| Abstract: |
Good tools are critical to successful examination of digital evidence, yet the quality of
such tools is very often an unknown. Independent testing is currently the only way to assess
the performance and quality of the tools available to digital forensic examiners, and
independent testing is critical in order to know whether tools deliver what they promise,
and to assess the level of trust one can place in them.
This project has aimed to thoroughly assess the quality of the disk imaging functionality
in EnCase 6.8 and LinEn 6.1 under a variety of conditions and with respect to the requirements
of Swedish law enforcement. The project has been conducted in four phases:
survey, requirements, test planning and testing and analysis.
Details of the project results are published in separate reports related to each phase. The
overall conclusions are as follows:
- No independent, public evaluations of EnCase version 6 other than this one exist.
- EnCase 6.8 performs as expected on the Windows platform when using a hardware
write blocker. Operation without a write blocker was not assessed, as this was not a
requirement. Hidden sectors were, as expected, not acquired.
- LinEn 6.1 performs as expected only when operating in “BIOS mode”, but fails
many tests when operating under “direct ATA mode”. Hidden sectors were, as expected,
not acquired in “BIOS mode”.
Based on the test results, we conclude that provided the limitation of not acquiring hidden
sectors is acceptable, EnCase 6.8 is an adequate tool for imaging ATA drives when using
a hardware write blocker, whereas LinEn 6.1 should be avoided if complete and accurate
acquisition is a desired.
All the work was conducted by experienced staff in test labs belonging to the Security
and Networks group within the Division for Database and Information Techniques
(ADIT) at the Department of Computer and Information Science (IDA) at Linköping
University under the supervision of Professor Nahid Shahmehri.
Linköping, March 5, 2008
|
