A couple of months ago, one of my clients, an Investigating Officer from a Law Enforcement Agency, had requested me to extract some of the files from an image copy of a hard disk. The total number of files to be copied was 1,030. Sounds easy right? This job of a few clicks turned out to be a nightmare when I found out that I was short of 2 files in my destination folder. I had selected 1,030 files to be copied, but at the end, only 1,028 files were being copied. More surprisingly, I received output from the EnCase Copy operation; ‘Status: Completed’. But where did the other 2 files go? Why had EnCase produced ‘Status: Completed’, when actually, 2 files were missing? Referring back to the image copy, I found out that most of the files had the same filename as each other.

It is very common for an analyst to face evidence files which have the same filename. This circumstance exists when:

1. There are 2 files with same name, but they are put in different folders.
2. There are 2 files with same name, but with different MAC times.

A procedure to be followed before analyzing a case is to recover all files and folders. When you use recover options, the deleted files will be recovered, and sometimes these deleted files have the same file name as the existing files, but with different MAC times.

But is it possible that EnCase can fail to copy all the files under these circumstances? For those readers who are new to EnCase, you may ask, why do you need to copy the evidence file in the first place? Let me try to put it simply, in computer forensic methodology, after the analysis phase, we will present the findings to our clients. So usually what we do is to copy out the evidence files using EnCase so that our clients can access the files in their workstation, without looking at the whole hard disk image. So the real question now is how sure are you that the selected files are properly copied to your designated folder? Is it sufficient to rely on the EnCase notification window after the EnCase copying process has been executed?

INTRODUCTION

EnCase basically provide two functions to copy files;

1. COPY/UNERASE function - allows analyst to copy files from different folders into one designated folder
2. COPY FOLDER function - allows all files and all subfolders to be copied into one designated folder

With every action taken in EnCase, a notification window (Figure 2) will pop up to inform analyst about his/her action. Since this article will be describing about some “misbehavior” of the copying function in EnCase when copying files with the same file name, I will first show you how they normally operates under a normal evidence condition.

For the experiments that I have conducted, I have used EnCase version 6.11.2.2/ 6.15.0.82 running on windows XP SP3/windows 7 home premium platform.

COPY/UNERASE FUNCTION

For the COPY/UNERASE function, first tick on the files, right click and choose the COPY/UNERASE function from the menu. (Figure 1). After it is completed, a notification window will pop up to show the total numbers of files that have been copied, copying time, size and its status (Figure 2).

Figure 1: Copy/Unerase Function

Figure 2: EnCase Notification window

For this experiment, I have created a folder “test1” as my copy destination, and with COPY/UNERASE function, 6 files were being copied into test1 folder. Notice that although each file has the same name originally, numbers will be added behind each file after they were copied. (Figure 3)

Figure 3: All files were successfully copied in test1 folder

COPY FOLDER FUNCTION

In COPY FOLDER function, after selecting the files, instead of right clicking on the selected file itself, you have to go to the root folder (image entries) and right click on it. Select COPY FOLDER function from the menu and wahla! All files together with its folder structure are copied into the designated folder, in this case “test2” folder. (Figure 4 and 5)

Figure 4: COPY FOLDER function

Notice that unlike the COPY/UNERASE function; the name of the files will not be appended with numbers behind. This is because each file will be contained within their folder. The name of the file will change if more than one file with the same name is being copied to the same folder.

Figure 5 : All folder structure are being copied together with the selected file

Figure 6: Target file that contain within the folder structure