
EnCase is the shared technology within a suite of digital investigations products by Guidance Software (acquired by OpenText in 2017). The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information. The company also offers EnCase training and certification. Data recovered by EnCase has been used in various court systems, such as in the cases of the BTK Killer and the murder of Danielle van Dam. Additional EnCase forensic work was documented in other cases such as the evidence provided for the Casey Anthony, Unabomber, and Mucko (Wakefield Massacre) cases.


Company and Product Overview

Guidance Software and the EnCase forensic tool were originally created by Shawn H. McCreight. In 2002, EnCase Enterprise was released, allowing the first network-enabled digital forensic tool to be used in forensic, investigative, and security matters. In 2005, EnCase eDiscovery was released, which further extended the network abilities of EnCase to allow identification, collection, preservation, and analysis of ESI for litigation and investigative purposes. In 2007, EnCase AIRS (Automated Incident Response Suite) was released (now discontinued and evolved into EnCase Endpoint Security) to automate the scanning, documenting, and remediation abilities of EnCase Enterprise. Also in 2007, EnCase Information Assurance, EnCase Data Audit and Policy Enforcement (both also effectively integrated into EnCase Endpoint Security) were released. In 2008, EnCase Cybersecurity was released, which combined many of the tools and automation from previous security functions and streamlined the incident response workflow. In 2015, EnCase Endpoint Security was released, which was the evolution of Endpoint Security into a more user-friendly web interface, with further integration with many other security tools to shorten the response time to an attack or event. In 2016, EnCase Enterprise was redesigned into EnCase Endpoint Investigator, and the distributed agent (formerly referred to as the servlet) was given more abilities. Also in 2016, EnCase Risk Manager was released for data risk assessment, audit, DLP-like services, and compliance. In 2017, Guidance Software was acquired by OpenText, and the company name "Guidance Software" is no longer used.


EnCase Product Line

EnCase technology is available within a number of products, currently including EnCase Forensic, EnCase Endpoint Investigator, EnCase eDiscovery (which includes EnCase Legal Hold), EnCase Endpoint Security and EnCase Portable. Guidance Software also runs training courses, from Foundations in Computer Forensics to several expert series courses, including an EnScripting course on automating various functions within EnCase. Certification is also offered to train toward and prove knowledge in various fields, including EnCE (EnCase Certified Examiner), EnCEP (EnCase Certified eDiscovery Practitioner), and CFSR (Certified Forensic Security Responder). The EnCase training team has trained over 100,000 individuals to date.


Features

EnCase contains tools for several areas of the digital forensic process: acquisition, analysis and reporting. The software also includes a scripting facility called EnScript, with various APIs for interacting with evidence.


Expert Witness File Format

EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary Expert Witness File format; the compressible file format is prefixed with case data information and consists of a bit-by-bit (i.e. exact) copy of the media interspersed with CRC hashes for every 64 sectors of data (by default). The file format also appends an MD5 hash of the entire drive as a footer. The E01 file format was reverse engineered and specifications can be found
here
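The integrity scheme described above (case data prefix, a checksum after every 64 sectors, an MD5 footer) can be modelled in a few lines. The following is an added example, not part of the original article and not the real E01 on-disk layout: the container format, the function names, the 512-byte sector size and the use of `zlib.crc32` as the per-block checksum are all assumptions made for illustration.

```python
import hashlib
import struct
import zlib

SECTOR_SIZE = 512            # assumption: 512-byte sectors
SECTORS_PER_BLOCK = 64       # default block granularity stated in the text
BLOCK_SIZE = SECTOR_SIZE * SECTORS_PER_BLOCK

def build_image(media: bytes, case_info: bytes) -> bytes:
    """Toy container: case data, media length, (block + CRC-32)*, MD5 footer."""
    out = bytearray(struct.pack("<I", len(case_info)) + case_info)
    out += struct.pack("<Q", len(media))
    for off in range(0, len(media), BLOCK_SIZE):
        block = media[off:off + BLOCK_SIZE]
        out += block + struct.pack("<I", zlib.crc32(block))
    out += hashlib.md5(media).digest()      # hash of the entire media
    return bytes(out)

def verify_image(image: bytes):
    """Return (case_info, indexes of blocks whose checksum fails, md5_ok)."""
    (info_len,) = struct.unpack_from("<I", image, 0)
    pos = 4
    case_info = image[pos:pos + info_len]
    pos += info_len
    (remaining,) = struct.unpack_from("<Q", image, pos)
    pos += 8
    md5, bad, index = hashlib.md5(), [], 0
    while remaining > 0:
        n = min(BLOCK_SIZE, remaining)      # the last block may be short
        block = image[pos:pos + n]
        (stored,) = struct.unpack_from("<I", image, pos + n)
        if zlib.crc32(block) != stored:
            bad.append(index)               # localises damage to one block
        md5.update(block)
        pos, remaining, index = pos + n + 4, remaining - n, index + 1
    footer = image[pos:pos + 16]
    if len(footer) != 16:
        raise ValueError("truncated image: MD5 footer missing")
    return case_info, bad, md5.digest() == footer

if __name__ == "__main__":
    media = bytes(range(256)) * 300         # constructed sample "drive"
    image = bytearray(build_image(media, b"case=constructed-001"))
    print(verify_image(bytes(image)))
    image[4 + 20 + 8 + (BLOCK_SIZE + 4) + 10] ^= 0xFF   # corrupt block 1
    print(verify_image(bytes(image)))
```

The per-block checksums identify which 64-sector region changed, while the footer hash answers the single question of whether the image as a whole still matches the acquired media.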


Mobile forensics

As of EnCase V7, mobile phone analysis is possible with the addition of some add-ons available from Guidance Software.

