Thanks for you answers and they all sound good and right to me.
I got those questions in my mind after reading an article in a magazine called “The Hacker Quaterly 2600″ (volume 24, # 4). The article is “Forensics Fear” (page 51) and it talks about a software that “looks and feel” like EnCase. The author said the software can change files but your answers tells me he was completely wrong on this point.

Thanks again for your answers.

Frank

Hi Frank, I’ll try to answer your questions in order.

I wouldn’t characterize EnCase as a rootkit per se as it doesn’t permit you to manipulate data or alter the target machine in any fashion. It provides write-blocked read-only access in order to maintain forensically sound methods.

Enstart.exe is the default name for the servlet portion of the EnCase Enterprise which gets installed on the target machine. As with any service yes, it can be renamed and/or hidden.

EnCase is limited to the operating systems that in can in fact analyze. However, there aren’t any consumer grade operating systems that are immune that I’m aware of. It will work with Windows, *nix (incl Mac) et cetera.

EnCase can perform either a logical or physical disc capture.

Now rootkits are in fact detectable. But I should say that this is an investigative tool as opposed to a proactive defense. So, I’m not sure if you are searching for an antivirus type capability. In the past I have managed to ferret out evidence pertaining to Adore, NTIllusion, Vanquish, FU Rootkit and Hacker Defender to name a few.

I hope this helps.

cheers,
Dave

Is it true to say that EnCase is running as a root kit on a workstation?
Is it true that the process “enstart.exe” may be hidden or renamed in the net start services list?
This forensic software runs underneath the OS?
EnCase is not OS-dependent?
Other rootkits installed on the same workstation will be detectable instantly?

Thanks for your answers.

Frank