WIXLIB

Guidance Software Encasev7.10Only on Encase Evaluation ComputerData GenerationIn order to make the project more fun and engaging, we structured our data generation around thewell-known Casey Anthony trial. We spent a few weeks researching the case and coming up withscenarios we believed would have been on the suspect’s, Casey Anthony, computer. By doing this wecreated specific data sets that actual digital forensic investigators may have been looking for at the timeof the investigation and trial.When we initially began writing our data generation list we encountered an issue with browsingdata affecting search results. When using a specific search engine, such as google, it usuallymonitors your previous searches (i.e. through browser cookies) and learns from that to assist theuser in getting search results he/she might be looking for. Because we were researching on ourResearch systems (each member on their own Research system), all members of the project werereceiving different search results based on what their search history or browser cookies lookedlike. We wanted identical data from multiple web browsers to simulate normal computer usage.Since we would be doing this on a fresh image (no previous activity recorded on the drive) weknew the results would differ when conducting data generation. Because of this, we made oursearches less specific and generic. This allowed each search engine on each web browser toproduce three identical search results which we used for data generation.Once our data generation sheet was complete, we began creating data generation. The actual datageneration took one hour and thirty one minutes to complete. Data generation occurred on itsown computer identical to the computers we performed examination tool evaluations on. SeeAppendix 1 for our completed data generation list and results.AnalysisFor this project, we wanted to compare the newest versions of Access Data’s Forensic Toolkit(FTK), Guidance Software’s EnCase Forensic, and Magnet’s Internet Evidence Finder (IEF).Upon the completion of data generation, each team imaged the hard drive using their perspectiveimagers. When imaging the hard drive, each team used a write blocker to disable writepermissions on the hard drive to prevent destruction, alteration, or contamination of data duringthe acquisition of a hard drive.Once each tool successfully created an image of the hard drive, we proceeded in processing theimage on our respective forensic examination tool to examine the data and begin specific featuretrials.One of the main components of our project was to compare the newest version of each tool’scorresponding imager; Forensic Toolkit (FTK) Imager, EnCase Forensics’ built-in imager, andMagnet’s new imager ACQUIRE, as well as each examination tool’s performance in specificfeatures. We compared the time it took for each imaging tool to create the image of our hardForensic Tool ComparisonPage 6 of 34

drive from data generation. When analyzing these times we also took note of the file size andtype of each image. After analyzing each tools imager performance, we compared each toolsperformance in processing their images into their examination tools (FTK, EnCase Forensic, andIEF).After analyzing each imaging tool’s performance in imaging and each examination tool’sperformance in processing the created image, we proceeded to comparing several differentfeatures for each of these tools, including time and results from various keyword searches, timeand results from exporting different file extensions and directories, the number of popular fileextensions each tool could find, and lastly, each tool’s ability to create an accurate timeline ofevents. The keyword searches we performed included: “chloroform“bury” “ducttape”“c” “duct tape”“zxcvbnm,./”We chose these keywords based on data we knew would be on the image from our datageneration. We included “c” and “zxcvbnm,./” as baseline searches. “c" should create a largeamount of hits in a search and “zxcvbnm,./” should return almost no hits.For the exportation of file extensions and directories part of the project, we compared each tool’sability to export a .pdf, .jpg, .mp3, and the Windows Downloads folder. We chose these fileextensions and the Downloads folder for two reasons. First, .pdf, .jpg, and .mp3 are all popularextensions and every popular operating system has a Downloads folder where it stores itemsdownloaded from the internet in that specific directory. Second, we knew there would be fileswith these extensions based on the files we created during data generation. When performingexportation of file extensions, we also noted how long it took each tool to export specific fileswhich can be seen in Table 11: Exporting results.When determining the number of popular files each tool could find, we found that each tool hada different process for identifying the number of popular file types. This will be elaborated in ourResults Section.Lastly, we examined each tools timeline analysis feature and then compared the number ofartifacts each timeline found in its report and determined whether or not the timeline wasaccurate according to our data generation.Forensic Tool ComparisonPage 7 of 34

