drives, CDs and floppies, there appears to be very little they can do. Note that we said destroy: simply hitting a hard drive with a hammer or throwing it into a fire may not be enough, because data on platters that survive intact can still be recovered. In many cases, you would have to burn the item to ash.

One way that criminals try to make an investigation more difficult is by changing file extensions. Word documents end in .DOC, and a criminal may rename one to something else, hoping it will escape detection. We were shown how EnCase thwarts this deception by ignoring the extension and reading the file signature (the characteristic bytes at the start of the file) to determine its true type. So even if a .JPG file has been renamed to .ABC, EnCase will still recognise it as an image and display it.
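The signature check described above, as an added example that is not part of the article and not EnCase's own code. The signature table is a small hand-picked subset (an assumption for illustration; real tools carry thousands of entries), and the sample files are constructed in a temporary directory so the script runs offline:

```python
"""Identify files by their leading bytes instead of trusting the extension.

Added example, not code from the article or from EnCase. SIGNATURES is a
deliberately small subset of well-known magic values.
"""
import os
import tempfile

# (type name, offset, magic bytes, extensions that legitimately carry it)
SIGNATURES = [
    ("JPEG image", 0, b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    ("PNG image", 0, b"\x89PNG\r\n\x1a\n", {"png"}),
    ("GIF image", 0, b"GIF8", {"gif"}),
    ("PDF document", 0, b"%PDF-", {"pdf"}),
    ("ZIP archive", 0, b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    ("OLE2 compound document", 0, b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
     {"doc", "xls", "ppt", "msg"}),
    ("Windows PE executable", 0, b"MZ", {"exe", "dll", "sys", "scr"}),
]

# Longest header we ever need to read to test every signature.
MAX_HEADER = max(off + len(magic) for _, off, magic, _ in SIGNATURES)


def identify(header: bytes):
    """Return (type name, accepted extensions) for the first matching
    signature, or None if the leading bytes match nothing in the table."""
    for name, offset, magic, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name, exts
    return None


def check_file(path: str) -> dict:
    """Compare what the extension claims with what the bytes say."""
    with open(path, "rb") as f:
        header = f.read(MAX_HEADER)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    match = identify(header)
    if match is None:
        # Unknown content is reported, but it is not an extension mismatch.
        return {"name": os.path.basename(path), "extension": ext,
                "type": "unknown", "mismatch": False}
    type_name, exts = match
    return {"name": os.path.basename(path), "extension": ext,
            "type": type_name, "mismatch": ext not in exts}


def demo() -> list:
    """Constructed samples: a genuine .jpg, a JPEG renamed to .abc, a plain
    text file, and a ZIP container mislabelled as a .doc."""
    samples = {
        "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
        "secret.abc": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,   # renamed JPEG
        "notes.txt": b"just text\n",
        "report.doc": b"PK\x03\x04" + b"\x00" * 16,        # really a ZIP
    }
    results = []
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            results.append(check_file(path))
    return results


if __name__ == "__main__":
    for r in demo():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:12} .{r['extension']:<5} {r['type']:25} {flag}")
```

A few bytes of header are only a first pass: a suspect can prepend a valid JPEG header to an arbitrary blob, so a full tool goes on to parse the structure it thinks it has found and flags files that do not decode cleanly.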

Does encryption make things difficult for forensic software? It depends on the scheme used to encrypt the files. Windows EFS (Encrypting File System) is handled routinely by EnCase: the per-file keys are protected by the user's logon credentials, so once the password or a recovery agent's key is recovered the files can be decrypted, even though the cipher itself is never broken. Steganographic hiding of data (concealing data inside pictures or music files) is countered by using MD5 hash sets: a stock image that has had data embedded in it no longer matches the hash of its known original, which flags it for closer inspection. This only works for carrier files whose originals are in the hash set.
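The hash-set comparison described above, as an added example that is not part of the article and not EnCase's own code. The "known" set, the stock image and the evidence files are all constructed in memory; the lsb_embed helper is a toy that flips the low bit of raw file bytes so that the altered copy keeps its size and header but changes its hash (real steganography works on decoded pixel data, so this is an assumption for illustration only). MD5 is used because that is what the article names; since MD5 collisions were demonstrated later in 2004, modern hash sets also carry SHA-1 or SHA-256.

```python
"""Hash-set comparison as a steganography check.

Added example, not code from the article or from EnCase. The known hash
set and the evidence files are constructed here; a real set has millions
of entries.
"""
import hashlib
import os


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_path(path: str, chunk: int = 1 << 20) -> str:
    """MD5 of a file on disk, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def lsb_embed(carrier: bytes, payload: bytes, start: int) -> bytes:
    """Toy steganography (assumption for the demo): write the payload bits,
    most significant first, into the least significant bit of successive
    carrier bytes from `start`. Size and header are unchanged; the hash is not."""
    out = bytearray(carrier)
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if start + len(bits) > len(out):
        raise ValueError("carrier too small for payload")
    for i, bit in enumerate(bits):
        out[start + i] = (out[start + i] & 0xFE) | bit
    return bytes(out)


def classify(name: str, data: bytes, known_by_hash: dict, known_names: set) -> str:
    """Three outcomes: eliminate exact matches, flag altered copies of files
    whose original is in the set, and leave everything else for review."""
    if md5_hex(data) in known_by_hash:
        return "known-good (eliminated)"
    if os.path.basename(name) in known_names:
        return "modified copy of known file (possible steganography)"
    return "unknown (needs review)"


def demo() -> dict:
    # Constructed "stock" image standing in for a picture shipped with an OS.
    stock = {"sunset.jpg": b"\xFF\xD8\xFF\xE0" + bytes(range(256))}
    known_by_hash = {md5_hex(d): n for n, d in stock.items()}
    known_names = set(stock)

    altered = lsb_embed(stock["sunset.jpg"], b"meet at 9", start=4)
    # Constructed evidence: untouched stock copy, altered copy, suspect's own photo.
    evidence = {
        "Pictures/sunset.jpg": stock["sunset.jpg"],
        "Pictures/old/sunset.jpg": altered,
        "Pictures/me.jpg": b"\xFF\xD8\xFF\xE1" + bytes(range(100, 200)),
    }
    return {n: classify(n, d, known_by_hash, known_names) for n, d in evidence.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The third outcome is the limitation worth remembering: a photo the suspect took himself has no reference hash, so embedding data in it is invisible to this check and has to be caught by other means.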

"Scrubbers" are programs that claim to wipe files completely from the hard drive. Do they actually work against EnCase? In an upcoming article, we will find out. Ironically, the act of trying to erase files in order to fool the investigator often makes the investigation easier: the more effort spent hiding data, the more traces of that effort are left behind for the investigator to find. In Mr. Colbert's words, "It is the investigator's dream when someone tries to hide their tracks."
