From: John Patzakis (john.patzakis[at]ENCASE.COM)
To: FORENSICS[at]SECURITYFOCUS.COM
Date: Wed, 3 Jan 2001 16:40:11 -0800
Subject: [FORENSICS] EnCase Evidence File Authentication

While we normally do not do so, some members of this listserv have asked us
to respond to comments made by Andy Rosen of ASR Data concerning the
verification of EnCase images.

Evidence File Verification

First of all, Andrew Rosen has at last admitted that ASR Data does not
currently develop, market, sell or distribute a product named Expert Witness
2000, and has not since November 1999.  Mr. Rosen has been actively
misleading the entire forensics community for over a year by claiming to be
developing this product, even going so far as scheduling phantom trainings
for EW 2000 and vaporing the supposed software as recently as October 2000.
As such, his record of intentionally misleading the forensics community is
now clear and must be taken into consideration.

The early versions of EnCase verified the evidence file with CRC blocks in
separate 32K segments of data.  If the evidence file was damaged or
otherwise compromised, EnCase would alert the user where the change occurred
within 64 sectors.  Persons, such as Andy Rosen, began to theorize and,
according to unconfirmed rumors, demonstrate that the CRC could be, with
quite some effort, spoofed. This has never been documented or formally
brought to our attention. Nonetheless, in 1999 we added an integrated
128-bit MD5 feature to EnCase to verify that the data extracted from the
target machine would be identical to the data in the evidence file.  The MD5
hash is now an integral part of the verification process and appears in the
verification section of the EnCase report.  If a person were to spoof the
CRC, the hash value would not verify and EnCase would inform the user of the
verification error.

The most important point is to remember the examiner's credibility is
paramount, as always.  Anyone could plant evidence at will by altering the
original drive before making the evidence file.  As far as Rosen's comments,
they are both false and a disservice to the law enforcement community.
Guidance Software has a strong record of quickly responding to any
legitimate concerns raised by our users in the field with rapid and solid
product development.  The undocumented issue of CRC spoofing raised by Andy
Rosen, even if true, was addressed over a year ago with the integrated MD5
hash feature.  With literally tens of thousands of criminal investigations
currently pending based upon EnCase-based evidence, it is shocking that ASR
Data would intentionally mislead the computer forensics community in such a
manner.

Additionally, we note that according to our records Mr. Rosen is not a
licensed user of EnCase version 2, and thus he is not in a position to comment
on the structure of the EnCase Evidence file.

The history of EnCase

The old software known as "Expert Witness for Windows" was exclusively
developed and written by Guidance Software, Inc., (GSI) and GSI retains the
right, title and interest to the copyright to the program as well as
exclusive possession and access to the program source code.  GSI licensed
the trademark "Expert Witness" from ASR and GSI used that name for its
Windows-based forensics product until September 1998 when the companies
parted ways.  The only thing ASR Data provided to Guidance Software was the
Expert Witness for Windows name.  GSI developed EnCase in 1997 and marketed
it as Expert Witness for Windows under the assumption that an association
with ASR Data would have a positive effect on sales.  When this proved not
to be the case, GSI formally discontinued its relationship with ASR.

Under a November 1999 settlement resolving all disputes between the
companies, the version of Expert Witness for Windows developed and owned by
Guidance Software has been discontinued and can no longer be sold or
promoted. Also, ASR Data is prohibited from selling or promoting any
non-Macintosh computer forensic software until July 2002.

It is our belief that most people in the computer forensics community understand
that Mr. Rosen's comments are motivated primarily by his resentment and
personal vendetta against Guidance Software and not by some valiant and
objective interest in policing the integrity of computer forensic software.

John M. Patzakis, Esq.
President and General Counsel
Guidance Software, Inc.
(626) 229-9191 x211
(626) 229-9199 (Fax)
________________________________________________
Note: The information contained in this message may be privileged and
confidential and thus protected from disclosure. If the reader of this
message is not the intended recipient, or an employee or agent responsible
for delivering this message to the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer.  Thank you.
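
Added example, not part of the original message and not EnCase code: a sketch of the two-layer check the message describes, one CRC32 per 32K block (64 sectors) to localize damage, plus one MD5 over the whole acquired stream. The in-memory layout, function names and sample data are assumptions made for illustration and do not reflect the real evidence file format.

```python
import hashlib
import zlib
from itertools import zip_longest

SECTOR = 512
BLOCK = 64 * SECTOR  # 32K segment = 64 sectors, as in the message

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def acquire(data):
    """Record one CRC32 per 32K block plus one MD5 over the whole stream."""
    return [zlib.crc32(b) for b in blocks(data)], hashlib.md5(data).hexdigest()

def verify(data, stored_crcs, stored_md5):
    """Return (first sector of each block whose CRC mismatches, md5_ok)."""
    crcs, md5 = acquire(data)
    bad = [i * 64 for i, (now, then) in enumerate(zip_longest(crcs, stored_crcs))
           if now != then]
    return bad, md5 == stored_md5

def demo():
    # Constructed sample: four 32K blocks of deterministic filler bytes.
    original = bytes((i * 7 + 3) % 256 for i in range(4 * BLOCK))
    crcs, md5 = acquire(original)

    # Case 1: an untouched copy passes both checks.
    intact = verify(original, crcs, md5)

    # Case 2: one byte damaged in block 2; the CRC localizes it to sector 128.
    damaged = bytearray(original)
    damaged[2 * BLOCK + 100] ^= 0xFF
    accidental = verify(bytes(damaged), crcs, md5)

    # Case 3: block 1 changed and its stored CRC recomputed to match.
    # CRC32 is unkeyed, so the block check passes; the acquisition MD5 does not.
    altered = bytearray(original)
    altered[BLOCK + 5] ^= 0x01
    new_crcs = list(crcs)
    new_crcs[1] = zlib.crc32(bytes(altered[BLOCK:2 * BLOCK]))
    recomputed = verify(bytes(altered), new_crcs, md5)
    return intact, accidental, recomputed
```

The third case only holds if the reference MD5 is kept where someone altering the image cannot also rewrite it, for example in the examiner's notes or report.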


