EnCase Forensic 6: Review

EnCase Forensic, produced by Guidance, is currently on version 6.11 (at the time of publishing). Version 6 was first released in late 2006.

Version 6 has attempted to gain market share in the areas EnCase 5.x could not handle previously – namely email handling and indexing.

Guidance have done this by adding Stellent at the backend, to try and handle compound files and indexing better. Stellent is used by many other tools, not least of which is FTK – the arch rival of Guidance.

The first versions of EnCase Forensic 6.x simply did not do what it said on the tin. Attempting to use the indexing feature was utterly futile, cases crashed, time was wasted and anyone who paid for the upgrade to EnCase 6.0 no doubt felt cheated, again. To be fair, the launch of EnCase 6.0 was better than the appalling launch of FTK 2.0 (it could hardly be worse). But even EnCase 6.11 still does not have the simplicity of use that FTK 1.x has (in relation to indexing emails).

But, Guidance are nothing if not consistent. Regular users of Guidance Software know that the first few versions of EnCase are never going to be stable, they will have bugs and flaws in them, which we, the customers, are the beta testers for.

By EnCase 6.10 the product had started to become far more stable; emails could be expanded and searched – though not through indexing (I would leave this to EnCase Version 7).

The scripts and case processor are effective and easy to work with, but the registry viewer is still poor compared to “Registry Viewer” by AccessData, which came as standard with FTK 1.0.

The disk view, transcript view, record view, search hit view, bookmarks view, entries view, etc., are all individually well presented; however, the huge array of views can be confusing.

Overall EnCase 6.x is better than EnCase 5.x, though it isn’t as good as the marketing says it is.


