Forensics: Importing Hashsets into EnCase (Part 2)

Part 2, of the series. Part 1, of how to import hashes into EnCase is available here.


Forensics: Importing Hashsets into EnCase (Part 1)

Forensics: Importing Hashsets into EnCase (Part 1)

Electronic Discovery: E-Disclosure Qualification

Guidance Software, the forensics giant which produces EnCase has announced the release of its e-disclosure qualification “EnCase Certified eDiscovery Practitioner” – EnCEP.

The value of the EnCEP certification will have to be seen, but there are already obvious pros and cons for it.

The Pros

The employers of staff using the EnCase E-Discovery tools and bring their staff to a common standard, and employees and staff can work to a common standard and demonstrate to future employers/clients, their competance levels.

The Cons

E-Discovery is a huge area, collosal. Concept searching, near de-duping, review platforms, data recovery, backup tapes, project management, consultancy, etc. The certification currently being offered is for a very narrow part of electronic discovery, on a single tool, being taught to follow a methodology that is based on the use of the Guidance Software products.

This in itself is not a problem as long as people are aware of what the qualification actually means, but the concern is that the huge PR machine of Guidance can push forward the certification as a requirement, as a standard in the industry, as EnCE is becoming.

Increasingly it is not unusual for clients to ask staff to be EnCE certified. While there are many good people who are EnCE certified, there are those who are not, whose knowledge of forensics is very limited. On the flip side of that there are people who are not EnCE certified and who are fantastically smart, a look at the SANS website and blog will demonstate this.This site has numerous postings by  people who have an incredible technical knowledge, far far above that for the EnCE exam, but their own qualificiaiton may not be accepted by certain employers/clients. Equally there are people with no certifications who are not much use.

So where does this leave us? Currently certification does not prove or disprove a skill set that a client would need, not least because clients needs are generally so varied and vast, even on a single project. The idea of certification, is a good one, but there is a long way to go before the industry has a reliable standard.

The press release by Guidance Software, is below:

The EnCase Certified eDiscovery Practitioner program was created by industry experts to meet the needs of our EnCase eDiscovery users who are handling electronic evidence in both routine and some of the largest and most complex litigations of our day,” said Al Hobbs, Vice President, Professional Development & Training Operations for Guidance Software. “Candidates who complete the EnCEP program, and earn the designation, will have demonstrated their expertise in the leading edge EnCase technology and methodology for the collection and processing of electronically stored information.” “Successful litigation depends on good legal scholarship as well as the appropriate technology infrastructure to support e-discovery. We recommend that legal professionals are screened on their understanding of technology and enterprise computing, as well as their comprehension of how technology is deployed,” said John Bace, a research vice president at Gartner, graduate of the John Marshall Law School in Chicago, and Advisory Board member for the Center for Information Technology & Privacy Law at the School. “Certification programs such as these are a step in the right direction toward ensuring that IT professionals are proficient in eDiscovery.” Over the past eight years, Guidance Software has certified more than 2,100 computer investigative professionals with the globally recognized EnCase(R) Certified Examiner (EnCE(R)) designation. The new EnCEP program will similarly enable eDiscovery practitioners to demonstrate their skills, training and experience in the proper handling of ESI for legal purposes. Information on the requirements for EnCEP candidates, the testing program and certification renewal can be found at

Forensics: Hashes, do they work?

What’s the big deal about hashes?

This article follows on from the previous myths about “verification” in EnCase article.

Hashes are the back bone of computer forensics, they are used to identify and remove junk data with the NSRL/NIST list. They are used to de-duplicate files in computer forensics and electronic discovery, and they can also be used to de-dupe emails in electronic discovery. But, they also form the foundation of evidence security:

  • “If the hash has not been changed the data cannot be changed”
  • “The evidence cannot be tampered with because of the security of hash values”
  • “The evidence is protected by the hash values”

These are just some of the common statements about hash values made by many, if not all forensic investigators, to clients and courts alike.

But is this true?

Subjects such as hash collisions are not relevant for this article and other, far more gifted writers, have already ably demonstrated that, for the purposes of computer forensics, the MD5 and SHA-1 hash are mathematically secure.

It is not the issue of the mathematics and cryptography that is being debated here, but rather the protocol. Can a person stand up in court and state that:

The evidence cannot been tampered with because the hash has not been changed

The imaging process

Very briefly this is what happens to evidence drive during the imaging process, for both criminal and civil offences:

  • A suspect’s hard drive is connect to a computer (a hardware write blocker is normally used, but systems like Linux imaging platforms and software blockers can be used with or without hardware write blockers).
  • A hash value is calculated for the image
  • The hard drive is returned

For the criminal case the hard drive will be returned to a safe/evidence room, until it is required. During the case the defence, in theory, can ask to see the original and check the hash value.