ResultsImaging Time ResultsBelow, in Table 3, are the results of our imaging process. We compared how long it took foreach tool to image our data generation hard drive with their respective imager. Below is alsoinformation specific to each tools performance during the imaging process.Table 3: Imaging Time ResultsProgramImaging TimeSize of imageFormat of ImageEnCaseForensic Toolkit ImagerMagnet ACQUIRE0H 55M 00S0H 39M 38S0H 44M 00S74.4GB76.3GB74.5GBE01E01RAWProcessing Time ResultsOnce each tool imaged the data generation hard drive, each team then proceeded to processingtheir image into their respective forensic examination tool. Each team then recorded the amountof time it took to process the image into their tool. You can see these results below in Table 4:Processing Time Results. The detailed results of this process can be found in each tool’s sectionbelow Table 4.Table 4: Processing Time ResultsProgramEnCaseForensic ToolkitInternet Evidence FinderProcessing Time0H 0M 14S0H 22M 22S0H 43M 00SEnCase Forensic ImagerUnlike the other tools showcased in this report, EnCase Forensic has an imager built into thetool. Since the imager and the examination tool are in the same program, EnCase allowsinvestigators to do a live preview of the evidence while it creates the image and processes it. Weused a write blocker to ensure the data on our data generation hard drive did not get corrupted.As you can see from Table 3 and Table 4, EnCase took the longest to image the drive, but hadthe shortest processing time. This is most likely since the software is imaging while you arepreviewing the evidence. This would slow the software down while imaging, but it would takevirtually no time to process the data. EnCase had the smallest file size, however, all of the filesizes were relatively close.Forensic Tool ComparisonPage 8 of 34

Forensic Toolkit Imager (FTK Imager)FTK Imager’s user friendly GUI (Graphical User Interface) allowed us to begin imaging of thehard drive in the matter of minutes and allowed us to actually preview files before and duringimaging of the hard drive. Although AccessData does state that FTK Imager can create perfectforensic copies of computer data without making any changes to the original evidence, wedecided to still use a write blocker to ensure that nothing within the hard drive was destroyed,altered, or contaminated during the acquisition of the hard drive. As you can see on Table 3:Imaging Time Results, FTK Imager was the fastest imaging tool with 39 minutes and 38 secondsfor an EnCase (.E01) Image. Although FTK allows for the creation of multiple image formats,we decided to create an .E01 due to it being the most common image format used by DigitalForensic Investigators.Magnet ACQUIREWe initially ran into a problem when testing out the imaging capabilities of Magnet ACQUIRE.We received the error message half way through the imagine process which would make theprogram crash and terminate the rest of the imaging process, yielding no results. After emailingMagnet Support, we discovered that error was from Magnet ACQUIRE attempting to validatethe available free space from the location that would be populated in the “Folder Destination”field. We had to edit the user.config xml file to repair this problem by inserting new lines of codeinto the file so that ACQUIRE would be able to save the image. After getting the fix, saving the.xml file and relaunching Magnet ACQUIRE, we were able to successfully complete the imagingprocess and produce results without a problem.Figure 1: Magnet ACQUIRE error recovery halfway through imaging processForensic Tool ComparisonPage 9 of 34

