EnCase Forensic 6: Review

EnCase Forensic, produced by Guidance Software, is currently on version 6.11 (at the time of publishing). Version 6 was first released in late 2006.

Version 6 has attempted to gain market share in the areas EnCase 5.x could not handle previously – namely email handling and indexing.

Guidance have done this by adding Stellent at the backend, to try and handle compound files and indexing better. Stellent is used by many other tools, not least of which is FTK – the arch rival of Guidance.

The first versions of EnCase Forensic 6.x simply did not do what it said on the tin. Attempting to use the indexing feature was utterly futile: cases crashed, time was wasted, and anyone who paid for the upgrade to EnCase 6.0 no doubt felt cheated, again. To be fair, the launch of EnCase 6.0 was better than the appalling launch of FTK 2.0 (it could hardly be worse). But even EnCase 6.11 still does not have the simplicity of use that FTK 1.x has (in relation to indexing emails).

But Guidance are nothing if not consistent. Regular users of Guidance Software know that the first few versions of any EnCase release are never going to be stable; they will have bugs and flaws in them, for which we, the customers, are the beta testers.

By EnCase 6.10 the product had started to become far more stable, and emails could be expanded and searched – though not through indexing (I would leave this to EnCase Version 7).

The scripts and case processor are effective and easy to work with, but the registry viewer is still poor compared to “Registry Viewer” by Access Data, which came as standard with FTK 1.0.

The disk view, transcript view, record view, search hit view, bookmarks view, entries view, etc. are all individually well presented; however, the huge array of views can be confusing.

Overall, EnCase 6.x is better than EnCase 5.x, though it isn’t as good as the marketing says it is.

5 Responses to “EnCase Forensic 6: Review”

  1. What is File Slack? | ESI Says:

    […] is a video showing file slack, using EnCase 6.10. Encase is better at viewing this type of data than […]

  2. Forensics: Wiping a Drive « Data - Where is it? Says:

    […] is a video, taken with the popular computer forensics tool EnCase. This video shows what happens when a single wipe, not 2, not 8, or 32, or any of the other […]

  3. Forensics: What does “Entry Modified” mean in EnCase? « Data - Where is it? Says:

    […] What does “Entry Modified” mean in EnCase? Posted on April 10, 2009 by Rob EnCase can display a variety of dates, including created, written, and accessed, one date which often […]

  4. How do you get a job in computer forensics? « Data - Where is it? Says:

    […] forensic software, Helix, is a good start as is FTK Imager and DTSearch. Use trial versions of EnCase and FTK and anything else you can get hold […]

  5. Forensics: What is the MFT Mirror? « Data – Where is it? Says:

    […] (which some viruses have done in the past) then the MFT Mirror can be used to rebuild the MFT. EnCase, which is a forensic tool, rather than a data recovery tool, even has a function to allow for the […]
