New Computer Snooping Tool

From the press release:

Unlike existing computer forensics solutions, EnCase Portable runs on a USB drive, rather than a laptop, and enables the user to easily and rapidly boot a target computer to the USB drive, and run a pre-configured data search and collection job. The ease-of-use and ultra-portability of EnCase Portable creates exciting new possibilities in data acquisition. Even personnel untrained in computer forensics can forensically acquire documents, Internet history and artifacts, images, and other digital evidence, including entire hard drives, with a few simple keyboard clicks.

Posted on June 18, 2009 at 7:08 AM • 37 Comments

Comments

Toby • June 18, 2009 8:03 AM

What about BIOS passwords and boot sequences that prioritise the primary hard disk over removable media?

george • June 18, 2009 8:05 AM

"Even personnel untrained in computer forensics can forensically acquire documents,"

Would be highly defendable in any court...

Dirk • June 18, 2009 8:10 AM

BIOS-Passwords never have been a problem.
Hard drive passwords could prevent this.
Better: use encrypted disks.

pegr • June 18, 2009 8:18 AM

This is not for acquiring evidence for a court hearing. This is getting enough to fire someone or spawn a larger investigation.

I've always thought that EnCase was overpriced and overrated. I've been able to do that with various Linux builds for some time. (Go Autopsy/SleuthKit!)

Phineas • June 18, 2009 8:25 AM

"Even personnel untrained in computer forensics can forensically acquire documents [...] with a few simple keyboard clicks."

Yerrrrsss....

And any personnel who are trained in Computer Forensics would baulk at running any software on a machine where that machine and its contents are to be used as evidence in a court of law - best practice is to extract and clone the hard disk in a laboratory, then work on the clone.

This feels like a snoopers/criminals tool, not a law enforcement tool, and as Toby has noted above, it is trivially defeated by BIOS passwords and a sane boot sequence, not to mention disk encryption.

If you're vulnerable to this tool, you're probably already vulnerable to a whole lot more, anyway.

Tree • June 18, 2009 8:28 AM

I haven't tried it recently, but I've found getting laptops to boot from a USB drive to be a complete pain.

Nathan • June 18, 2009 8:36 AM

"This is not for acquiring evidence for a court hearing. This is getting enough to fire someone or spawn a larger investigation."

How do you know you're not acquiring evidence for a court hearing? What happens when your "fire someone" investigation leads to child porn and/or other illegal activity? Is the individual "untrained in computer forensics" able to defend their actions in court and prove the authenticity of the data?

Interesting tool to add to the arsenal but with forensics there has to be much more consideration than just "hey cool" when choosing how to approach a particular situation.

Stephan • June 18, 2009 8:40 AM

Computers should ship with encrypted hard drives per default. On your first successful boot you would be prompted to enter a password and a header backup is automatically burned to CD. This would prevent so many accidental data losses. And which burglar would actually skim through your CD collection to find the header backup...

Shawn • June 18, 2009 8:56 AM

>Computers should ship with encrypted hard drives per default.
>...
>And which burglar would actually skim through your CD collection to find the header backup

If this was the default, they all would.

Gweihir • June 18, 2009 9:00 AM

This thing feeds an age-old vision some people have: Being the master of a computer without actually understanding it. This vision may come true in the far future, but I doubt it. There is nothing that can realize it in the near future, with the possibility of true AI still being completely unclear. (My take: It will be impossible for the foreseeable future.)

Still, people will buy the product, or better, the vision. This type of scam has worked countless times before and in many different areas.

FullDiskEncryption • June 18, 2009 9:05 AM

I find it interesting what will happen to the computer forensic "industry" when all hard disk drives are encrypted. Is encryption a game ender?

Full disk encryption on all computers is really only a matter of time, and hopefully happens sooner rather than later.

All computers, laptops and desktops should (and will eventually) ship with encrypted hard disk drives, either at the hardware level, in BIOS, or a pre-OS application (what is most prevalent today). When that happens, forensic disk investigation will be (better be!) impossible.

I am not in-tune with the computer forensic industry, but I have to imagine that this is a huge topic (or perhaps the elephant in the room) that is (or isn't) talked about at length at computer forensic conferences, meetings, etc.

Ricky • June 18, 2009 9:35 AM

Even if it doesn't hold up in court (which it might, as of late the courts have been more accepting of evidence when you can surround it by techno-speak) you've already lost your reputation, your job, your money, and possibly your family and friends after someone claims they found [bad stuff] on your system.

Kashif • June 18, 2009 9:41 AM

Encryption will not hinder EnCase or any similar forensic tools if looked at from a corporate perspective. Why? Because any medium or large sized company with an IT department will encrypt hard disks using some sort of user/master key system, i.e. they will be able to deliver the master key for the specific hard disk on demand. And if you consider that forensic services may be requested by the company itself (e.g. for uncovering any wrongdoings of their employees or just trying to find a reason to fire them) or approved by the company (e.g. criminal investigation of one of their employees), hard disk encryption would only hinder non-authorized access (e.g. laptops stolen or found). Of course this is the best case scenario...

Clive Robinson • June 18, 2009 9:44 AM

If EnCase had bothered just a little bit harder they could have used U3 to remove even the need for keyboard typing ;)

Oh and unless the people doing hard drive encryption are a bit brighter than appears average then there is going to be a big pile of "in depths" to work with, which should make some people happy.

However even hard drive encryption is not always going to save you if you put/let your machine hibernate. It's not going to be too hard to get the encryption key with a scanning tool...

karrde • June 18, 2009 9:46 AM

Sounds like another iteration of "if you have physical access to the machine, you have control of the machine."

vedaal • June 18, 2009 10:09 AM

use truecrypt whole disk encryption

there is an option to have the opening truecrypt boot screen display a user generated message, followed by a blinking cursor, which will continue blinking and ignore all input until the correct passphrase is entered, at which time it will boot

so,

laptop users anticipating an encase attack, can generate creative truecrypt boot messages like:

Boot Error: no OS found

or

Intruder! drivewipe.bat

or
[suggestions please ;-) ]

unfortunately,
the above is the maximum length of message truecrypt allows ;-(((


vedaal

Mortals chiefest enemy • June 18, 2009 10:15 AM

@Ricky

"Even if it doesn't hold up in court (which it might, as of late the courts have been more accepting of evidence when you can surround it by techno-speak) you've already lost your reputation, your job, your money, and possibly your family and friends after someone claims they found [bad stuff] on your system."

Both parts very true. And the claims of bad stuff don't even have to be true.

Alain Job has just lost a case against the Halifax Bank over a phantom credit card withdrawal.
See http://www.which.co.uk/news/2009/06/...
The judge seems (but IANAL) to have tossed it for two reasons.
- Although Cambridge (UK) dons have cracked Chip and Pin, there was no evidence that this had happened elsewhere
- There was no evidence of systems failure
There was an incomplete chain of Bank evidence but that did not convince the judge.
If this blog knows of helpful evidence, Barrister Stephen Mason would like to know
http://www.stephenmason.eu/e-signatures/pin/

@FullDiskEncryption
In passing: the UK Computer Forensics Science Service says it is going to cut about eight hundred jobs.
http://news.bbc.co.uk/1/hi/uk/8089922.stm

Pete Austin • June 18, 2009 11:15 AM

@Mortals chiefest enemy. Don't believe everything you read on the Web. The Alain Job judgment is online at:
http://www.alikelman.com/jobhbos.pdf

(iv) The 2 ATM's concerned were close to the Claimant's house and ones which he used regularly
(v) The Claimant is in fact careless with his cards. In the few years he had an account he seems to have lost 7 cards. In addition 2 cards were sent to him, including a credit card, that he says he did not receive
(vi) Mr Job had already in 2005 obtained a refund after reporting non receipt of a credit card and PIN

anonymous • June 18, 2009 11:25 AM

>This feels like a snoopers/criminals tool, not a law enforcement tool,

Sometimes there is no difference.

Jimmy • June 18, 2009 11:30 AM

It mentions also that they can do data collection "without an on-site forensics expert"... what if the computer is running? You won't always want to shut it down and reboot to a USB drive. Seems like this may be a great tool for the "personnel untrained in computer forensics" to place false confidence in and leave out crucial pieces of information.

With regard to all computers being shipped with disk encryption, I'm not so sure end-users are willing to take the risk of losing all their data if a password is forgotten, or if for some reason the mechanism breaks. In fact just the other day, I had a friend using TrueCrypt, it crashed and his hard drive was an unrecoverable brick.

C • June 18, 2009 11:54 AM

It's a moot point to me, if an attacker has physical access to a machine then the sky is the limit anyway. Sure you could run the tool... or you could use Knoppix w/ dd and pull a clone for extended pen testing. Or run ERD Commander and reset a local account off the network.

As others have said, this seems more like a tool for a quick run, shits and giggles, or for more nefarious people than for forensics.

Archon Zyro • June 18, 2009 12:48 PM

I am familiar with the company and I can assure you that they are the most reputable firm in the real computer forensics business both here and through their Canadian reseller. I have been onsite and have personally seen many many law enforcement professionals taking training courses for EnCase.

kashmarek • June 18, 2009 12:55 PM

...transfer...an entire hard drive...

Gee, there are some big drives out there (1/2 terabyte, full terabyte, or larger). Will that fit on a USB stick?

Grymoire • June 18, 2009 2:46 PM

File System encryption? I would assume the USB version of EnCase can capture passwords from memory. If the system is alive when captured, game over. And Phineas - EnCase is used in courts worldwide. It's an accepted standard for forensic gathering. You would find it hard to prove that the evidence gathering procedure is flawed.

As for hard disk encryption, I thought many vendors have a built-in password backdoor.

And then there is the BIOS keyboard buffer. Some full disk encryption systems forget to flush that part of memory.

As for people who say EnCase is more useful for nefarious activities, I would guess none of you have had to be in court as a forensic expert.

Mark R • June 18, 2009 3:13 PM

Aren't most of those consumer-grade encrypted drives protected by passwords anyway?

Poor password choice should keep those forensic analysts in business for the foreseeable future.

pegr • June 18, 2009 4:05 PM

Thanks for making my point, Nathan! Bonus points for doing so in an obnoxious and argumentative manner!

Again, this is for internal investigations, not law enforcement. So what happens when you run into "illegal" instead of the "inappropriate" you were looking for? You didn't necessarily contaminate the evidence. It's still admissible if you follow a few rules.

1) Don't do it alone. You want a witness to back up what you say happened. Have a video camera running.

2) If you run into "illegal" stuff, shut everything down, bag it and tag it. Call a pro.

Hamatoma • June 18, 2009 6:53 PM

My computer won't boot from USB. I know this well; I've tried many times!

Any Fish • June 18, 2009 7:28 PM

That USB stick must have Zener diodes from upstream, downstream and power to ground, otherwise it might get damaged when someone has modified his computer hardware and firmware to grill such things.

Rick Damiani • June 19, 2009 1:49 AM

Somebody watches too many movies, I think. Transferring the contents of a hard drive is something that takes hours, not minutes.

Clive Robinson • June 19, 2009 3:52 AM

@ Rick Damiani,

"Transferring the contents of a hard drive is something that takes hours, not minutes."

Yes and no.

If you are talking about the whole drive then it takes between 10 and 20% longer than doing a full format.

However depending on what you are doing copying the whole disk may be a waste of time.

A number of forensic products have a filter to ignore files that are part of the operating system etc.

Simplistically what it does is to hash the file and compare it to a list of valid hashes, if it matches then there is little point in copying it (some virus scanners work in a similar way, and it makes me wonder why somebody has not started selling a virus/malware detector system on a USB thumb drive).

On a lot of people's computers this filter would reduce the amount of files that need to be transferred down to less than a few gigs possibly less than 50 megs.

Likewise you could (also) be using a filter that is looking specifically for something like a name or other data item.

It really depends on what you are doing, when and for what reason.

This sort of tool does have legitimate uses both in forensics and in more general policing activities as well as the more "sneaky beaky" activities some people are suggesting.
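
Added example, not part of the comment thread: a short Python sketch of the known-file filter described in the comment above (hash each file, skip it when the hash is on a known list), followed by the keyword filter it also mentions. The function names, the sample files and the stand-in hash list are all constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, known_hashes, keyword=None):
    """Return (to_collect, skipped_known, bytes_saved) for all files under root."""
    to_collect, skipped, saved = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if sha256_file(path) in known_hashes:
                skipped.append(rel)          # known file: no point copying it
                saved += os.path.getsize(path)
                continue
            if keyword is not None:
                with open(path, "rb") as f:  # whole-file read, fine for a demo
                    if keyword not in f.read():
                        continue
            to_collect.append(rel)
    return sorted(to_collect), sorted(skipped), saved

def demo():
    """Build a constructed sample tree and run both filters over it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample files, not real evidence
            "system/kernel.bin": b"\x7fOSFILE" * 1000,
            "system/shell.bin": b"\x7fSHELL" * 500,
            "home/notes.txt": b"meeting with ACME on Friday",
            "home/todo.txt": b"buy milk",
        }
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        known = {hashlib.sha256(d).hexdigest()  # stand-in for a known-file hash list
                 for k, d in samples.items() if k.startswith("system/")}
        return triage(root, known), triage(root, known, keyword=b"ACME")

if __name__ == "__main__":
    print(demo())
```

The hash filter only establishes that a file is byte-identical to a listed one; any modified system file falls through to collection, which is the behaviour an examiner wants.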

Clive Robinson • June 19, 2009 5:40 AM

@ pegr, Nathan,

"this is for internal investigations, not law enforcement."

You are both right and wrong.

EnCase is a worldwide organisation, which means they sell into many different jurisdictions.

What is and is not permissible or legal in any jurisdiction is up to the legislature and judiciary in those places.

For instance in some places (Switzerland) crypto is not just legal, it is looked upon as being a valid business sector in which all may participate without let or hindrance.

Other European Nations (France / UK) have had different views at different times as to what does and does not constitute a criminal or adverse national security act.

In other places they simply make you unavailable, some permanently so.

Likewise the "[bad stuff]" Ricky alluded to, depending on what it is might or might not be illegal or even questionable depending in which jurisdiction you are in.

For instance at one time or another various countries have decided out of national interest to make such things as "chewing gum" and "Coke/Cola" not just unavailable but illegal to import.

Clive Robinson • June 19, 2009 6:05 AM

For those who want to become better acquainted with "cyber forensics" have a look at,

http://www.forensics.nl/links/

You will find links to papers and books by "all the usual suspects".

With regards to hard drives and RAM etc have a search there for "Brian D. Carrier" he is acknowledged as being one of the better informed in these areas.

BF skinner • June 19, 2009 9:55 AM

Isn't the first rule of evidence collection not to change the computer's state? The USB drive will alter the Windows registry.

Or is it bootable?

Nelson • June 19, 2009 10:04 AM

BF skinner - it would be bootable, starting up its own OS and thereby not altering the existing Windows reg.

Frank • June 20, 2009 12:30 PM

The only exciting opportunity I see there is the opportunity to scan everyone's computer hard disk without a court order.

I can easily see those USB pen drives with Encase given to cops with no computer forensics background so that any suspect interviewed can have his/her computer hard disk scanned. A great fishing expedition tool indeed.

bf skinner • June 20, 2009 5:12 PM

@nelson "It would be bootable"

So in order to boot from USB don't you have to modify the BIOS if it's not already set to boot from BIOS? And again modifying the state of your evidence (though admittedly the state of the BIOS has less probative value than the data on the HD.)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.