Keyword Search ResultsAfter processing each tool was complete, we proceeded to conduct keyword searches in eachtool. A keyword search is a common technique used in computer forensics and electronicdiscovery which is usually performed to find and identify specific instances on a computer orother media using a given word or phrase even if the event occurs in unallocated space or indeleted files. Keyword searches can be very beneficial for a forensics investigator to use becauseit allows them to search through files and/or folders for specific terms or phrases without havingto physically parse through all the data individually. For this project, we compared how long ittook for each tool to perform each keyword search as well as the results of each keyword search.Below on Page, in Table 5 through Table 10, are our results for the keyword searches weconducted as well as information specific to each tools performance in keyword searching.Table 5: Keyword search for “chloroform”Keyword Search“chloroform”Number of hitsTime ElapsedEnCaseFTKMagnet IEFLogical: 2,617Indexed: 4,374Logical: 0H 14M 14SIndexed: 0H 0M 0.1S2,4347710H 0M 0.3S0H 0M 48SEnCaseFTKMagnet IEFLogical: 421Indexed: 70Logical: 0H 13M015SIndexed: 0H 0M 0.1S59260H 00M 01S0H 00M 45SEnCaseFTKMagnet IEFLogical: 543Indexed: N/ALogical: 0H 13M 14SIndexed: N/A2,076840H 00M 02S0H 00M 45STable 6: Keyword search for “ducttape”Keyword Search“ducttape”Number of hitsTime ElapsedTable 7: Keyword search for “duct tape”Keyword Search“duct tape”Number of hitsTime ElapsedForensic Tool ComparisonPage 10 of 34

Table 8: Keyword search for “bury”Keyword Search “bury”EnCaseFTKMagnet IEFNumber of hitsLogical: 217Indexed: 9Logical: 0H 13M 00SIndexed: 0H 0M 0.1S8110H 00M 02S0H 00M 45SEnCaseLogical: 125,985,968Indexed: 3,463,989Logical: 1H 00M 20SIndexed: 0H 0M 0.1SFTK1,947,069Magnet IEF38,5640H 01M 06S0H 3M 37SEnCaseFTKMagnet IEFLogical: 9Indexed: N/ALogical: 0H 13M 10SIndexed: N/A2810H 00M 01S0H 1M 10STime ElapsedTable 9: Keyword search for “c”Keyword Search “c”Number of hitsTime ElapsedTable 10: Keyword search for “zxcvbnm,./”Keyword Search“zxcvbnm,./”Number of hitsTime ElapsedEnCase ForensicOur initial research indicated EnCase has the ability to perform two different types of keywordsearches: logical and index. Logical searches look at all logical data of a file regardless of anyphysical characteristic of how it is stored. This means that when you conduct a logical searchevery hit is counted. In EnCase, a logical search is called a “raw search.” For example, a “rawsearch” for the expression “bury” would produce 65 items, or the number of files which containany number of hits for the expression “bury”, but it finds 217 hits, or the number instances theexpression “bury” is found in the 65 items. You can see inTable 8 above that EnCase found 217 hits in the logical search (Widup). The screenshot inFigure 2: Raw Search Results in EnCase v.7 on the next page is from EnCase and shows thisinstance:Forensic Tool ComparisonPage 11 of 34

Figure 2: Raw Search Results in EnCase v.7However, an index search looks at the index table created when the hard drive was imaged andprocessed. It looks for exact matches of the search expression. Therefore, it producessignificantly less results than a “raw search” and is much faster, since the information is alreadyorganized. The screenshot below shows an example of the results from the index search for“bury.” The index table has multiple instances of expressions that meet the search criteria. Theuser can than determine which result they would like to examine further. For our project, weused the first result since it was an exact match to our search expression. The screenshot inFigure 3 shows our index search results:Figure 3: Index Search Results in EnCase v.7For this project, we initially did logical searches. Our research on how to perform keywordsearches in EnCase indicated this was the best type of keyword search to perform. However,EnCase produced significantly more results than the other tools and took a much longer amountof time to complete. After some more research, we found that the other two tools performedindex searches. In order to get results more in-line with the other tools, we started to run indexsearches on EnCase.Due to issues with GREP and string search methods on EnCase, we could not get accurate resultswith the “duct tape” keyword search and the “zxcvbnm,./” keyword search. We tried variousmethods to get results including using various GREP characteristics such as; putting the phrasein quotations, parentheses, adding a period, putting an “and” in between the words, and lastlyputting in the phrase “within two” of tape (duct w/2 tape). Each time the results varied and wereForensic Tool ComparisonPage 12 of 34

