POLL Time to upgrade to EnCase 7 or not *** STILL ****

11 Posts
7 Users
0 Reactions
1,270 Views
(@mitch)
Estimable Member
Joined: 19 years ago
Posts: 135
Topic starter  

Hi

OK, I purchased EnCase 7 when it was released. Disappointing to say the least.

Now it's been a while, so for the users of EnCase 7: is it worth me using it? (This includes me having to have a word with GS because my 1st year's subs are over, and I do not want to pay for the next 12 months as the first 12 was a joke.)

Views


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

I voted yes, but I need to qualify that.

The biggest reason I voted yes is that EnCase 6 is no longer being developed. If you want to continue using EnCase at all and intend to investigate Windows 8 computers, then you have almost no choice but to use EnCase 7.

I do believe that EnCase 7 has the potential to be superior to version 6, but we have a long way to go. It still crashes on me in one case when I run Recover Folders. Of course, it takes about 18 hours before it crashes. (This is on 7.05.03, BTW. Haven't tried it on 7.06 yet.)

Performance is still a big issue. I have followed Guidance's hardware recommendations, and it's not uncommon for processing to take more than a day, depending on the options selected. Once processing is done, the case can be examined quickly, but it's frustrating to wait so long–especially when the computer appears to be doing nothing–i.e. little disk activity and almost no CPU activity at times.

I would upgrade my hardware, but I doubt it would help. I saw a post the other day here (https://support.guidancesoftware.com/forum/showthread.php?t=41953) with some insane hardware. Even he is complaining about processing taking more than a day.

Intel W2600 CR2 Motherboard
2 x Xeon E5 - 2960 (8 core processors) overclocked to 3.25 GHz
256GB DDR3 memory
Storage
OS - Intel 520 SSD raid 0
Page File Environmental variables - Intel 520 SSD Raid 0
Primary Evidence Cache - 12 x Intel 520 SSD Raid 0
Bulk Storage - 10TB 4x4 TB SAS drives in Raid 5
Graphics card - EVGA 690GTX

That's a 12 SSD RAID 0 array for the evidence cache, and it still took 36 hours to process.

If you want to continue to use EnCase, you're pretty much compelled to upgrade to 7 at some point in the not too distant future. If you do, you will need a second computer dedicated to processing so you don't tie up an analysis computer for processing (processor dongles are free with each license, but the hardware is not), and you have to be willing to put up with continued performance issues and the occasional crash that causes you to lose a day or more of processing time. For many, this is not acceptable. For me, I have been able to deal with it. Once processed, EnCase 7 is a good product. It's getting it processed that is such a headache.


   
(@mitch)
Estimable Member
Joined: 19 years ago
Posts: 135
Topic starter  

Bulldawg

Thanks ever so much for a detailed reply.

I have a monster of a PC; however, silly things like I use 4 monitors and last I heard was you can't split the screens.

Processing is an issue, but I think will always be one, and will grow…….

It's the fundamental usage of EnCase as a tool I am more interested in: will I use it or end up shouting at my wife for the next 2 days, then revert back to version 6 to get the job done, after explaining to the client it will take another 3 days to complete.

Mitch


   
(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

Thanks for the detailed appraisal, Bulldawg. The fact that it still has serious issues nearly two years down the line is an eye-opener.

Cool rig, btw :)


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

> I have a monster of a PC; however, silly things like I use 4 monitors and last I heard was you can't split the screens.
>
> Processing is an issue, but I think will always be one, and will grow…….

As far as I know, you could always split the windows in EnCase 7. I only use two monitors though, so I have the View pane split from the Tree and Table panes. Could 6 be split further than that?

By "monster" PC, what do you mean? Anything like the specs in my previous post? My computers are nothing like that. i7-2600K, 32GB, SSD for OS, SATA for evidence files, RAID 5 of spinning disks for evidence cache. I need to switch the RAID 5 to 0, but I don't have a good backup system in place yet, so I don't want to go with 0.

As for your last question–a little background is in order. I started in digital forensics about three years ago. I did my EnCE exam on EnCase 6, but at that time, EnCase 7 was out and it was very clear GSI wasn't going to keep developing 6 with new features slated for 7. I made the choice to stop learning 6 and move to 7. I still jump back to 6 to verify some things, but when I do, I have to look back to my training materials, prep book, or the forums on how to do things in 6.

So, that said, if 6 is second nature to you, you very well may want to tear your hair out if you go to 7. The interface, work flow, techniques, and even core features are all very different. I would recommend the latest edition of the EnCE prep book. It covers 7, and there are several things in the book that you won't find in the documentation or the, frankly inadequate, EnCase Essentials web cast GSI offers for free. The author even covers those switching from 6 to 7 because to write the book, he had to make that switch.

7 is the future of EnCase, like it or not. I think the problems with 7 have driven many people to X-Ways or FTK as the primary tool, but 7 has gotten better. Still needs work though, lots of work.

As an aside–the most telling thing is if you follow the link to the thread at GSI in my post above, you'll notice that no GSI employee has chimed in to offer any explanation. This is what I find most frustrating. GSI claims that performance has improved in 7.0x all the time, but with every new release, you get questions like that one and it's clear that processing times are nowhere near what they should be. After two years, they should have this sorted out. When they are called out on the problem, they simply ignore it on their forums.


   
(@lukeluke)
Eminent Member
Joined: 15 years ago
Posts: 28
 

I still can't find a reason why they killed the V6 search feature. In V7 the search is a pain in the a$$ (not to mention the fact that there was no refresh button to see live results last time I used V7).


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

Why do people keep using broken stuff? 18 hours just to crash? Sounds like they contracted out to ftk coders :)

Rather than upgrade to 7, try xways. Half the cost, twice the features, a million times faster and lighter. You will finish exams before 7 finishes preprocessing.

I have v6 and 7 as well but haven't used em in years


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

I converted to Xways years ago after using EnCase for a long time and I've never looked back.

BUT

I will qualify that by saying that unless you have an experienced Xways user, or you have the budget to go on the training course at the same time you buy it then it may not be the best option.

Xways is not a piece of software that you can just pick up and run with very easily, even if you are an experienced EnCase user. That's not to say you won't be able to figure out how to acquire an image or even load up an image and start looking at it. But the first (and hardest) change to get used to is the different naming conventions.

I never realised just how many terms were used by EnCase which were actually EnCase specific and not forensics specific as I thought. But that's a whole thread on its own.

For my money Xways is a far superior tool in almost every way, however unless you get trained or have an experienced user to show you then you won't get your money's worth simply switching over and trying to figure it out.

If you can't/won't convert to Xways then you should upgrade EnCase and push through the pain until they get it working smoothly again…..should be around 2018 😉


   
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

adam,

brett shavers and I are writing a book on xways that will change all that. it will be all that is needed to pick up and learn xways from scratch. it won't teach you forensics, but it will teach you everything about xways.

the chapter on the GUI alone is 60 pages!

more info here

http://xwaysforensics.wordpress.com/

along with some cool utilities i wrote for xways.


   
(@jamminontheone)
New Member
Joined: 12 years ago
Posts: 1
 

> the chapter on the GUI alone is 60 pages!
>
> more info here
>
> http://xwaysforensics.wordpress.com/
>
> along with some cool utilities i wrote for xways.

+1 on the utilities. +10 on the effort
Not sure that having 60 pages on a UI alone is necessarily a good thing… any forensic tool at its heart inherently reflects the complexity of the system under investigation, and if it doesn't, it is obscuring something that may be relevant. But reading 60 pages about a UI seems more like a draconian punishment in this day and age.

This isn't a commentary on the content as I of course have not read it yet. I am sure it is a useful reference for those wandering in the dark without a guide.


   