The EnCase Portable v2.2
The EnCase Portable v2.2 software enables non-technically trained field investigators to triage computers, determine if data of investigative value exists & acquire specific data or the entire hard drive for subsequent examination.
FEATURED IN INVESTIGATION
Evaluating the viability of digital evidence in the field has long been a challenge to law enforcement. Often, potentionally valuable, volatile data was lost in the digital evidence collection process when the running computer was unplugged. At the other extreme, dozens of computers were seized that required examination of highly skilled technicians only to find that there was nothing of value on those machines.
The National Institute of Justice’s (NIJ) Electronic Crime Technology Center of Excellence conducts electronic crime and digital evidence tool and technology testing, and produces evaluation reports, to help criminal justice agencies make informed technology purchasing decisions. Center staff conducted evaluation testing of Guidance Software’s EnCase Portable v2.2.
Guidance Software is a well-established software developer in the computer forensic software field. Expert Witness, the predecessor to EnCase Forensic Software, was an automated tool that marked a turning point in this field in the late 1990s. At that time, all-in-one computer forensic software solutions such as EnCase Forensic made examiners more efficient and productive. The introduction of computer triage tools, such as Encase Portable v2.2, represents another significant turning point in the electronic crime and digital evidence field.
Triage tools expand the role of the field investigator, and EnCase Portable gives them the ability to triage a computer and capture volatile digital evidence at a scene. By expanding the role of the first responder or field investigator in performing these tasks, computer forensic examiners are relieved of that responsibility and are therefore better able to concentrate on computer forensic examinations. Triage and data collection tools have been identified as high-priority criminal justice technology needs by the NIJ Electronic Crime Technical Working Group.
Digital evidence triage tools, such as EnCase Portable v2.2, address two of the five high-priority criminal justice technology needs, which were identified by the NIJ in its March 2009 publications, “Improving the Efficiency of Justice” and “Enabling Informed Decision Making.”1
No Advanced Training Required
EnCase Portable v2.2 enables law enforcement personnel without advanced computer forensic training to access information on a computer to determine if it contains evidence of criminal activity and requires data collection. Triage tools enable informed decision making by field detectives and patrol officers to assess the value of a computer to an investigation, thus reducing or eliminating the need for computer forensic examiners to respond to an electronic crime scene to perform these tasks. The examiner’s skills can be dedicated to conducting computer forensic examinations, reducing the backlog of cases pending forensic analysis and improving the efficiency of justice.
Law enforcement must identify and collect only the computers and data that are of evidential value to an investigation. In a school or business environment, where many computers are present and actively used, law enforcement must triage to collect only relevant evidence. A configurable triage tool like EnCase Portable v2.2 can be used to assess the investigative value of the information on each computer and identify and seize only those that contain evidence.
In court-ordered monitoring or parole assessments and evaluations, field investigators can quickly triage computers in the field to determine if contraband is present and collect the data if a violation has occurred.
The sturdy EnCase Portable v2.2 case includes a bootable USB security key, which contains the product licensing information, the software to boot a computer and approximately 2.5 GB of storage for data collection; a 16-GB USB data storage device; a bootable CD, which is used to boot computers that can’t be booted from a USB device; an EnCase Portable software installation DVD; a four-port USB hub and power supply; and a quick reference field guide.
EnCase Portable can be used to triage or preview data on a running computer or boot a powered off computer to a Microsoft Windows PE Operating System. EnCase Portable supports a variety of operating systems (OS), including Windows 2000 SP4, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 2008, Linux and Mac OSX.
Volatile data collection can be performed from a running personal computer and a user account with administrator privileges. This feature enables the capture of data from memory and accessible password protected or encrypted drives or devices on the target computer that would otherwise be lost. However, EnCase Portable v2.2 works on Apple computers only in boot mode, and thus can be used to do triage, but it can’t collect data from a running Apple computer.
The forensic implications of this method—registry key changes, drive letter change, file access date and time changes, and files or drivers added to the OS—are being compiled through file hash comparison as of this writing. Identification of the files with altered hash values after the EnCase Portable Security Key is inserted will reveal the files that are changed by inserting the security key. Confirmation and scope of hash changes are being assessed through this current test.
Alternatively, data collection from a non-running computer can be performed using the EnCase Portable USB boot key or the EnCase Portable boot CD. This method doesn’t require logging onto the computer with an administrator account; however, no useful volatile memory data capture is available.
In either situation, data can be collected from a running computer, a computer booted with the EnCase Portable boot key or a CD. Custom data collection jobs can also be performed. EnCase users can create jobs using the EnCase Forensic software on a forensic examination computer to define the types of data to be collected from the target computer and export those “jobs” to the EnCase Portable USB bootable security key.
For data collections that exceed the available 2.5 GB of storage space on the EnCase Portable USB bootable security key, the 16-GB USB data storage device included with EnCase Portable can be used to store the data collected. Although other USB data storage devices can be used, they must first be prepared with the EnCase Portable installation DVD “prepare storage devices” option or by following the instructions in the user manual.
EnCase Portable v2.2 successfully performed each of the preconfigured tests as described in the EnCase Portable user guide and product information material. The performance, speed and display quality were directly related to the configuration of the test computer. The boot process and tests performed significantly better on the faster notebook computers and the quality of the computer display and the responsiveness of the user interface were significantly improved over the older technology tower computer.
Additional tests included booting a MacBook computer with the EnCase Portable v2.2 boot CD and performing preconfigured data collection jobs. The testing and evaluation results revealed that the unit collected all the data in each test as expected and stored this acquired data as forensically sound evidence files for further examination.
EnCase Portable V2.2
Default jobs that come preconfigured with the EnCase Portable Software:
• Collect document, mail and picture files
• Collect copy of drive or memory
• Create Internet artifacts report
• Create PII report
• Triage pictures
Testing & Evaluation
NIJ ECTCoE staff testing and evaluation of EnCase Portable V2.2 was conducted on a tower computer with a 1.2 GHz processor, 512 MB of RAM and a 20-GB hard drive running 32-bit Microsoft Windows XP Home, a notebook PC with a dual-core 2.10 GHz processor, 4 GB RAM and a 320-GB hard drive running a 64-bit Microsoft Windows 7 and a MacBook computer running OSX. All tests performed and the results of the tests are documented in the complete report available through the ECTCoE website at www.ECTCOE.net.
• Captures digital evidence at a scene
• Enables non-technical investigators to triage computers
• Isn’t as effective on older computers
1. U.S. Department of Justice, Office of Justice Programs, National Institute of Justice High-Priority Criminal Justice Technology Needs, NCJ 225375, p.13, published March 2009.