Nowhere To Hide

EnCase unearths hidden data

At the end of the movie Deliverance, the three main characters return from a hellish camping trip, having killed one of their tormentors and thrown his body in a river. The last camera shot is a look at the placid river, which is broken by the sudden emergence of the dead man’s hand. One of the campers awakes in terror. Guidance Software’s EnCase Version 3 ($2,495; www.en is that kind of wake-up call for businesses.

EnCase is a computer forensics application that can read an entire drive sector by sector no matter where information is stored. You can even search a disk by keywords. When we tested EnCase, the only way to prevent the application from getting nearly all the information from files that had been overwritten with a shredding utility was to first shred the files, then run another utility to overwrite all unused space on the drive.

The software lets you get to a drive and create an unchangeable image file without changing a single byte on the machine it images. EnCase makes a bootable floppy disk for use on another machine, using different system boot files that point back to the floppy disk, so that small changes made to the hard drive of the machine being booted aren’t made there.

EnCase is copy-protected through the use of a dongle that plugs into the USB or parallel port (you can pass your printer cable through the parallel version so it won’t interfere with printing). The examiner’s software can be used on only one machine at a time, but the software license travels with the dongle, so you can move it to any machine you want. EnCase can acquire and read images from Windows, Windows NT, Linux, Unix, Mac, and other operating systems. It also reads floppy disk, Zip, Jaz, MO, IDE, and SCSI drives. At $2,495, EnCase sounds expensive until you learn the wealth of information the software can unearth.

Leave a Reply

Your email address will not be published. Required fields are marked *