EnCase Forensic

EnCase® Forensic, the industry-standard computer investigation solution, is for forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process. The proven, powerful, and trusted EnCase® Forensic solution lets examiners acquire data from a wide variety of devices, unearth potential evidence with disk-level forensic analysis, and craft comprehensive reports on their findings, all while maintaining the integrity of their evidence.

Features

The powerful and effective features of EnCase® Forensic have made it the trusted standard in corporate and criminal investigation. No other product offers the same degree of functionality, acceptance, and performance.

Acquire from Almost Anywhere
Acquire data from disk or RAM, documents, images, e-mail, webmail, Internet artifacts, Web history and cache, HTML page reconstruction, chat sessions, compressed files, backup files, encrypted files, RAIDs, workstations, servers, and, with Version 7, smartphones and tablets.
Forensically Sound Acquisition
EnCase® Forensic produces an exact binary duplicate of the original drive or media, then verifies it by generating MD5 hash values for related image files and assigning CRC values to the data. These checks and balances reveal when evidence has been tampered with or altered, helping to keep all digital evidence forensically sound for use in court proceedings or internal investigations.
Advanced Analysis
Recover files and partitions, detect deleted files by parsing event logs, and perform file signature analysis and hash analysis, even within compound files or unallocated disk space.
Improved Productivity
Examiners can preview results while data is being acquired. Once the image files are created, examiners can search and analyze multiple drives or media simultaneously.
Automated de-NISTing Capabilities
The National Software Reference Library (NSRL) is provided in the EnCase hash library format, allowing users to easily de-NIST their evidence, eliminating thousands of known files from their evidence set. This significantly reduces the time and the amount of data that needs to be analyzed.
Multiple File Viewer Support
View hundreds of file formats in native form, use the built-in Registry viewer and integrated photo viewer, and see results on a timeline/calendar.
Customizable and Extensible with Apps from EnCase App Central
EnCase® Forensic features EnScript® programming capabilities. EnScript®, an object-oriented programming language similar to Java or C++, allows users to create custom programs to help them automate time-consuming investigative tasks, such as searching and analyzing specific document types or other labor-intensive processes and procedures. Dozens of these productivity-enhancing programs or Apps are available on EnCase App Central.
Automatic Reports
Export reports with lists of all files and folders along with a detailed list of URLs, with dates and times of visits. Provide hard drive information and details related to the acquisition, drive geometry, folder structure, etc.
Actionable Data
Once investigators have identified relevant evidence, they can create a comprehensive report for presentation in court, to management, or to stakeholders in the outcome of the investigation.
Integration to Passware Kit Forensic
Use the Evidence Processor to automate the detection of encrypted files. Once the files are decrypted by Passware Kit Forensic*, they can be easily integrated back into EnCase Forensic for further analysis.
*Passware Kit Forensic license sold separately. Contact Sales for more information.
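
The two-layer check described under "Forensically Sound Acquisition" above (an MD5 over the image plus CRC values over the data), as an added example that is not EnCase code and does not reproduce its evidence file format. The block size, the dictionary layout, and the function names are assumptions made for illustration; the sample "drive" is constructed.

```python
import hashlib
import zlib

BLOCK_SIZE = 32 * 1024  # assumed for this example, not a documented EnCase value


def acquire(source: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Copy `source` block by block, recording a CRC32 per block and an MD5 over the whole stream."""
    md5 = hashlib.md5()
    blocks, crcs = [], []
    for off in range(0, len(source), block_size):
        block = source[off:off + block_size]
        md5.update(block)
        crcs.append(zlib.crc32(block))
        blocks.append(block)
    return {"data": b"".join(blocks), "block_size": block_size,
            "crcs": crcs, "md5": md5.hexdigest()}


def verify(image: dict) -> dict:
    """Recompute both checks. The MD5 says whether the image changed; the CRCs say where."""
    data, bs, expected = image["data"], image["block_size"], image["crcs"]
    actual = [zlib.crc32(data[off:off + bs]) for off in range(0, len(data), bs)]
    # A block is bad if its CRC differs, or if it exists on only one side
    # (the image was truncated or extended after acquisition).
    bad = [i for i in range(max(len(expected), len(actual)))
           if i >= len(expected) or i >= len(actual) or expected[i] != actual[i]]
    md5_ok = hashlib.md5(data).hexdigest() == image["md5"]
    return {"intact": md5_ok and not bad, "md5_ok": md5_ok,
            "bad_blocks": bad, "bad_offsets": [i * bs for i in bad]}


def sample_images() -> dict:
    """Constructed 100 KiB source, plus an altered and a truncated copy of its image."""
    image = acquire(bytes(range(256)) * 400)
    data = image["data"]
    return {
        "clean": image,
        "altered": dict(image, data=data[:70000] + b"\xff" + data[70001:]),
        "truncated": dict(image, data=data[:-5000]),
    }


if __name__ == "__main__":
    for name, img in sample_images().items():
        print(name, verify(img))
```

The whole-image MD5 alone only signals that something changed; the per-block values narrow the change to a byte range an examiner can inspect.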

Modules

These integrated modules extend the functionality and reach of EnCase® Forensic.

EnCase® Mobile Investigator
EnCase® Smartphone Examiner is designed for law enforcement, security analysts, and e-discovery specialists who need to review and forensically collect data from smartphone and tablet devices, such as iPhone and iPad. Investigators can process and analyze smartphone device data alongside other types of digital evidence within any OpenText Software EnCase® product.
EnCase® Virtual File System (VFS) Module
Easily mount and review evidence (such as a case, device, volume, or folder) as read-only from outside the EnCase® Forensic environment. Useful for evidence review by investigators, opposition experts, prosecutors, defense counsel, and other non-EnCase® Forensic users. Supports multiple file systems and easily mounts RAIDs and encrypted or compressed volumes.
EnCase® Physical Disk Emulator (PDE) Module
Mount an image of a replicated hard drive or CD in read-only mode, allowing the use of third-party tools for additional analysis. Also provides a platform for juries to view digital evidence in a familiar format. PDE can mount drives from several file systems, although the content may not be recognized by Windows.
EnCase® Decryption Suite
Tools suitable for decryption of disks, volumes, files, and folders. Capable of decrypting: Microsoft BitLocker, GuardianEdge Encryption Plus/Encryption Anywhere/Hard Disk Encryption, Utimaco SafeGuard Easy, McAfee SafeBoot, WinMagic SecureDoc Full Disk Encryption, PGP Whole Disk Encryption, Microsoft Encrypting File System (EFS), CREDANT Mobile Guardian, PST (Microsoft Outlook), S/MIME encrypted email in PST files, NSF (Lotus Notes), Protected storage (ntuser.dat), Security Hive, Active Directory 2003 (ntds.dit), and others.