Thursday 24 September 2009

FORENSIC TOOL: ENCASE OR FTK

Table of Contents
1.1 Introduction
1.2 Methodology
1.3 Phases of Computer Forensic Investigation
1.4 EnCase 6.11.2- Forensic Edition
1.4.1 EnCase Overview
1.4.2 Features of EnCase
1.4.3 Using EnCase
a) Collection
b) Preservation
- Creating/Opening a Case
- Adding Device or a Raw Image to Case
c) Filtering and Searching (Analysing Evidence); Hashing, Searching and using Filters
d) Reporting
1.4.4 Summary: EnCase
1.5 Forensic Toolkit 1.81.0 - FTK
1.5.1 FTK Overview
1.5.2 Features of FTK
1.5.3 Using FTK
a) Collection
b) Preservation
- Creating/Opening a Case
- Adding Device or a Raw Image to Case
c) Filtering and Searching (Analysing Evidence)
- File Handling
- Searching for Files and Folders
- Carving
d) Reporting
1.5.4 Summary: FTK
1.6 EnCase and FTK Updates
1.7 Comparison of EnCase and FTK
1.8 Conclusion
1.9 References
1.10 Bibliography



1.1 Introduction
This report has been compiled to critically compare and evaluate two popular computer forensic tools, EnCase and Forensic Toolkit (FTK), based on the four distinct phases of a computer forensic investigation.

A detailed background of EnCase, FTK and their features will be given. The two forensic tools will then be discussed and compared thoroughly according to the features that are used during a computer forensic investigation.

The report will be valuable in learning how to use the two forensic tools and their features, and in analysing the techniques used to gather, search, raid and inspect digital evidence.

1.2 Methodology
The research methods used for this report include both primary and secondary research methods:
• Primary research includes screenshots of the tools.
• Secondary research comprises websites, online magazines, journals and polls on forums.
The assignment will be approached logically: detailing the phases of a computer forensic investigation, a brief overview of EnCase and FTK, how to use the two tools (including their features), and finally the comparison and evaluation of the two forensic tools.


1.3 Phases of Computer Forensic Investigation
Forensic Computing is the “process of collecting, identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable” (McKemmish, 1999).

The distinct phases of a computer forensic investigation comprise:
1. Collection – Collection of evidence from the crime scene. The evidence includes hard disks, laptops, books, flash drives and other accessories.

2. Preservation – Preservation of the evidence related to the crime scene. This phase includes imaging of hard disks (or other media), labelling the gathered evidence, and then securely storing the evidence in a well protected (safe and secure) environment.

3. Filtering – Also called “Analysing”. It is the process in which the evidence (data) is filtered so that only the evidence (data) related to the crime is analysed; the rest of the data is not considered for further investigation.

4. Presenting – This process starts at the beginning of the crime scene and is the most crucial, as every step undertaken by the investigator has to be recorded for verification purposes. It is the phase that prevents the integrity of the investigation from being questioned in a court of law.

1.4 EnCase 6.11.2 - Forensic Edition

1.4.1 EnCase Overview
EnCase Forensic is a very popular software package and is widely accepted in courts of law for forensic investigation. EnCase is bundled with numerous features which aid in all four phases of a forensic investigation.

1.4.2 Features of EnCase
In the following table, EnCase features and supported operating systems are illustrated:
EnCase 6.11.2 – Forensic Edition (Law Enforcement)

• Operating Systems Supported – Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit, AIX, OSX
• File Systems Supported – FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS, jfs), LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2. Now supports the Novell file system.
• File Types Supported – Over 400 different file formats with Stellent's Outside In Viewer Technology. Now supports Microsoft Office 2007 documents and the mbox format, which is quite common among mail user agents.
• Image Formats – VMware, dd, and Safeback v2 image formats; also supports CD/DVD. Now supports the LinEn utility for Linux systems.
• RAID – Supports imaging and analysis of RAID sets.
• Dynamic Disk Configurations – Supports Spanned, Mirrored, Striped, RAID 5, and Basic.
• Search and Analysis – Text extraction, global keyword searches, hash analysis, file signature analysis, file-specific filters and multiple filters to quickly analyse target media.
• Hashing – Message Digest 5 (MD5)
• Internet and Email Support – Email (Hotmail, Outlook, Lotus Notes, Yahoo, AOL, Netscape, mbox and Outlook Express) and browsers (Internet Explorer, Mozilla, Opera and Safari).
• Gallery View – Displays images of BMPs, JPGs, GIFs, & TIFFs.
• Timeline View – Displays a calendar-style graphic of all file activity and file attributes such as files created, last written or accessed. It scales from days to years, serving as a valuable tool for looking at patterns of file activity.
• Report View – Reports can be generated on any file, folder, volume, physical disk or the entire case. Supports reports in RTF or HTML format.
(Guidance Software, 2008)

According to Guidance Software (2008), EnCase also supports features such as:
• EnCase Encrypting File System (EFS) Module – for file encryption and decryption.
• EnCase Virtual File System (VFS) Module – mounts computer evidence as a read-only, off-line network drive, which allows further examination of the evidence using Windows Explorer and third-party tools.
• Network Authentication Server (NAS) Module – provides complete flexibility in EnCase software licensing. NAS enables EnCase software licences to be used in three ways: locally on the examiner's computer, remotely with Terminal Services, and across the network using the License Manager.

1.4.3 Using EnCase
a) Collection - With EnCase, investigators can acquire (collect) data from various sources including hard disks, floppy disks, CD-ROMs, flash drives, digital cameras and other media.
b) Preservation - Guidance Software (2008) states that the image produced by EnCase is an exact binary duplicate of the data on the original media. EnCase verifies the image by generating Message Digest 5 (MD5) hash values of both the original media and the resulting image file (now an "evidence file"). Each block of 64 sectors in the evidence file is assigned a Cyclical Redundancy Checksum (CRC) value. These CRC values are checked each time the image (“an evidence file”) is accessed, so any change to the evidence file is detected and localised to the block in which it occurred.
- Creating/Opening a Case – To create a case in EnCase, the user clicks New at the top left of the screen, fills in the Name of Case and Examiner Name, and clicks Finish.
- Adding a Device or Raw Image to a Case – To add a device to a case, the user clicks File > Add Device > Select Device. To add a raw image, the user clicks File > Add Raw Image, then either drags and drops from the image location (Step 1) or right-clicks, clicks Insert (Step 2) and selects the location of the image.
After this step, in order to acquire the image, the user right-clicks on the media that was added, clicks Acquire, then follows the instructions and fills in the specified fields (see circles and arrows in the figure below); the image acquired is an exact binary duplicate of the data on the original media.
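The MD5-plus-CRC verification described above, as an added example that is not part of the original report or of EnCase itself: it records an MD5 (and, as FTK does, a SHA-1) over the whole image and a CRC32 for every 64-sector block, then shows how re-verification not only detects a changed evidence file but pinpoints the block that changed. The 512-byte sector size, the use of CRC32 and the constructed media are assumptions.

```python
import hashlib
import zlib

SECTOR = 512            # assumed sector size
BLOCK_SECTORS = 64      # one CRC per 64-sector block, as in an EnCase evidence file
BLOCK = SECTOR * BLOCK_SECTORS


def acquire(media: bytes) -> dict:
    """Stand-in for acquisition: keep a copy of the media, an MD5 and SHA-1
    over the whole image, and a CRC32 for every 64-sector block."""
    crcs = [zlib.crc32(media[i:i + BLOCK]) & 0xFFFFFFFF
            for i in range(0, len(media), BLOCK)]
    return {
        "data": bytes(media),
        "md5": hashlib.md5(media).hexdigest(),
        "sha1": hashlib.sha1(media).hexdigest(),
        "crcs": crcs,
    }


def verify(evidence: dict) -> tuple:
    """Re-check the evidence file the way it is checked on every access.
    Returns (hashes_ok, [indexes of 64-sector blocks whose CRC no longer matches])."""
    data = evidence["data"]
    hashes_ok = (hashlib.md5(data).hexdigest() == evidence["md5"]
                 and hashlib.sha1(data).hexdigest() == evidence["sha1"])
    bad_blocks = [n for n, i in enumerate(range(0, len(data), BLOCK))
                  if (zlib.crc32(data[i:i + BLOCK]) & 0xFFFFFFFF) != evidence["crcs"][n]]
    return hashes_ok, bad_blocks


def demo() -> tuple:
    """Constructed 200-sector drive: a clean verification, then one flipped byte
    in sector 130, which the block CRCs localise to block 2 (sectors 128-191)."""
    media = bytes(range(256)) * (200 * SECTOR // 256)
    evidence = acquire(media)
    assert verify(evidence) == (True, [])
    tampered = bytearray(evidence["data"])
    tampered[130 * SECTOR + 7] ^= 0xFF      # simulate bit rot or tampering
    return verify(dict(evidence, data=bytes(tampered)))


if __name__ == "__main__":
    print(demo())   # (False, [2])
```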

c) Filtering and Searching
This phase includes locating, hashing, analysing and recovering files and folders. The search engine of EnCase v6.7 is faster and more efficient than in older versions.
EnCase supports EnScript analysis, signature analysis, hashing (MD5), keyword searches, indexing, searching for all email types, application descriptors, bookmarking items, verifying evidence files and wiping drives. A diagram has been provided to illustrate the different ways of viewing files in EnCase.

- Hashing, Searching and using filters
• EnCase uses MD5 hashing to verify the evidence file against the original.
• EnCase v5 features two dialogues for searching: one for keyword searching and signature/hash analysis, and one for e-mail and Internet history/cache data. EnCase v6 features a single dialogue box for searching.
• EnCase uses filters which allow the examiner to quickly sort relevant evidence files.


d) Reporting
• EnCase supports reports in HTML and RTF format.
• Reports can be generated automatically as well as manually.



1.4.4 Summary: EnCase
EnCase supports:
• Almost all operating systems (including Microsoft Vista) and file systems (including Ext2/3 and Novell).
• The most popular image formats for imaging purposes.
• Imaging and analysis of RAID sets.
• Over 400 different file formats with Stellent's Outside In Viewer Technology.
• Integrated Timeline View – displays a calendar-style graphic of all file activity and file attributes such as created, last written or accessed.
• Reports in RTF and HTML format.

1.5 Forensic Toolkit 1.81.0 – FTK

1.5.1 FTK Overview
The Forensic Toolkit is another very powerful tool used by a good number of forensic investigators. It comes with essential features including powerful file filtering, full text indexing, advanced searching, deleted file recovery, data carving, email and graphics analysis, hashing and many more. A package of FTK includes FTK Imager, a Hash Library (Known File Filter, KFF) and Registry Viewer; it may also include the Password Recovery Toolkit (PRTK).

1.5.2 Features of FTK
In the following table, FTK features and supported operating systems are illustrated (AccessData, 2008):

FTK v1.81.0

• Operating Systems Supported – Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit, AIX, OSX
• File Systems Supported – FAT 12/16/32, NTFS and EXT2/3
• File Types Supported – Over 270 different file formats with Stellent's Outside In Viewer Technology
• Hard Disk Image Formats Supported – EnCase, SnapBack, Safeback 2.0 and under, Expert Witness, Linux DD, ICS, Ghost (forensic images only) and SMART
• CD and DVD Image Formats – Alcohol (*.mds), CloneCD (*.ccd), ISO IsoBuster, CUE, Nero (*.nrg), Pinnacle (*.pdi), PlexTools (*.pxi), Roxio (*.cif), Virtual CD (*.vc4)
• Searching – Live and Indexed Search supported. Uses dtSearch as the index search engine, which offers two types of search: natural language and Boolean.
• Hashing – Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1)
• Email Support – Outlook, Outlook Express, AOL, Netscape, Yahoo, Earthlink, Eudora, Hotmail, and MSN
• Zip File Support – PKZIP, WinZip, WinRAR, GZIP, and TAR
• Graphics Tab – Displays most image formats
• Reporting – HTML format only.

1.5.3 Using FTK
a) Collection - With FTK, investigators can acquire (collect) data from various sources including hard disks, floppy disks, flash drives, digital cameras and other media, and almost all CD/DVD image formats.
b) Preservation – FTK creates a replica of the original media and uses MD5 and SHA-1 hashing to verify the image against the original media.
- Creating/Opening a Case – When FTK is started, a screen appears with a dialogue box asking whether to create or open a case. Click “Create a Case” and follow the figure given below.

- Adding a Device or Raw Image to a Case –
To add a device or image to a case, the user should follow figure 2.0 below. To add another type of evidence (in place of a raw image), choose any option from Step 7 and follow the instructions.

c) Filtering and Searching (Analysing Evidence)
- File Handling: FTK displays files in a professional and user friendly manner. An investigator can navigate through files by switching between the tabs provided – Overview (which gives details of Evidence Items, File Status and Category), Explore, Graphics, E-Mail, Search and Bookmark. With FTK, files can be viewed in a number of ways including hex, decimal and picture view, as shown in the figure below.
- Searching for Files and Folders
• FTK uses the dtSearch engine for powerful search results.
• It also features Indexed Search as well as Live Search, as shown below.

- Carving
Recovering files in FTK is also very simple: the user clicks Tools > Data Carving and follows the figure below to recover the different types of files supported by FTK.




d) Reporting
FTK offers a reporting wizard to generate a report in HTML format. The report includes Case Information, File Overview, Evidence List and Case Log.

A diagram has been provided below to demonstrate the reporting feature of FTK. (See Appendix (i) for a sample report of FTK)

1.5.4 Summary of FTK
• Data Duplication (2008) states that FTK is the most user friendly forensic tool on the market.
• Supports numerous image formats.
• Uses the dtSearch engine for searching and has excellent features such as Live and Indexed Search.
• Supports SHA-1 as well as MD5 hashing.
• Reports are in HTML format.
• The old version (FTK 1.7) is half the price of EnCase 6.
• Overall, FTK is a very good tool for its features and price.

1.6 EnCase and FTK updates
Updates to EnCase (from v5 to v6.11) and to FTK (from v1.7 to v1.8 and v2.0):
• EnCase 6.6 now supports Microsoft Office 2007 documents and mbox formats
• Registry Viewer for Microsoft Vista updated
• $EFS stream has been added internally to resolve the issue of LEF EFS Encryption Enhancement
• FTK 2.0 is based on an integrated Oracle database
• EnCase now supports 64-bit versions of Windows XP, 2003, and Vista operating systems
• True multi-core processor support
• Support for IPv6 and CIDR notation
• Now provides hard drive serial number
(Schuster, A. 2007)


1.7 Comparison of EnCase and FTK
The two forensic tools, EnCase and FTK, have been compared (see Appendix (ii) for full comparison details) based on the following criteria:
  • GUI - FTK has been rated the most user friendly forensic tool.
  • VIEW PANES (TABLE PANE) - EnCase supports a Timeline view of files which is not supported by FTK.
  • IMAGING OF DEVICES - FTK supports more image formats than EnCase. But EnCase has its own image format while FTK does not. FTK cannot handle compressed drives like DoubleSpace.
  • FILE SYSTEMS SUPPORTED – EnCase supports more file systems than FTK.
  • SEARCHING - FTK search takes longer, but has good features such as Live and Indexed Search. EnCase uses its own search engine.
  • RAID - EnCase supports several Dynamic Disk Configurations as compared to FTK.
  • HASHING - FTK supports SHA-1 hashing, which is not supported by EnCase.
  • DELETED FILES, BAD SIGNATURE – FTK has a very good feature which highlights a file whose signature is bad (the file header does not match its extension); it also shows a symbol (x) next to a file which is deleted. EnCase does not highlight a file with a bad signature, it just displays it.
  • CARVING - FTK cannot recover deleted files and filenames on Ext2/3 file systems, which are supported by EnCase.
  • SCRIPTING - EnCase uses its own script language, EnScript, whereas FTK does not support scripting.
  • REPORTING - FTK includes a Report Wizard to create a report. EnCase reports are automatic and support RTF format, which is not supported by FTK.
  • HELP OR USER MANUAL - FTK has a very good help feature and includes a user manual. EnCase has a very descriptive user manual.
  • PRICE - Both have almost the same price (the updated versions). Of the older versions of these tools, FTK 1.7 is less than half the price of EnCase 4. (SC Magazine, 2007)
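File signature analysis and header/footer carving from the comparison above, as an added example that is not part of the original report or of either tool: a small signature table flags a file whose extension disagrees with its header (the "bad signature" case) and carves complete files out of a constructed blob standing in for unallocated space, skipping a truncated file that has no footer. The signature table, filenames and blob are assumptions; real tools validate a file's internal structure rather than stopping at the first footer.

```python
# Constructed signature table: type -> (header magic, footer magic).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
ALIASES = {"jpeg": "jpg"}   # extensions that name the same type


def signature_check(filename: str, data: bytes) -> str:
    """File signature analysis: 'match' when the extension agrees with the
    header, 'bad signature' when it does not, 'unknown' for headers not in the table."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = ALIASES.get(ext, ext)
    found = next((t for t, (hdr, _) in SIGNATURES.items() if data.startswith(hdr)), None)
    if found is None:
        return "unknown"
    return "match" if found == ext else "bad signature"


def carve(raw: bytes) -> list:
    """Header/footer carving over a raw blob such as unallocated space.
    Returns (type, start offset, carved bytes) for every header that has a
    later footer; a header without a footer (truncated file) is skipped."""
    hits = []
    for ftype, (hdr, ftr) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(hdr, pos)) != -1:
            end = raw.find(ftr, start + len(hdr))
            if end == -1:
                break                       # no footer: nothing complete to carve
            end += len(ftr)
            hits.append((ftype, start, raw[start:end]))
            pos = end
    return sorted(hits, key=lambda h: h[1])


# Constructed sample files and a fake "unallocated space" blob holding them.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-data" * 3 + b"\xff\xd9"
PDF = b"%PDF-1.4 obj stream %%EOF"
PNG_TRUNCATED = b"\x89PNG\r\n\x1a\n" + b"IHDR..."        # no IEND footer
UNALLOCATED = b"\x00" * 40 + JPEG + b"\x00" * 16 + PDF + b"\xcc" * 8 + PNG_TRUNCATED


def demo() -> tuple:
    """Carve the blob and run signature checks on three constructed filenames."""
    carved = [(t, off, len(d)) for t, off, d in carve(UNALLOCATED)]
    checks = {
        "photo.jpg": signature_check("photo.jpg", JPEG),      # honest name
        "budget.txt": signature_check("budget.txt", JPEG),    # image renamed to hide it
        "readme.txt": signature_check("readme.txt", b"plain text"),
    }
    return carved, checks


if __name__ == "__main__":
    print(demo())
```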

1.8 CONCLUSION
Taking into account the features provided by the two tools, both are essential for a thorough and complete forensic investigation. As the two tools have some common and some unique features which aid in the investigation, it is suggested to use both for an investigation. In conclusion, if finances are not a primary concern, both EnCase and FTK are recommended.

  • If budget is a concern, Forensic Toolkit (v1.7) is economically sound compared to EnCase v6, which is almost double the price of FTK v1.7. FTK v1.7 provides almost all the features that facilitate the smooth running and completion of a forensic investigation.
  • If only one tool is to be chosen, EnCase leads FTK due to its advanced features (discussed in the main report), which give EnCase a competitive advantage over FTK or any other forensic tool on the market.


1.9 REFERENCES
• AccessData. 2008. FTK v1.81.0. Lindon: AccessData Corp.
• Data Duplication. 2008. [WWW] http://www.dataduplication.co.uk/pdfs/FTK2.0_DataDup.pdf (24th October 2008)
• Guidance Software. 2008. EnCase Forensic. California: Guidance Software Inc.
• Forensic Focus. 2006. [WWW] http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=722 (22nd October 2008)
• Forensic Focus. 2008. [WWW] http://www.forensicfocus.com/index.php?name=Surveys (24th October 2008)
• McKemmish, R. (1999). What is Forensic Computing? Trends and Issues in Crime and Criminal Justice (118).
• Schuster, A. (2007). [WWW] http://computer.forensikblog.de/en/2007/07/updates_to_encase_and_utk.html (27th October 2008)
• SC Magazine. 2007. [WWW] http://www.scmagazineus.com/Guidance-Software-EnCase-Forensic-v-6/Review/159/ (27th October 2008)

1.10 BIBLIOGRAPHY
• Digital Forensics. 2008. [WWW] http://www.h11-digital-forensics.com/forensic-toolkit-computer-evidence.php (25th October 2008)
• BROWN, C.L.T. 2005. Computer Evidence: Collection and Preservation. Charles River Media.
• CASEY, E. 2004. Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet. Academic Press Inc (London) Ltd.
• SLADE, R.M. 2004. Software Forensics: Collecting Evidence from the Scene of a Digital Crime. McGraw-Hill Education.





1.11 APPENDICES

a) Appendix (i) – Sample Report of FTK

b) Appendix (ii) - Comparison of EnCase and FTK
Features supported by EnCase v6.11.2 and FTK v1.81.0, with a conclusion for each:

GRAPHICAL USER INTERFACE (GUI)
• EnCase: Very intuitive, but confusing for a new user.
• FTK: Very user friendly GUI. Includes tabs – Overview, Explore, Graphics, Search, Email and Bookmarks.
• Conclusion: FTK has been rated the most user friendly forensic tool.

VIEW PANES (TABLE PANE)
• EnCase: Text, Hex, Doc, Transcript, Picture; also supports Timeline View (to view files in calendar view).
• FTK: Native View, Filtered Text, Text, Hex, Internet Explorer.
• Conclusion: EnCase supports a Timeline view of files, which is not supported by FTK.

IMAGING OF DEVICES
• EnCase: VMware, dd, and Safeback v2 image formats; also supports CD/DVD and EnCase images.
• FTK: EnCase, SnapBack, Safeback 2.0 and under, Expert Witness, Linux DD, ICS, Ghost (forensic images only) and SMART; CD/DVD images in Alcohol (*.mds), CloneCD (*.ccd), ISO IsoBuster, CUE, Nero (*.nrg), Pinnacle (*.pdi), PlexTools (*.pxi), Roxio (*.cif) and Virtual CD (*.vc4).
• Conclusion: FTK supports more image formats than EnCase. But EnCase has its own image format while FTK does not. FTK cannot handle compressed drives like DoubleSpace.

FILE SYSTEMS SUPPORTED
• EnCase: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS, jfs), LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2. Now supports Novell.
• FTK: FAT 12/16/32, NTFS and EXT2/3.
• Conclusion: EnCase supports more file systems than FTK.

SEARCHING
• EnCase: Text extraction, global keyword search, hash analysis, file signature analysis, file-specific filters and multiple filters to quickly analyse target media; uses the EnCase search engine.
• FTK: Live and Indexed Search supported; uses dtSearch as the index search engine, which offers two types of search: natural language and Boolean.
• Conclusion: FTK search takes longer, but has good features such as Live and Indexed Search. EnCase uses its own search engine.

RAID
• EnCase: Supports imaging and analysis of RAID sets.
• FTK: Does not support RAID.
• Conclusion: EnCase supports several Dynamic Disk Configurations as compared to FTK.

HASHING
• EnCase: Message Digest 5 (MD5).
• FTK: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA-1).
• Conclusion: FTK supports SHA-1 hashing, which is not supported by EnCase.

CARVING
• EnCase: Recovers deleted files from file slack, unallocated space and other areas; can also recover deleted files on Ext2 and Ext3 file systems.
• FTK: Does not recover the filenames for files deleted on ext2 systems; does not support recovering deleted files from ext3 volumes, because ext3 zeroes out a file's indirect block pointers when it is deleted.
• Conclusion: FTK cannot recover deleted files and filenames on Ext2/3 file systems, which EnCase supports.

SCRIPTING
• EnCase: Uses its own script language – EnScript.
• FTK: Does not support scripting.
• Conclusion: EnCase has an advantage at scripting.



3 comments:

  1. very good comparison, very well described and has helped me very much!

  2. Excellent Work

  3. Thank you, now even you can give your input regarding more advanced features of the tools and their updated versions! Cheers :)
