What Can EnCase Identify That Other Digital Forensics Tools Can't?

If you are a digital forensics specialist or enthusiast, you will no doubt have come across the EnCase tool. It is often one of the first pieces of software employed when digital documents need to be thoroughly investigated.

But what is so special about EnCase? Wouldn't other, less well-known tools uncover the same types of information EnCase has been able to? After all, there are plenty of alternatives (FTK, Oxygen, X-Ways, Helix, Winhex, Logicube Talon, Replica, etc.) and most forensic specialists will use a number of different tools depending on the use case. This article picks out three areas where EnCase can claim an advantage over its rivals and that contribute to its strong reputation in both digital forensics and proactive cyber security.

Carving is the process by which discrete files are separated from other information in unallocated disc space. This is done via the identification of the header and trailer/footer codes associated with certain file types and is a core skill that should be mastered by digital forensic specialists. While EnCase is not normally valued for its carving abilities (in fact, it is often criticised for its performance with this function), it does often outperform many competing tools on carving image files. This is especially important in cases involving visual evidence (e.g.

To try this out using the EnCase Evidence Processor, select the 'File Carver' module. You can then select from a host of file types including documents, spreadsheets, charts, presentations, emails and pictures. The more options you select, the slower the process, so try to reduce these to the likely sources of the information you are looking for. You will find every type of image file under the sun under the 'picture' option and you can even import your own file type. By checking the 'search unallocated' option, EnCase will search for these images without referring to the file system of the drive.

But what exactly is it looking for? Take for example a simple JPEG image. This will always begin with an identifying header 'FFD8FFE0' and trailer 'FFD9'. By locating these hex values, EnCase can retrieve deleted images and, by searching within unallocated space, this even includes images within corrupted or reformatted drives.

Once processing has been completed, the recovered images can be viewed under the records menu (look at the Carver entries in the Evidence Processor and the images will be in the unallocated clusters folder). All images can be sorted by name and size etc. (although not by date as this information is not preserved outside of a file table). Once you have recovered all the images you need, you can select them and save them in one or more folders using the 'bookmark' function. These folders can then be added to an examination report for use in your case.

The above process uses EnCase 7.10 and the steps may vary in other versions of the program.

Although the search function in EnCase can be time-consuming, it does have specific advantages that can make a huge difference in a case.

All digital forensics tools have the ability to hunt for keywords within files but many use a physical keyword search mechanism which can miss important keywords, especially those which have been deliberately hidden.

EnCase uses what is termed 'logical raw keyword searches' and this differs from physical keyword search programs in a couple of very important ways. Physical search programs will use the drive's file system to identify discrete files and search within them for the keywords of interest. However, this depends on the keyword actually being contained within a discrete file or files in the first place.

Consequently, this method will miss any keywords which have been split between files or that are stored in metadata fields or non-contiguous blocks on the disk (i.e. blocks that are not next to one another). Storing keywords in this way is a tactic used by some sophisticated criminals who want to communicate in code with colleagues. This is similar to certain code systems which use patterns to hide meaningful messages within apparently random text.
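
The header/trailer carving described in the JPEG passage, as an added Python example (not EnCase's implementation and not code from the article): it scans a raw byte buffer for the quoted header 'FFD8FFE0' and trailer 'FFD9' without consulting any file system. The function names, the size cap and the sample buffer are assumptions constructed for illustration.

```python
import hashlib

JPEG_HEADER = bytes.fromhex("FFD8FFE0")   # header value quoted in the article
JPEG_TRAILER = bytes.fromhex("FFD9")      # trailer value quoted in the article


def carve_jpegs(raw, max_size=20 * 1024 * 1024):
    """Return (offset, data) for each header..trailer run found in raw bytes.

    Assumes each file is stored contiguously; a fragmented file will carve
    as a truncated or corrupt image. max_size is a hypothetical cap that
    stops a stray header from swallowing the rest of the buffer.
    """
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_HEADER, pos)
        if start == -1:
            break
        # Look for the trailer only inside a bounded window after the header.
        end = raw.find(JPEG_TRAILER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header with no trailer in range: overwritten tail or fragment.
            pos = start + 1
            continue
        end += len(JPEG_TRAILER)
        found.append((start, raw[start:end]))
        pos = end
    return found


def build_sample_image():
    """Constructed stand-in for unallocated space (not real evidence)."""
    fake_jpeg_1 = JPEG_HEADER + b"\x00\x10JFIF\x00" + b"A" * 40 + JPEG_TRAILER
    fake_jpeg_2 = JPEG_HEADER + b"\x00\x10JFIF\x00" + b"B" * 25 + JPEG_TRAILER
    orphan_header = JPEG_HEADER + b"C" * 30          # tail was overwritten
    return (b"\x00" * 512 + fake_jpeg_1 + b"\x11" * 300
            + fake_jpeg_2 + b"\x22" * 100 + orphan_header)


if __name__ == "__main__":
    for offset, data in carve_jpegs(build_sample_image()):
        digest = hashlib.sha256(data).hexdigest()
        print(f"offset={offset} length={len(data)} sha256={digest}")
```

Hashing each carved run gives a stable identifier for bookmarking and reporting, since carved data has no file name or timestamps of its own.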