EnCase Forensic v7 Packs More Forensic Punch
You not only get EnCase Forensic but also the functionality of the v6 modules. There will no longer be any charge for these capabilities. EnCase Forensic v7 will include the capabilities of the following modules:
- EnCase Decryption Suite (EDS)
- Physical Disk Emulator (PDE)
- Virtual File System (VFS)
- FastBloc SE
In addition, there is added ability to acquire from Smartphones and Tablets to EnCase Forensic v7 at no additional charge.
Operating System and File System Support
Two major attributes that make EnCase® software unique are the breadth of operating systems and file
systems supported. For each operating system that exists there are a number of different file systems
which the host operating system could utilize. The operating system and file system are separate but do
have a deep relationship on how information is stored and how the host operating system operates with
the file system. The ability to deeply analyze a broad range of operating system and file system artifacts is
a critical component of enterprise investigations. EnCase software has the ability to interpret all of the file
systems, over the network, for which a Servlet has been developed (currently Windows, Linux, Solaris,
AIX and OSX operating systems; support for additional file systems is on the way). In addition, EnCase
software can also interpret a number of file systems for which there is currently no Servlet developed.
- Operating system Support: Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and
above, Solaris 8/9 both 32 & 64 bit, AIX, OSX.
- File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser
(Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD,
NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and
TiVo® 1 and TiVo 2 file systems.
- EnCase software uniquely supports the imaging and analysis of RAID arrays, including hardware
and software RAIDs. Forensic analysis of RAID sets is nearly impossible outside of the EnCase
- Dynamic Disk Support for Windows 2000/XP/2003 Server.
- Ability to preview and acquire select Palm devices.
- Ability to interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image
The EnCase® acquisition process begins with the creation of a complete, physical bitstream image of a
subject drive or drives in a completely noninvasive manner. The EnCase evidence file is an exact
duplicate of the data as it existed during the time of acquisition. Throughout the acquisition process, the
bitstream image is continually verified by Cyclical Redundancy Checksum (CRC) blocks, which are
calculated concurrent to the acquisition. At the completion of the acquisition process, a second validation
check, called a Message Digest 5 (MD5) hash, is performed over the entire data set acquired, and it is
embedded as part of the evidence file for validation of the acquired media.
- Acquisition Granularity: Examiners have more control over the way hard drive data is acquired.
- Errors: Historically, when a read error is found on a hard disk, the entire block of data
containing the read error is zeroed out. With EnCase Forensic, you have the flexibility to
specify the number of sectors that get zeroed when an error is found.
- Acquisition Blocks: Examiners can define the amount of data to acquire during an
acquisition operation, ensuring the fastest acquisition rates possible.
- Acquisition Restart: Examiners can continue a Windows-based acquisition from its point of
interruption, and not have to reacquire the entire device from the beginning.
- Logical Evidence Files: These let you selectively choose exactly which files or folders you want
to preserve, instead of acquiring the entire drive. Unlike copying files from a device and altering
critical metadata, logical evidence preserves the original files as they existed on the media and
include a wealth of additional information such as file name, file extension, last accessed, file
created, last written, entry modified, logical size, physical size, MD5 hash value, permissions,
starting extent and original path of the file.
EnCase LinEn Utility: The LinEn utility is a Linux version of the industry-standard DOS-based EnCase
acquisition tool. While it performs the same basic function as the DOS version, it overcomes a number of
Linux limitations, such as non-Windows operating systems, extremely large hard drives and acquisition
EnCase Evidence File (Preservation)
The EnCase® Evidence File is a proprietary file created by EnCase to compress and preserve bitstream
images of acquired media. The EnCase Evidence File is widely known throughout the law enforcement
and computer security industries. It has been accepted by courts to the federal appellate level and around
the world. For court decisions related to EnCase software, please visit the Legal Resources page.
START HERE Powerful Analytical Functionality
The ability to analyze and search large amounts of data quickly and easily is a critical capability of any
incident response, computer investigation or analysis tool. EnCase software offers the most advanced,
comprehensive and easy-to-use tool to carry out these complicated and time-consuming tasks, across
multiple file systems and languages.
Automated Analysis: SweepCase lets examiners automatically choose the types of analysis they want to
perform on a set of media instead of having to initiate each tool separately.
Multiple Sorting Fields: Examiners can sort files according to 30 different fields, including all four time
stamps (File Created, Last Accessed, Last Written and Entry Modified), file names, file signatures and
extensions, hash value, full path, permissions.
