Friday, July 2, 2010

Forensic File Formats – A Primer for Attorneys

Nintendo DS Leet SpeakImage by Myles! via Flickr
I was reading some blogs this morning and happened onto a post by Susan Brenner, on her cyb3rcrim3 blog. (Not sure why a law prof uses leet speak for her blog title, lol.)

The title of the post was Ghost v. EnCase, so naturally I had to read it.

Here are a couple of relevant clips from the post.  I encourage you to read the whole post as it presents a real issue with properly defending cases involving digital forensic evidence.

Ghost v. EnCase

“I could have entitled this post “battling computer forensic software programs.” It’s about a discovery dispute in a criminal case that centered around two such programs: EnCase and Ghost.
The case is State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), and it arose when Robert Dingman was charged with 21 counts of theft and 33 counts of money laundering in violation of Washington state law. I’m not going to summarize the facts that supported each count, because they’re redundant."
At argument on the motion, Dingman asserted that neither his computer forensic expert nor defense counsel had access to the EnCase program. His expert, Larry Karstetter, testified that a copy of the program cost $3,607. Karstetter said that he did not use the program because it was created for use by law enforcement, and he expressed concern that its search function could contain inherent bias against the defense. He added that in all other cases in which he needed hard drive copies, the State provided the copies to him in a readable (non-EnCase) format.

A Primer on Forensic Formats for Attorneys
A great many law enforcement agencies use Encase.  It is by far the most popular computer forensic software out there.  In the over 300 cases I have done, I have had two agencies submit forensic copies in a different format: Once in FTK and once in RAW format.

Here are the different kinds of formats you can expect to see in cases and how to deal with them.
  1. Encase format or as it is also known, Expert Witness format or E01 format.  Encase  by Guidance Software, Inc.
    1. This is the “native” format for creating copies of digital evidence when the copies are made using Encase Forensic software.  The file extension for these files begin with .e01 and are numbered .e02, .e03 and so on.
  2. FTK format.  FTK, which stands for Forensic Tool Kit, is a forensic software by Access Data Corporation.  It is the second most popular forensic software in use by law enforcement in the US.
  3. DD aka RAW format.  DD format can be created by several different programs and hardware devices used to create forensic copies of hard drives and other digital media.  It is an open source format and is commonly created using the Linux dd command.
Ghost images are not included in this list because, while it is possible to create an exact copy of a hard drive using Ghost, improper use of Ghost will not create an exact copy of the hard drive.  If you don’t use exactly the right combination of command line switches, Ghost cannot create an exact copy of a hard drive.  It is not recommended for use in computer forensics when there are plenty of free tools out there that can make verifiable forensic copies of hard drives.


If your expert does not know about these various formats and how to convert them for use in his or her forensic analysis tools, your best solution is to hire a qualified expert immediately.

There are free tools available to all experts to convert between various forensic images. (In the forensic community we refer to forensic copies of hard drives or other evidence as “images”, referring to the process of creating a mirror image of the evidence.  A mirror image is an exact copy of the physical evidence medium that includes everything on the hard drive, including deleted data and the “stuff” no one can see without forensic tools in an area of the physical hard drive called unallocated space and file slack.

It is a simple process to convert EnCase .e01 images into RAW format, or to convert FTK images into EnCase or RAW format for use in other tools and vice versa.

No comments:

Post a Comment

I have moderated my comments due to spam.