nowhere near the results from other tools. Our conclusion as to why the index searches behavedthis way for “duct tape” and “zxcvbnm,./” was that it was due to the way EnCase mounts thefiles during the initial imaging of the drive. Due to these issues, we did not include index resultsfor the searches in Table 7: Keyword search for “duct tape” and Table 10: Keyword search for“zxcvbnm,./” since we could not get conclusive results. We believe this problem can be solved infuture updates of the software.Forensic Toolkit (FTK)FTK creates an index of all the data during processing which means that it creates a table of datathat it can reference back to when necessary. This made it the second fastest in processing with22 minutes and 22 seconds. Although FTK does allow for the option to perform a live search,similar to EnCase’s logical search, we decided to perform an index search due to the fact that itwould bring faster results by allowing FTK to refer to a data table during searches instead ofrunning over the data which would have created more but unnecessary hits. This is due to thefact that if it parsed through all the data, it would have definitely referred to the same file morethan once and taken a bit longer to complete. FTK conducts indexed-based searching byincorporating indexed search capabilities provided by dtSearch’s dtSearch Text Index. dtSearchis a third party software vendor that specializes on text retrieval software. FTK yielded the fastestsearch speeds during all of the keyword searches and yielded similar results to EnCase. All of thefiles that were created during data generation process were found counting files that were deletedFigure 4: Index Search on FTK for the term “ducttape”Forensic Tool ComparisonPage 13 of 34

Magnet Internet Evidence Finder (IEF)Internet Evidence Finder yielded the lowest number of results in five out of six of the keywordsearches. This is because IEF performs a common, generalized search instead of focusing onevery detail. When doing searches in IEF, you aren’t searching the image, you are searching theresults that IEF has found from the image. It’s only looking for internet related artifacts. EnCaseand FTK on the other hand allow you to look at the entire image and will perform multiplesearches (EnCase can conduct a logical or physical keyword search and FTK can perform live,indexed, single term and multi terms searches) causing them to get more detailed results. Thesefactors explain why FTK and Encase yielded results similar to each other and IEF did not. This ismost likely why IEF had lower keyword search results yet found a higher number of total hits.Figure 5: Search results for “duct tape” in IEFForensic Tool ComparisonPage 14 of 34

Exporting ResultsOnce keyword searches were complete, we then proceeded to examine each tool’s exportationfeature. Exporting refers to the process of converting a file into a different desired format thatcan be opened and used on a different application. During a forensics investigation, aninvestigator might need to export a file or folder to evaluate on a different tool or to use forevidence presentation of a case. For this project, we compared each tools speed on exportingspecific documents and directories onto our systems desktop. Below, in Table 11: Exportingresults, are our results for the time it took to export specific files and the Downloads folder aswell as information specific to each tools performance in exportation of files and folders.Table 11: Exporting resultsTime to ExportFilesGalaxy.pdfDucttape1.jpgMP3 file1.mp3Downloads folderEnCaseFTKMagnet IEF0H 0M 1S0H 0M1.46S0H 0M1.46S0H 0M5.91S0H 0M 03S0H 0M 06S0H 0M 02S0H 0M 01S0H 0M 04SN/A (Doesn’t look for MP3files)N/A (Can’t see file structure)0H 0M5.30SEnCase ForensicEnCase provided the fastest exporting times. One of the features of EnCase is the ability toexport virt

Forensic Toolkit (FTK) - is a forensic tool made by AccessData. FTK allows users to acquire, process, and verify evidence. FTK supports Raw (DD) .001, SMART .S01, Expert Witness/EnCase .E01 and Advanced Forensic Format .AFF imaging formats. FTK Imager - is a free extension of FTK. This is a powerful imaging and data preview tool that