SecureArtisan

My Road to Digital Forensics Excellence

Evidence Verification as a Benchmark

Posted by Paul Bobby on March 11, 2009

Now that I have my 60gig Wikipedia evidence set completed, why not take it for a spin.  I chose a basic EnCase operation, Verify File Integrity, as my first benchmark.

As a reminder, verification runs automatically when you add evidence to a case that has not yet verified it. The check re-reads the evidence file, recomputes the per-block checksums and the acquisition hash stored in it, and reports any mismatch; this is what lets the examiner show that the image is unchanged since acquisition. The examiner can also start a manual verification by right-clicking the evidence file in the Tree Pane and selecting Verify File Integrity.

The file verification function creates a Log Record under Bookmarks, as shown in this screenshot:

[Screenshot: Evidence Verification log record]

The verification processes took 155, 155 and 152 seconds respectively in this example.

Before I start benchmarking EnCase and my examination environment, I need to establish the baseline of my system configuration.

Run msinfo32.exe and record some basic information. For example:

OS Name                          Microsoft® Windows Vista™ Ultimate
Version                          6.0.6001 Service Pack 1 Build 6001
System Manufacturer              Dell Inc.
System Model                     Precision WorkStation T7400
System Type                      x64-based PC
Processor                        Intel(R) Xeon(R) CPU X5472 @ 3.00GHz, 2992 MHz, 4 Core(s), 4 Logical Processor(s)
BIOS Version/Date                Dell Inc. A04, 8/21/2008
SMBIOS Version                   2.5
Hardware Abstraction Layer       Version = "6.0.6001.18000"
Time Zone                        Eastern Standard Time
Installed Physical Memory (RAM)  16.0 GB
Total Physical Memory            4.00 GB
Available Physical Memory        13.5 GB
Total Virtual Memory             32.1 GB
Available Virtual Memory         29.9 GB
Page File Space                  16.3 GB
Page File                        C:\pagefile.sys

Patch day? Not sure how to reconcile that yet. Any suggestions?

My workstation hard drive configuration comprises the following:

  1. 80 GB drive for the OS and the pagefile (10k rpm SATA) (OS Drive)
  2. Two 500 GB drives (7200 rpm) in RAID 0 (Investigation Drive)
  3. 80 GB drive for EnCase and other applications (EnCase Drive)

My EnCase configuration is as follows:

a. Version: 6.13.0.43
b. Platform: AMD64
c. Build: EPBLD00000C22 02/20/09 12:23:53PM
d. System Cache
      i. Controlled by EnCase
      ii. Minimum 1, Maximum 13104
e. Configuration
      i. Autosave turned off (0 minutes)
      ii. ParseCache folder on the EnCase drive
f. New cases
      i. Investigation Drive\Test#
      ii. Investigation Drive\Test#\Export
      iii. Investigation Drive\Test#\Temp
      iv. Investigation Drive\Test#\Index

General test considerations:

  1. Have no other applications running
  2. Turn off on-access antivirus scanning
  3. Ensure that patching or other taskbar activities are not running in the background
  4. Turn off your screen saver

Evidence Verification

  1. Create the test case
  2. Copy the evidence to the "Investigation Drive\Test#" folder
  3. Cancel the automatic verification process
  4. Right-click the evidence file in the Tree Pane and select Verify File Integrity
  5. Do not use the computer while it runs
  6. Once verification has completed, note the number of seconds in the Log Record under Bookmarks

For the above hardware configuration, I loaded Wikipedia-Part1.E0*, and the verification process took 155 seconds.

Possibilities?

This is a great opportunity to test different hardware configurations: ReadyBoost, RAID 0 versus a single hard drive, evidence stored on a network share, more RAM.

One test I conducted was to reacquire the evidence. The evidence was acquired using 64k for the block size. Per this post in the Guidance Software forums, Nik indicates that EnCase caches the block of data in the EV file; I guess that means it caches 64k at a time. With the large memory possible on 64-bit machines (and with my 16 GB of RAM), I will test different block sizes and see whether they have an impact on verification.
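The following is an added example, not code from this post or from Guidance Software. It models what Verify File Integrity checks (a checksum per block of acquired data plus an MD5 of the whole image, which is what the EWF evidence file stores) and wraps it in the two experiments discussed above: a single flipped bit must fail verification and be localised to its block, and the same image can be timed at several block sizes. The per-block checksum is Adler-32, the algorithm behind the field the EWF format labels "CRC"; the image is constructed sample data held in memory, so the timings isolate hashing cost and leave out the disk and RAID effects the post is benchmarking. `randbytes` needs Python 3.9 or later.

```python
"""Model of EnCase-style evidence verification, for timing experiments.

An evidence file stores a checksum for every block of acquired data plus
an MD5 of the whole image; Verify File Integrity re-reads the image,
recomputes both and compares them with the stored values.  This script
reproduces that check over an in-memory image so the effect of block
size on verification time can be measured without real evidence.

Added example; not code from the original post or from Guidance Software.
The per-block checksum is Adler-32 (what the EWF "CRC" field holds); the
image itself is constructed sample data.
"""
import hashlib
import random
import time
import zlib


def make_image(size_bytes, seed=1):
    """Constructed sample data standing in for an acquired disk image."""
    return random.Random(seed).randbytes(size_bytes)


def acquire(image, block_size):
    """Model acquisition: record image size, per-block checksums and MD5.

    These values are computed once, at acquisition, and written into the
    evidence file; every later verification is measured against them.
    """
    checksums = [zlib.adler32(image[i:i + block_size])
                 for i in range(0, len(image), block_size)]
    return {"block_size": block_size, "size": len(image),
            "checksums": checksums, "md5": hashlib.md5(image).hexdigest()}


def verify(image, record):
    """Re-read the image block by block, recomputing every stored value.

    Returns a dict: ok (everything matched), size_ok, md5_ok, bad_blocks
    (indices whose checksum differs) and seconds (wall-clock time taken).
    Mismatches are collected rather than aborting on the first one, since
    the examiner needs to know how much of the image is affected.
    """
    bs = record["block_size"]
    t0 = time.perf_counter()
    md5 = hashlib.md5()
    bad_blocks = []
    for n, offset in enumerate(range(0, len(image), bs)):
        block = image[offset:offset + bs]
        md5.update(block)
        if n >= len(record["checksums"]) or zlib.adler32(block) != record["checksums"][n]:
            bad_blocks.append(n)
    size_ok = len(image) == record["size"]
    md5_ok = md5.hexdigest() == record["md5"]
    return {"ok": size_ok and md5_ok and not bad_blocks,
            "size_ok": size_ok, "md5_ok": md5_ok,
            "bad_blocks": bad_blocks,
            "seconds": time.perf_counter() - t0}


def tamper(image, offset):
    """Flip one bit at `offset`: the smallest change verification must catch."""
    return image[:offset] + bytes([image[offset] ^ 0x01]) + image[offset + 1:]


def benchmark(image, block_sizes):
    """Time verification of the same image at each block size."""
    return {bs: verify(image, acquire(image, bs))["seconds"] for bs in block_sizes}


if __name__ == "__main__":
    img = make_image(8 * 1024 * 1024)        # 8 MiB sample image
    rec = acquire(img, 64 * 1024)            # 64 KiB blocks, as in the post
    print("clean image verifies:", verify(img, rec)["ok"])
    hit = verify(tamper(img, 70000), rec)
    print("tampered image verifies:", hit["ok"], "bad blocks:", hit["bad_blocks"])
    for bs, secs in benchmark(img, [4096, 32768, 65536, 1 << 20]).items():
        print(f"block size {bs:>8}: {secs:.4f} s")
```

Because the sample image lives in memory, the block-size loop shows only how much the hashing overhead changes with block size; to reproduce the post's experiment against the Investigation Drive, replace `make_image` with reading the evidence file from disk and keep everything else the same.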