Filters and Filter Conditions: Filters let the examiner reduce the amount of information displayed, based
on user-specified criteria. More than 150 filters are provided with EnCase software, ranging from deleted
files to password-protected Word documents.
Queries: Examiners can combine filters to create complex queries using simple "OR" or "AND" logic.
View "Deleted" Files and Other Unallocated Data in Context: EnCase offers a Windows-Explorertype
view of deleted and unallocated data. This includes file slack, swap files, print spooler data and all
other unallocated data files.
International Language Support: EnCase supports Unicode data decoding and can search and display
any language that Unicode supports. This allows examiners to search and view data in its native format
such as German, Arabic or Kanji.
Encrypted Volumes and Hard Drive Encryption: EnCase can analyze and acquire mounted encrypted
volumes, such as PGP and DriveCrypt, and give examiners full access to data on hard drives that are
wrapped with encryption technology, such as SafeBoot.
Link File Examination: This automated process reads all forms of link (.lnk) files — both allocated and
unallocated — and decodes the results for quick and easy analysis. Being able to quickly discover and
interpret link files gives the examiner valuable information, such as learning that a suspect is transporting
company data onto a thumb drive or external media, or what files, applications and shares the suspect
Active Directory Information Extractor: The Active Directory Information Extractor forensically
analyzes the Active Directory database (NTDS.DIT) and extracts the username, SID, home directory,
email address, last login, last failed login and next password change.
Hardware Analysis: Automatically culls through the registry and configuration files to quickly identify
the types of hardware installed on a target machine, including NIC cards, FireWire devices, thumb drives,
IDE devices and other hardware information.
Recover Folders: Automatically rebuilds the structure of formatted NTFS and FAT volumes.
Log and Event File Analysis: EnCase provides a single means by which to analyze, search and
document log and event file data.
Symbolic Link Analysis: EnCase gives access to and analysis of symbolic link information to simplify
analysis of UNIX-based file systems.
Compound Document and File Analysis: Many files — such as Microsoft Office documents, Outlook
PSTs, TAR, GZ, thumbs.db and ZIP files — store internal files and metadata that contain valuable
information once exposed. EnCase automatically displays these internal files, file structures, data and
metadata. Once these files have been virtually mounted within EnCase, they can be searched, documented
and extracted in a number of different ways.
File Signature Analysis: EnCase can automatically verify the signature of every file it searches and
identify those modified extensions.
Hash Analysis: EnCase can automatically create hash values for all of the files in a case.
Built-in Registry Viewer: The integrated registry viewer organizes the registry data file into folders,
giving examiners an expedient and efficient way to view the Windows registry and determine values.
The powerful EnCase® search engine can locate information anywhere on physical or logical media.
Proximity Search: This feature searches through all files in a case for a specific keyword and returns the
responsive documents with the keyword and a specified number of bytes surrounding it. This is a critical
function when trying to add context around the information you are searching for.
Internet and Email Search: This feature will find, parse, analyze and display various types of Internet
and email artifacts across machines. The Internet and email search finds mail formats (such as Hotmail,
Outlook, Lotus Notes, Yahoo, AOL, Netscape, mbox and Outlook Express) and Internet artifacts from
Internet Explorer, Mozilla, Opera and Safari.
Search Options: In addition to the standard search feature, EnCase software offers a number of options
that can be used to search through data:
- Case Sensitive: The keyword will be searched for, but only in the exact case specified in the text
- GREP: The keyword is a regular expression to search, using the Global Regular Expressions Post
(GREP) advanced searching syntax.
- RTL Reading: This will search for the keyword in a right-to-left sequence for international
- Active Code Page: This lets you enter keywords in many different languages.
- Big Endian/Little Endian Unicode/UTF-8/UTF-7: EnCase software allows examiners to search
using multiple Unicode standards as opposed to ASCII. This enables investigators to search for
keywords with international language characters.
