Sunday, March 21, 2010

EnCase Portable device - Review

This blog post is a review of the EnCase portable device. I have had the chance to use the EnCase portable device for several months now, starting with the initial version that was released, but I finally got a chance to sit down and write a review. The current EnCase Portable version that is publicly available is v1.2.1, which was released November 2009.

The EnCase Portable kit consists of a small carrying kit, a HASP security key, the EnCase portable USB device (black) and a 16gb flash device that is used for the collected data (blue) and a IOGear USB hub:

The EnCase Portable device was released about a year ago and is designed to be deployed on a subject's computer to collect a predetermined set or types of files. The device works in one of two ways:

1. You can use the source processor EnScript to chose a predefined collection job (i.e. collect all documents) and then load the USB with this job. When the USB device is run on the target computer, the job is executed and the predetermined type of files are collected.

2. The second method is to insert the USB device on the target computer and choose the pre-determined job at the time of triage.

Method one would be for giving the device to someone who does not know much about EnCase or does not need to interact with the collection process whatsoever. Method two would be for someone with average knowledge of EnCase and could decide what types of files need to be collected at the time of collection in the field.

In addition to the two collection methods described above, the USB device can be used in one of three ways to perform the collection:

1. For computers that support booting from a USB device, you can insert the black USB EnCase portable device and boot directly to an operating system installed on the USB (BartPE-ish).

2. For computers that don't support booting to USB devices (older computers or BIOS is locked down), then you can boot from an included CD-ROM that contains a stand alone operating system and the necessary EnCase program.

3. You can insert the USB on a running device and execute the EnCase portable process directly from the USB while the computer is running.

The EnCase security key must also be connected to the target machine during the time of the collection. There are also three choices for storing the collected data:

1. You can store the collected data on the actual EnCase portable device itself. It is a 4GB flash device, so space is somewhat limited if your collection may contain a large number of files or large amounts of data.

2. You can use the included Kingston 16GB flash device (these devices are horribly slow).

3. You can use your own external USB device such as an external USB hard drive.

If you chose option #3, there is aVB script that is included on the Encase portable device that is intended to be used to prepare your own external USB storage device. There is nothing special about the preperation process, other than a certain folder path must be present. If it is not present. The EnCase portable program will ignore the external storage device and attempt to store the collected data on the EnCase portable device itself.  There is no limitation to the file system of the external storage device and it can be anything Windows can read & write to.

I highly recommend using option #3. If you have this device and are going to be doing collections, get yourself a high-quality large external USB storage device that is USB bus powered, i.e. 7200rpm Tri-Interface (USB/1394a/194b) hard drive (The EnCase portable kit does come with a power supply for the USB hub, which is not pictured above).

When you run the portable EnScript (EnPack), the following menu is displayed:

The lower portion of the window lists the pre-defined collection jobs. The only job not shown is "Create PII Report" which is available if you scroll down. Highlighting a job and clicking "Run Job" starts the collection of those types of files.

Unfortunately, there is no way to see what "Collect Documents Files" entails from here. You either have to know what kind of files that collection job includes from some type of external documentation or have run the job before to know what kinds of files it will collect. The same is true ofr all these jobs types. There is no way to see what "Picture files" entails. I can assure you, all the jobs are comprehensive in the types of files it collects, but there is no way to focus only on certain types of files, such as only .JPG or only .DOCX extensions. These jobs are statically defined and cannot be edited or changed.

Having experience in writing EnScripts, I see many ways to write some custom EnScripts that can be used on this device to collect or filter on any type of criteria. In other words, it would be simple to create a condition type interface that would let you select the types of files to be collected based on metadata, i.e. name, path, size, dates, etc. You could also include the ability to perform keyword searches to define which files to collect, which is not available in this version. The above described functionality is supposed to be available in the next release (v2.0), but I have not yet seen it.

I will mention that the EnCase security key is somewhat limited in that it is designed to only be used with the EnCase portable process. You cannot use this dongle to perform analysis of the collected data. Using EnCase with this security key will report "EnCase Forensic" on the Window title, but it will not display the structure of a loaded local devices and will report "None of the selected devices are available" if you try to load a standard evidence file. It is designed to be for collection only. I assume you could buy this product and get a cert file that is associated with your current EnCase dongle, but I don't really see an advantage.

If you have one of these devices, please feel free to comment below with your experience in using EnCase portable .

If you have one of these devices and want to try a custom built EnScript to collect data, please feel free to email me.


Anonymous Tuesday, 30 March, 2010  


Have I understood this correctly - if you're plugging the USB stick into a target machine to take live data, do you also have to have their security dongle plugged in?

Lance Mueller Tuesday, 30 March, 2010  

Yes, that is correct. The drivers are installed and loaded on the fly.

martclau Thursday, 01 April, 2010  

I found the tool to be fairly slow and very memory consuming (not so cool if you want to e.g. image physical memory etc. and avoid paging on live systems). But using custom EnScripts on a dead system could be very powerful.

Phil Rodokanakis Thursday, 01 April, 2010  

Saw it demoed at CEIC last year. In my opinion, EnCase Portable might be of limited use to PDs and other Agencies that need to make field collections by personnel who are not fully qualified in forensics. But it is of no use to digital forensic examiners, even if the collection is to be made in the field since a forensic examiner will have access to the full version of EnCase.

Lance Mueller Thursday, 01 April, 2010  

Spaceman - I agree it can be very slow. Especially with the included USB devices, which are not very high-speed. You can speed it up significantly if you use a higher speed USB device or fast external USB drive.

Phil - I agree that its use is limited to a certain group of people doing forensics, but I disagree that its of no use to digital forensic examiners. I have found several ways to use it, especially when faces with collected from several machines quickly or surreptitiously.

merls Tuesday, 13 April, 2010  

Hi Lance and co

I have just receieved version 2 of Portable(Dongle and USB portable are the same key now).

I have tested it with a Seagate external USB drive and it seems very fast.

Full testing to go, but it is much better than the first version.


Anonymous Thursday, 15 April, 2010  

There is a training event hosted by Guidance this coming Tuesday re: encase portable. I am attending and will see how their newest version addresses the concerns you had.

littleiskender Thursday, 06 May, 2010  

for its new version, the EnCase portable USB device contains hasp key in-built.

laptop toshiba Monday, 24 May, 2010  

I have just receieved version 2 of Portable(Dongle and USB portable are the same key now).

Linux Tutorials Thursday, 21 October, 2010  

Yes, that is correct. The drivers are installed and loaded on the fly.

Business Advertising Friday, 05 November, 2010  

What do you mean by the drivers are installed on the fly?

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles