Re: Encase Forensic
- From: Kristian Gjøsteen <kristiag+news@xxxxxxxxxxxx>
- Date: Wed, 23 May 2007 13:08:36 +0000 (UTC)
David Rush <kumoyuki@xxxxxxxxx> wrote:
> I'm sure that this is almost an FAQ, but is using an encrypted file
> system the only defense against this company's software?
Using encryption properly is the only way to prevent people with physical
access to your computer from reading those files. The software in question
is not special in this regard, it seems merely like a convenient tool.
> I have just
> become aware of them through an article on wired.com where,
> apparently, law-enforcement officials used this
> <http://www.digitalintelligence.com/software/guidancesoftware/encase/>
> software to acquire evidence from a normally password protected
> Windows box without the owner's knowledge or permission (it was a
> warrantless search that was allowed by the subject's father).
There are numerous ways to do this. If you read the web page you cited,
you will learn more about how one piece of software does this.
Please note: I have no idea how good this software is at what it does,
nor do I know how good the alternatives are. But a brief look at the
web page you cite does not reveal any surprising technical capabilities.
> Supposedly, they gained access without rebooting or otherwise even
> seeing a password prompt.
If you read the wired article, you'll learn more about what happened.
Also, it seems to be about some US legal decision, not about the
technicalities of digital forensics.
> Personally I find all this very worrying,
> and am curious about the methods used by Encase to attack the system
> and how to defend against it.
If you knew more about how computers work, you would not be surprised.
Nor would you be worried by this particular piece of software.
--
Kristian Gjøsteen