Logical File Recognition: Files often span noncontiguous clusters and EnCase software can search all
such allocated files. Without EnCase software, if you search Windows text files using a forensic utility
that cannot logically search across data clusters, you'll often miss search hits or receive inaccurate search
Documentation and Reporting
EnCase® Enterprise lets users define with detailed granularity what information is presented and how it is
presented, depending on the purpose and target audience of the investigation. Almost all information
revealed by EnCase software can be exported into various file formats for external reporting and analysis
Automatic Reports: Since the requirement to generate reports is so critical, EnCase has a number of
automatically generated reports that can be created. These automated reports show a wealth of
information depending on the type being generated. Here are some examples:
- Listing of all files and folders in a case
- Detailed listing of all URLs and corresponding dates and times that websites were visited
- Document incident report that helps create the required documentation relevant during the
incident response process
- Detailed hard drive information about physical and logical partitions
Bookmarks: These are the individual components that drive the information contained in the EnCase
report. During analysis, an examiner can use bookmarks in various ways to identify and document
specific clues. There are seven different types of bookmarks:
- Highlighted Data: Created when highlighting specific text
- Notes: Allows the user to write additional comments into the report
- Folder Information: Used to bookmark the tree structure of a folder or device information of
- Notable File: A file documented by itself
- File Group: Indicates that the bookmark was made as part of a group of selected files
- Log Record: Contains the results of log parsing activity
- Registry: Contains the results of Windows registry parsing activity
Instant Decoding of Nontext Data: Within the reporting section of EnCase, an examiner may "decode"
nontext data, so it can be presented in a more recognizable format.
Integrated Picture Viewer with Gallery View: A fully integrated picture viewer automatically locates
and displays many known graphical image types, including Microsoft thumbs.db files.
Timeline: This integrated viewer allows an examiner to see all relevant time attributes of all the files in
the case (or selected group of files) in a powerful graphical environment.
Intellitype: A quick way for an examiner to jump to files of relevance, instead of having to sort by a
particular file attribute and scroll through the data.
Time Zone Settings: Examiners can set the time zone for each piece of media in a case, enabling simple
comparison of media from different time zones.
Built-in Help: Quick and easy access to relevant information in the user manual, with topics pertaining to
almost every feature of the software. The user manual is a wealth of rich product-related information that
can help even the most senior examiners.
Internet and Email investigation
Two of the most critical areas of any investigation typically involve the analysis of artifacts related to the
Internet and email. EnCase® software has a number of powerful features that facilitate efficient
examinations, including recognition of the various files typically associated with Internet and email
- Analysis: EnCase software has the ability to find, parse, analyze, display and document various
types of email formats, including Outlook PSTs/OSTs ('97-'03), Outlook® Express DBXs, Lotus
Notes NFS, webmail such as Hotmail, Netscape and Yahoo; UNIX mbox files like those used by
Mac OS X; Netscape; Firefox; UNIX email applications; and AOL 6, 7, 8, 9. In some cases,
EnCase can recover deleted files and depending on the email format, the status of the machine.
- Presentation: Email analysis results are placed in a common EnCase format — which is
easy to navigate to — where examiners can find information necessary to support the
most complex investigations.
- Browser History Analysis: EnCase has powerful and selective search capabilities for Internet
artifacts that can be done by device, browser type or user. EnCase can automatically parse,
analyze and display various types of Internet and Windows history artifacts logged when websites
or file directories are accessed through supported browsers, including Internet Explorer, Mozilla,
Opera and Safari.
- Internet artifact search: The Internet history keyword search searches out all Internet
Explorer history information (in allocated space) and writes it out in HTML format,
allowing the examiner to quickly and easily investigate the same sites that the subject
- WEB cache analysis: Most browsers automatically save a copy of each Web page that is
viewed, including the pictures, text and multimedia elements. EnCase software can find,
parse, analyze, display and document this information.
- HTML carver: The HTML carver is a powerful search and export function that looks for
HTML files independent of the browser or Internet-enabled application and allows the
examiner to search those files by keyword or other criteria.
- HTML page reconstruction: EnCase software can render HTML Web pages from
within the Examiner for easy viewing and quick analysis.
- Kazaa toolkit: Searches through a case looking for various Kazaa artifacts.
- Instant Messenger toolkit: Searches through a case looking for various Instant
- Presentation: As with email, Internet history information is placed in a common
interface — which is easy to navigate to — where examiners can quickly find
information necessary to support the investigation
EnScript® Searching Tools
Many of the powerful automated features and toolsets in EnCase are driven by the EnScript technology.
The powerful EnScript programming language follows standards consistent with C++ and Java. It enables
the automation of complex repetitive operations and enables communication with external systems, such
as intrusion detection systems and Windows systems through WMI. EnScript programming allows an
investigator to build custom-designed scripts for specific investigative needs and can save investigators
days or weeks of analysis time by automating almost any investigative task. They can also be compiled
and shared with other investigators in the larger community and with teammates.