EnCase 3.2

Forensics

EnCase 3.2 bills itself as the “most advanced computer forensic tool available today.” Indeed, it’s probably the most complete computer forensic tool available and is clearly the preferred tool of computer forensic experts.

The Case for Encase
While EnCase is definitely a tool computer forensic experts will want to use, my initial question was why an attorney would need a copy of the program. After all, an attorney isn’t going to disqualify him or herself by conducting his or her own forensic investigation.

While it’s true that attorneys don’t want to become witnesses in their own case, it’s wrong to assume litigators would not need the ability to search through computer evidence. Guidance Software’s general counsel, John M. Patzakis, argued that with the previous generation of computer forensics tools, the high cost of hiring an “expert” to pore through gigabytes of computer data at $300 per hour made civil discovery of computer data cost prohibitive. In the case Alexander v. Federal Bureau of Investigation, 188 F.R.D. 111, 117 (1998 D.C. Cir.), an Internet technology specialist testified in a high-profile investigation of former President Bill Clinton that the examination of a single hard drive required approximately 265 hours. That is almost $80,000 using a $300 per hour expert witness.

Before programs such as EnCase, computer experts would take days to acquire data and even longer to search through it. With EnCase, litigators hire an expert to acquire the data (preserving the evidence against attack) and then the attorney or his or her staff searches through the data, customizing searches on the fly. This recommended technique is really no different than how discovery is traditionally conducted in most civil litigation matters. The “boxes of documents” are acquired by a copy-service and delivered to the firm. Associates and paralegals with knowledge of the case then read through thousands of pages of discovery.

Because most computer forensic professionals use EnCase to acquire computer data, it’s only natural litigators wishing to search through the acquired data would also need a copy of the software.

The Software
EnCase creates a noninvasive sector-by-sector mirror image backup of all data contained on the target computer media, including active, deleted and temporary data; it then allows the attorney to search through the acquired data.

Because the acquisition of evidence isn’t a task most attorneys will use the software for, this review will gloss over this important capability of the software. Just know the software is capable of acquiring data in a variety of ways, and each method is designed to preserve the evidence for authentication at trial. The software can acquire data from PC, Mac, Linux/UNIX and even handheld devices running the Palm operating system.

Once the bit-level copy of the media is acquired, it’s stored in a compressed “Evidence File” that preserves all information necessary for authentication and verification purposes. EnCase uses both CRC (cyclic redundancy check) and MD5 hash values; an MD5 hash is a 128-bit number that uniquely describes the contents of a file. According to Guidance Software, the odds that two files with different content have the same hash value are roughly one in 2^128, or 3.4x10^38 (i.e., 34 followed by 37 zeros). Thus, if two files have the same hash value, the “trier of fact” can be reasonably assured “beyond a shadow of doubt” that the files are the same and were not altered.
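To make the CRC-plus-MD5 verification described above concrete, here is an added Python illustration (not EnCase’s code, and not its evidence-file format): at “acquisition” it records one CRC32 per 512-byte block and a single MD5 over the whole image, and verification then shows that a single changed byte fails the MD5 and is localized to a block by the CRCs. The 512-byte block size and the sample media are constructed assumptions.

```python
import hashlib
import zlib

BLOCK_SIZE = 512  # assumed block size: one CRC per 512-byte, sector-sized chunk


def acquire(media: bytes) -> dict:
    """Simulated acquisition: keep the image together with the integrity
    values recorded at acquisition time, a CRC32 per block and an MD5 over
    the whole image."""
    blocks = [media[i:i + BLOCK_SIZE] for i in range(0, len(media), BLOCK_SIZE)]
    return {
        "image": media,
        "crcs": [zlib.crc32(b) & 0xFFFFFFFF for b in blocks],
        "md5": hashlib.md5(media).hexdigest(),
    }


def verify(evidence: dict) -> dict:
    """Re-hash the stored image and compare against the recorded values.
    md5_ok answers "is the whole image unaltered?"; bad_blocks says where
    any change sits, which the single MD5 alone cannot tell you."""
    image = evidence["image"]
    md5_ok = hashlib.md5(image).hexdigest() == evidence["md5"]
    bad_blocks = []
    for i, expected in enumerate(evidence["crcs"]):
        chunk = image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        if (zlib.crc32(chunk) & 0xFFFFFFFF) != expected:
            bad_blocks.append(i)
    return {"md5_ok": md5_ok, "bad_blocks": bad_blocks}


def altered_copy(evidence: dict, offset: int) -> dict:
    """Return a copy of the evidence record whose image has one bit flipped
    at `offset`, leaving the recorded CRC/MD5 values untouched."""
    image = bytearray(evidence["image"])
    image[offset] ^= 0x01
    return {**evidence, "image": bytes(image)}


# Constructed sample "media": four 512-byte blocks of a repeating byte pattern.
SAMPLE_MEDIA = bytes(range(256)) * 8

if __name__ == "__main__":
    ev = acquire(SAMPLE_MEDIA)
    print("pristine:", verify(ev))                                # md5_ok True, no bad blocks
    print("one byte changed:", verify(altered_copy(ev, 1030)))    # md5_ok False, block 2 flagged
```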

Search Capabilities
Once an “evidence file” (i.e., a copy of a floppy, hard drive, CD-ROM, etc.) is created, it can be searched by using keywords, hash values (for known files), or file types (GIF, JPEG, PNG). EnCase uses a variant of the UNIX grep (global regular expression print) command to structure keyword searches, which is reasonably powerful and allows a great deal of customization. Unfortunately, the search functionality lacks the ability to easily apply Boolean logic operators to the searches. EnCase 3 includes its own “EScript” language designed to automate such tasks, but I didn’t figure it out in the limited amount of time I spent using the EScript feature.

Viewing Files
For most documents, EnCase displays the information as standard ASCII text, which means binary data is simply gobbledygook while text data is readable. Unfortunately, the program’s built-in viewers are limited to a picture viewer for the more popular image types, a Zip viewer (for compressed files) and an Outlook Express 5 DBX viewer. While the program can send an interesting file to an external viewer, the litigator must have a program capable of viewing various file types, such as JASC’s QuickView Plus or DataViz’s Conversion Plus.

Bookmarking & Reporting
The user can “Bookmark” files to make finding them again easier. EnCase also includes a “Timeline” tab that graphically displays activity within a particular folder. In addition, the reporting capabilities of EnCase provide the user with all pertinent information concerning the tagged directories and files.

EnCase’s sophistication and abilities speak for the program itself. For attorneys wishing to add the ability to search through electronic evidence, EnCase 3.2 is the program to purchase.

Guidance Software Inc.
(626) 229-9191
www.encase.com

Price: $2,500

Windows 98/NT/2000/XP

Reviewed by Michael W. Newcomb, Esq., Mayfield & Associates, Solana Beach, Calif.

Aug/Sept '02 Issue

PROS
Does everything advertised; an invaluable tool for the litigator who needs to search through electronic evidence.

CONS
Price (ouch); Boolean logic search capabilities are weak; and built-in file viewers are limited.

VERDICT
If your firm has a need for computer forensics software, this program is worth it.



Updated 07/30/02
© Law Office Computing Magazine
www.lawofficecomputing.com
(800) 394-2626