For the civil case the hard drive will normally be returned to the user and, more often than not, the computer will be immediately booted, as the custodian/user/client needs to start working straight away.

This will immediately change the state of the disk; therefore the only evidence of the original hash value is the image. The civil investigator, if challenged, can refer to the original hash value to show the data has not changed since he took the image.

Different Data – Same Hash Value

In both of these scenarios there is one rather obvious problem, the evidence can be tampered with, and the hash remain unchanged.  It just depends on when the data is tampered with.

People debate the pros and cons of hash values and protecting media: SHA-1 v MD5, the software write blockers V hardware write blockers, Linux v Windows, ICS v Tableau, etc, but they never debate the far more common scenario  – bad people.

Note: Before going any further it should be made clear that there is no allegation that this has happened, it is merely a theory.

Let’s take those scenarios again:

  1. Person (A) gets takes possession of a hard drive of a suspect and then connects it to  their forensic computer.
  2. Person (A) then images  the data
  3. The computer calculates the hash value  = ABC123
  4. Person (A) provides evidence to court that the image at the time had the hash value ABC123 and has the same value now.

But, what if Person (A) was corrupt? What if Person (A) wanted to frame the suspect?

What if the sequence of events occurred as follows:

  1. Person (A) gets hold of a hard drive or a suspect and then connects it to their computer
    1. Person (A) runs a script that dumps illicit material into unallocated space.
  2. Person (A) then images  the data
  3. The computer calculates the hash value  = ABD123
  4. Person (A) provides evidence to court that the image at the time had the hash value ABD123 and has the same value now.

Item  1.1 would take minutes, if not seconds to run, and would be undetectable to the naked eye. Once the data was on the computer it could be impossible to prove that is had been added deliberately.

There would be no need for the procedure to change the dates, this means that it’s entirely possible to insert data and just lie about it.  The hash value of the image will not change and for a criminal case the hash value of the hard drive in storage would be the same as the image – because the illicit material was added before the hash value was calculated.

A physical example of this could be a crooked cop planting drugs on an suspect, the drugs would then be found (following the search) and put in sealed bag, and if the bag was opened later and tested it would be found to be drugs.  The evidence of the seals would be used to prove that the drugs had not been tampered with.  But this does not make any difference, the drugs were planted, the seals don’t help the person who has been set up.

Could it happen?

The scenario given has never been reported, there has never been a report of the police or a civil investigator inserting evidence onto a hard drive, nor is there reason to believe it has occurred and been unreported.  But could it happen? It is technically possible, but would people really do this?

Firstly the police have misused data many times in the UK; secondly people have lied on the stand, on more than one occasion – in relation to computer forensics. Thirdly, police officers have been convicted of all sorts of offences, from blackmail through to rape. Why? It’s not because the police are particularly corrupt, it’s just that they are selected from the public, and there are crooks in the public, therefore there will be some criminally minded individuals in the police, though much less than in the public as a whole.  If you’re willing to commit rape and blackmail your probably willing to add a few 1s and 0s to a hard drive. During the 1970s and 1980s certain parts of the police (in the UK)  had a bad reputation when the law was bent and broken, to get convictions of “the bad guys”, inevitably innocent people where caught up in this and innocent people were wrongly convicted.  In fact it was such a problem new laws and procedures were brought into to try and combat this.

But could it really happen now?

But now, in the modern world could the police really fake evidence? Sadly yes, it could still happen. The most obvious example of this is the fingerprint case involving the Scottish police. In this case numerous fingerprint officers in Scotland went to court and testified that the fingerprints they had obtained from a case proved that two people were guilty, one of murder the other of perjury: the latter was a fellow police officer.  But, on appeal the worlds fingerprint officers stated that clearly both fingerprints did not belong to the two people in jail – in short the Scottish police were accused of framing people by lying about fingerprints.

Fingerprints are the closest analogy in the physical world there is to a hash value, and here were criminal investigators lying about fingerprints.  Is it impossible to believe that a person would lie about a hash value, or plant data on a person?

Put it another way, given the nature of human beings – which is more likely:

(a)    A hash collision or

(b)   A forensic investigator doctors evidence to get the result they require, given that the latter has happened throughout human history and the former has never happened  in anything other than a maths paper.

I believe the answer is in the question!


How can forensic investigators combat this? Firstly the concern about hash value security needs to be replaced with concern about procedures and processes that show that a person is being honest. Possibly the best way forward is to follow the example of the traffic police.

The traffic police have their gadgets, lots of gadgets:  Radar, lasers, speedometer, etc, all of which can be used to catch us (me) going slightly (a lot) faster than we should do. But, what do they say when they pull you over?

They say that “We observed you travelling at excess speed because [description of the car and movement], and we can provide additional evidence of this through this device [laser, radar,etc].”

They could have pointed the radar gun at a motorbike doing 110mph and said it was you ; but it is their word in court.

The primary evidence is their word, supported by technology.

Therefore, when in court, the primary evidence that the data has not changed should be the word of the person presenting the evidence, supported hash values, and not the other way around.

It is the word of the investigator that we are all counting on, from the data collection through to the final analysis; investigators should not shy away from this.

Forensics: Computer Forensics – Police or Civil?

Historically computer forensics has always been lead by law enforcement. The technology, the methods, and the cases; all driven by criminal cases.

Who in the 1990’s would be able to afford, or even find, a computer specialist to investigate a HR issue within company? If the sales guy left, and took a the company contact list with him, then computer forensics would never be considered. In the police, things were different. In 1999 the now defunct National High Tech Crime Unit was created (now replaced by SOCA), police forces got funding for high tech crime units of their own and laws (in the UK) were created and amended to help the prosecution of those looking at child pornography on a computer. Not just those taking the pictures but those viewing the images.

These laws meant that thousands of new criminals were created and, combined with Operation Ore, more and more computer forensics work was created. The police were overwhelmed, so got bigger budgets. More people reported incidents of crime involving computers. The police were overwhelmed. The internet grew, and so did the offences, and so the police forensics units continued to grow.

In the UK as the police forces grew so did the industry of computer forensics dedicated to supporting the police. Many reputable companies make a huge proportion of their income from police work – which is outsourced. People many not be ware of this but, in the UK, the police regularly out source computer forensics work, including the child abuse investigations.

In addition to this, for every criminal case there is a defense lawyer, and therefore a defense expert witness.  This means that another industry of computer forensics specialists, defending people against prosecution, was created.

So from the police, to the companies conducting police work and those defending police work, there was an entire industry of forensics created, much of it from child abuse images.

This meant the software industry responded, and anybody attending an EnCase or FTK course would know this. The courses were heavily focused on recovering images and police work, with the vast majority of those attending courses working in law enforcement – this was a sensible decision by Guidance and AccessData.

Over the years computer forensics companies have expanded and moved into the areas of electronic discovery, civil investigations, and data theft investigations. But, because their original technology, training and staff, had a police basis these companies are often entrenched in law enforcement methodology and technology.

Even today, as we are hurtling towards 2010, many employers actively seek “ex-law enforcement” for computer forensics employment. It’s seen as the gold standard to measure the industry by.

But is it?

There is no doubt that the police standard of evidence handling are as high as they need to be, because they work in a criminal environment, rather than a civil. But are they the most effective? Are governments known for efficiency or bureaucracy?

What about technology? The police, as a standard use EnCase and FTK, and a few widgets. Civil companies can recover deleted files, keyword search, match hash values and all that good stuff. But while the civil sector has all of this, they also have a lot more.

  • Civil companies are able to cluster together similar documents, to help find the key files.
  • They can de-duplicate emails (which Encase or FTK cannot), therefore reducing the data set massively.
  • Civil companies are able to have hundreds of people reviewing and marking documents, around the world, on the same case, securely, in a live environment.
  • Technology is now deployed, in civil companies, to keyword search audio files and tape recordings, on the fly.
  • Near de-duplicates can be identified, by civil companies, to further reduce the size of data sets.
  • Concept searching is on the increase, and indexing is a de rigueur.

Most of these terms would never be used within law enforcement; so much so that the UK government states that they need 90 days to look at couple of computers and change the laws to detain people for that long. Law firms do that in a matter of days, and go to court on the results, because they are using far more advanced technology.

Civil companies are able to collect huge volumes of data. On the SANS twitter today there was the following statement:

  • Chris discusses the largest seizure by police: 14 locations; 50 investigators; 33 computers; 44 mobile devices; 400 media #forensicsummit

That is not a lot of computers. The largest collection this author has been involved with had over 5,000 pieces of media, a couple of hundred, for one case, is certainly not unique. With others doing many many more  Some firms have imaged over a petabyte of data, for one case.

The big investigations, the really big ones, the Madrid bombing, the Madoff investigation, Enron, WorldCom, etc – these all have a major civil investigation technical component, if not entirely civil.


There is a change on the EnCase courses, they are more “civil” friendly, but the course are still run, and dominated, by law enforcement demands. But with technology being led by the civil side, and the economics dominating the civil industry, is it not time to change our perspective on what the “gold standard” is?

Note: The author has worked on both sides of the argument.

Forensics: FAT Quiz – Practice for EnCE & CCE Exams

A new computer forensics quiz FAT  has been released.

This quiz, as with the others, is designed to help those going for their EnCE or CCE exams.  This practice set of questions all about about the FAT32 file system

Forensics: Disk and Disk Geometry Quiz: EnCE & CCE Practice

A new computer forensics quiz has been released, this one is based on disks and disk geometry.  The questions are designed to help people practice for their EnCE and CCE style theory exams.