From: John Patzakis (john.patzakis[at]ENCASE.COM)
To: FORENSICS[at]SECURITYFOCUS.COM
Date: Wed, 3 Jan 2001 16:40:11 -0800
Subject: [FORENSICS] EnCase Evidence File Authentication

While we normally do not do so, some members of this listserv have asked us to respond to comments made by Andy Rosen of ASR Data concerning the verification of EnCase images.

Evidence File Verification

First of all, Andrew Rosen has at last admitted that ASR Data does not currently develop, market, sell or distribute a product named Expert Witness 2000, and has not since November 1999. Mr. Rosen has been actively misleading the entire forensics community for over a year by claiming to be developing this product, even going so far as scheduling phantom trainings for EW 2000 and vaporing the supposed software as recently as October 2000. As such, his record of intentionally misleading the forensics community is now clear and must be taken into consideration.

The early versions of EnCase verified the evidence file with CRC blocks in separate 32K segments of data. If the evidence file was damaged or otherwise compromised, EnCase would alert the user where the change occurred within 64 sectors. Persons, such as Andy Rosen, began to theorize and, according to unconfirmed rumors, demonstrate that the CRC could be, with quite some effort, spoofed. This has never been documented or formally brought to our attention. Nonetheless, in 1999 we added an integrated 128-bit MD5 feature to EnCase to verify that the data extracted from the target machine would be identical to the data in the evidence file. The MD5 hash is now an integral part of the verification process and appears in the verification section of the EnCase report. If a person were to spoof the CRC, the hash value would not verify and EnCase would inform the user of the verification error.

The most important point is to remember the examiner's credibility is paramount, as always. Anyone could plant evidence at will by altering the original drive before making the evidence file.

As far as Rosen's comments, they are both false and a disservice to the law enforcement community. Guidance Software has a strong record of quickly responding to any legitimate concerns raised by our users in the field with rapid and solid product development. The undocumented issue of CRC spoofing raised by Andy Rosen, even if true, was addressed over a year ago with the integrated MD5 hash feature. With literally tens of thousands of criminal investigations currently pending based upon EnCase-based evidence, it is shocking that ASR Data would intentionally mislead the computer forensics community in such a manner.

Additionally, we note that according to our records Mr. Rosen is not a licensed user of EnCase version 2, and thus he is not in a position to comment on the structure of the EnCase Evidence file.

The history of EnCase

The old software known as "Expert Witness for Windows" was exclusively developed and written by Guidance Software, Inc., (GSI) and GSI retains the right, title and interest to the copyright to the program as well as exclusive possession and access to the program source code. GSI licensed the trademark "Expert Witness" from ASR and GSI used that name for its Windows-based forensics product until September 1998 when the companies parted ways. The only thing ASR Data provided to Guidance Software was the Expert Witness for Windows name. GSI developed EnCase in 1997 and marketed it as Expert Witness for Windows under the assumption that an association with ASR Data would have a positive effect on sales. When this proved not to be the case, GSI formally discontinued its relationship with ASR. Under a November 1999 settlement resolving all disputes between the companies, the version of Expert Witness for Windows developed and owned by Guidance Software has been discontinued and can no longer be sold or promoted. Also, ASR Data is prohibited from selling or promoting any non-Macintosh computer forensic software until July 2002.

It is our belief that most people in the computer forensics community understand that Mr. Rosen's comments are motivated primarily by his resentment and personal vendetta against Guidance Software and not by some valiant and objective interest in policing the integrity of computer forensic software.

John M. Patzakis, Esq.
President and General Counsel
Guidance Software, Inc.
(626) 229-9191 x211
(626) 229-9199 (Fax)
________________________________________________
Note: The information contained in this message may be privileged and confidential and thus protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
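
The two-layer check described in the message above (a CRC per 32K block to localize a change to 64 sectors, plus one MD5 over the whole image), as an added example that is not part of the original message and is not EnCase code. It assumes a simplified layout of a CRC32 list plus one MD5 digest rather than the real evidence file format, and the sample image and function names are constructed for illustration.

```python
import hashlib
import zlib

SECTOR = 512
BLOCK = 64 * SECTOR  # 32K of data = 64 sectors, the granularity in the message

def acquire(data):
    """Record one CRC32 per 32K block plus one MD5 over the whole image."""
    crcs = [zlib.crc32(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]
    return crcs, hashlib.md5(data).hexdigest()

def verify(data, crcs, md5_hex):
    """Recompute both checks; failing blocks come back as sector ranges."""
    per_block = BLOCK // SECTOR
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    bad = [(n, n * per_block, n * per_block + per_block - 1)
           for n, blk in enumerate(blocks)
           if n >= len(crcs) or zlib.crc32(blk) != crcs[n]]
    return {
        "bad_blocks": bad,  # (block index, first sector, last sector)
        "block_count_ok": len(blocks) == len(crcs),
        "md5_ok": hashlib.md5(data).hexdigest() == md5_hex,
    }

def demo():
    # Constructed sample: a 128 KiB "image" (4 blocks), not real evidence data.
    image = bytes(range(256)) * 512
    crcs, md5_hex = acquire(image)

    # Case 1: one byte differs inside block 2; the stored values are untouched.
    changed = bytearray(image)
    changed[70000] ^= 0xFF
    changed = bytes(changed)
    damaged = verify(changed, crcs, md5_hex)

    # Case 2: same change, but the stored CRC for block 2 also matches the
    # changed data (a stand-in for the "spoofed CRC" case). The block check
    # passes; the MD5 recorded at acquisition no longer matches.
    matched = list(crcs)
    matched[2] = zlib.crc32(changed[2 * BLOCK:3 * BLOCK])
    spoofed = verify(changed, matched, md5_hex)

    return verify(image, crcs, md5_hex), damaged, spoofed

if __name__ == "__main__":
    for result in demo():
        print(result)
```
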