Forensic Tools: EnCase Forensic

EnCase Forensic is owned and produced by Guidance Software Inc, and is probably the most widely known and widely used computer forensics tool. It performs a variety of forensic functions, from imaging and preservation, to keyword searching and basic data recovery, to analysis of a hard drive at the byte level.

EnCase Forensic

As Guidance have started to produce more and more tools, e.g. EnCase Enterprise, EnCase Data Audit & Policy Enforcement and EnCase E-Discovery, it needed a way to identify the stand-alone forensics tool. However, as EnCase Forensic is Guidance’s first tool, and still by far their biggest seller, with the vast majority of police forces and corporates around the world using it, it is more often than not simply referred to as “EnCase”.

EnCase is often referred to as the “de facto” tool for forensic analysis. While it is good, it is only one tool, with as many failings as successes.

EnCase, which is now on version 6, has come a long way from its early roots, and there have been many problems with it along the way. In EnCase 4.18 there was a flaw in the keyword searching, which did not return all of the results. Other EnCase 4 versions had other bugs and problems, often found within half a day of release, causing versions such as 4.21b to be released within hours of 4.21. This can only be put down to a lack of testing and a poor development cycle, or, as many users commented, “the customers were the beta testers of EnCase 4”.

EnCase 5 was launched and was a big improvement on EnCase 4: lots of new features, easier handling of multiple drives and cases, etc. However, there were still bugs and problems. As Guidance became bigger and more “corporate” (but also less friendly), there was less of a feeling that the customers were the beta testers.

All of the versions of EnCase, up to and including version 5, could not handle emails effectively (if at all), whereas tools such as DTSearch and FTK had been able to for many years, and had the critical indexing capability that EnCase still lacked. How can anyone investigate a case without looking at emails?

In December 2006 EnCase 6 was launched without warning, unlike the build-up to EnCase 5.

When EnCase 6 arrived at your door it promised to be everything you ever wanted in a computer forensics tool: it could handle emails, index, and allow you to do the nitty-gritty of detailed technical investigations.

This was, of course, not true. The indexing did not work, and its ability to handle emails was not much better, constantly crashing. Once again, EnCase 6 was a beta tool.

If you were dealing with a single user's hard drive, with a single DBX or PST file, then it could probably (just) handle the investigation. However, if, like many professionals, you were handling multiple users/custodians and high volumes of email, with tens or hundreds of PST files and hundreds of thousands of messages, EnCase simply could not cope. So tools like FTK, Wave and DTSearch remained, for many, the primary workhorses for handling emails and indexing files.

Now, in mid 2008, on version 6.10, EnCase is starting to do what it said it would. It is still too early to trust its indexing capability, but no doubt it will be great in 2009/2010, and it is starting to handle emails much better. It still cannot de-dupe emails effectively, but then neither can DTSearch or FTK; that requires a more specialist tool such as Wave, or a full-on ED processing tool.

When EnCase 7 comes out, it should be very interesting to see what it does.

