EnCase

Developer(s): Guidance Software, OpenText
Initial release: 1998
Stable release: 21.1 CE / March 11, 2021 [1]
Operating system: Windows
Available in: English
Type: Computer forensics
Website: www.opentext.com/products/encase-forensic

EnCase is the shared technology within a suite of digital investigation products by Guidance Software (acquired by OpenText in 2017 [2]). The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.


The company also offers EnCase training and certification.

Data recovered by EnCase has been used in various court systems, such as in the cases of the BTK Killer and the murder of Danielle van Dam. [3][4] Additional EnCase forensic work was documented in other cases, such as the evidence provided in the Casey Anthony, Unabomber, and Mucko (Wakefield Massacre) cases.

Company and Product Overview

Guidance Software and the EnCase forensic tool were originally created by Shawn H. McCreight. [5]

In 2002 EnCase Enterprise was released, the first network-enabled digital forensic tool to be used in forensic, investigative, and security matters.

In 2005 EnCase eDiscovery was released, which further extended the network capabilities of EnCase to allow identification, collection, preservation, and analysis of ESI (electronically stored information) for litigation and investigative purposes.

In 2007 EnCase AIRS (Automated Incident Response Suite) was released (now discontinued, having evolved into EnCase Endpoint Security) to automate the scanning, documenting, and remediation capabilities of EnCase Enterprise. Also in 2007, EnCase Information Assurance and EnCase Data Audit and Policy Enforcement (both since effectively integrated into EnCase Endpoint Security) were released.

In 2008 EnCase Cybersecurity was released which combined many of the tools and automation from previous security functions and streamlined the workflow of incident response.

In 2015 EnCase Endpoint Security was released, an evolution of the earlier endpoint security products into a more user-friendly web interface, with further integration with many other security tools to shorten the response time after an attack or event.

In 2016 EnCase Enterprise was redesigned as EnCase Endpoint Investigator, and its distributed agent (formerly referred to as the servlet) was given additional capabilities. Also in 2016, EnCase Risk Manager was released for data risk assessment, auditing, DLP-like services, and compliance.

In 2017 Guidance Software was acquired by OpenText, and the company name "Guidance Software" is no longer used.

EnCase Product Line

EnCase technology is available within a number of products, currently including EnCase Forensic, EnCase Endpoint Investigator, EnCase eDiscovery (which includes EnCase Legal Hold), EnCase Endpoint Security and EnCase Portable. [6] Guidance Software also runs training courses, ranging from Foundations in Computer Forensics to several expert-series courses, including an EnScripting course on automating functions within EnCase. Certification is also offered to train toward and demonstrate knowledge in various fields, including EnCE (EnCase Certified Examiner), EnCEP (EnCase Certified eDiscovery Practitioner) and CFSR (Certified Forensic Security Responder). The EnCase training team has trained over 100,000 individuals to date. [7]

Features

EnCase contains tools for several areas of the digital forensic process: acquisition, analysis and reporting. The software also includes a scripting facility called EnScript, with various APIs for interacting with evidence.

Expert Witness File Format

EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary Expert Witness File format: the compressible file format is prefixed with case data information and consists of a bit-by-bit (i.e. exact) copy of the media interspersed with CRC checksums for every 64 sectors of data (by default). [8] The file format also appends an MD5 hash of the entire drive as a footer. [9] The E01 file format was reverse engineered and a specification is available.
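To make the checksum layout described above concrete, the following is an added illustration in Python; it is not EnCase's own code and not an implementation of the real EWF/E01 container, whose section headers, compression and checksum details it omits. It writes media into a container prefixed with case information, appends a CRC32 after every 64-sector chunk and an MD5 of the whole media as a footer, then reads the container back, verifies it and reports which chunk a corrupted byte lands in. The container layout, the constructed sample media and the case-info string are assumptions made for the example.

```python
import hashlib
import struct
import zlib

SECTOR_SIZE = 512          # bytes per sector
SECTORS_PER_CHUNK = 64     # the page's default: one checksum per 64 sectors
CHUNK_SIZE = SECTOR_SIZE * SECTORS_PER_CHUNK  # 32768 bytes


def sample_media() -> bytes:
    """Constructed stand-in for a seized drive: 200 sectors (102400 bytes)."""
    return bytes(range(256)) * 400


def write_image(media: bytes, case_info: bytes) -> bytes:
    """Build a simplified EWF-style container (assumed layout, illustration only).

    Layout: [4-byte case-info length][case info][chunk + CRC32]...[MD5 of media]
    The last chunk may be shorter than CHUNK_SIZE; its CRC covers what it holds.
    """
    out = bytearray()
    out += struct.pack("<I", len(case_info))
    out += case_info
    for off in range(0, len(media), CHUNK_SIZE):
        chunk = media[off:off + CHUNK_SIZE]
        out += chunk
        out += struct.pack("<I", zlib.crc32(chunk) & 0xFFFFFFFF)
    out += hashlib.md5(media).digest()
    return bytes(out)


def verify_image(image: bytes) -> dict:
    """Re-read the container, check every chunk CRC and the MD5 footer.

    The per-chunk CRCs localise damage to a 64-sector region; the MD5 footer
    states whether the reassembled media matches what was acquired.
    """
    (hdr_len,) = struct.unpack_from("<I", image, 0)
    pos = 4
    case_info = image[pos:pos + hdr_len]
    pos += hdr_len
    body_end = len(image) - 16             # MD5 digest is the final 16 bytes
    footer = image[body_end:]
    media = bytearray()
    bad_chunks = []
    idx = 0
    while pos < body_end:
        # Remaining body is chunk data plus a 4-byte CRC; the last chunk may be short.
        chunk_len = min(CHUNK_SIZE, body_end - pos - 4)
        chunk = image[pos:pos + chunk_len]
        (stored,) = struct.unpack_from("<I", image, pos + chunk_len)
        if zlib.crc32(chunk) & 0xFFFFFFFF != stored:
            bad_chunks.append(idx)
        media += chunk
        pos += chunk_len + 4
        idx += 1
    return {
        "case_info": case_info,
        "media": bytes(media),
        "bad_chunks": bad_chunks,
        "md5_ok": hashlib.md5(bytes(media)).digest() == footer,
    }


if __name__ == "__main__":
    info = b"case=constructed-demo;examiner=example"
    img = write_image(sample_media(), info)
    print("clean image:", verify_image(img)["bad_chunks"], verify_image(img)["md5_ok"])
    damaged = bytearray(img)
    damaged[4 + len(info) + CHUNK_SIZE + 4 + 10] ^= 0xFF   # flip one byte in chunk 1
    result = verify_image(bytes(damaged))
    print("damaged image: bad chunks", result["bad_chunks"], "md5 ok", result["md5_ok"])
```

The two layers serve different purposes: the chunk checksums tell an examiner where an image was damaged in transit or storage, while the whole-media hash is the value recorded in the report and compared against the original drive. MD5 is no longer collision-resistant, so current practice records a second hash such as SHA-256 alongside it rather than relying on the MD5 footer alone.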

Mobile forensics

As of EnCase V7, mobile phone analysis is possible with the addition of add-ons available from Guidance Software. [10]


References

  1. "Announcing OpenText Security and Protection Cloud CE 21.1 - OpenText Blogs". blogs.opentext.com. 11 March 2021. Retrieved 2021-04-04.
  2. "News and Press Releases (PR)". OpenText. 2017-09-14. Retrieved 2021-10-31.
  3. Taub, Eric A. (2006-04-05). "Deleting may be easy, but your hard drive still tells all". New York Times. Retrieved 2009-01-11.
  4. Dillon, Jeff, and Steve Perez. "Prosecutor hammers away at computer forensic expert; Dad's patron describes Brenda's propositions". San Diego Union-Tribune, July 3, 2002. Archived 2014-07-14 at the Wayback Machine.
  5. "Pasadena-Based Guidance Software Founder Writes to Stockholders to Help Improve Company – Pasadena Now". www.pasadenanow.com. Retrieved 2023-09-05.
  6. Guidance Software. http://www.guidancesoftware.com/. 11 October 2012.
  7. https://www.sprintzeal.com/. 11 October 2012.
  8. Bunting, Steve (2012). EnCase Computer Forensics: The Official EnCE: EnCase Certified Examiner Study Guide (3rd ed.). Indianapolis, Ind.: Wiley. ISBN 978-1-118-05898-5.
  9. Olivier, Martin S.; Shenoi, Sujeet, eds. (2006). Advances in Digital Forensics II. Springer. ISBN 0-387-36890-6. Retrieved 31 August 2010.
  10. Guidance Software. "EnCase Forensic V7". Archived from the original on 12 February 2012. Retrieved 13 April 2012.
