EnCase v7.10

Reviewed by George Karathanasis

After receiving a call to provide an evaluation of EnCase Forensic v7 software, I started thinking of my case work on computer and mobile forensic analysis and all the tools that I have used over the years. The most commonly used by examiners like myself is one of the industry standards, EnCase. Guidance Software Inc. first presented this software in 1997. Guidance launched the current version (V7) in 2012, which brought a lot of changes to the software’s interface as well as to many of its other well-known features.

The current version of EnCase is V7.10; this tenth release reinforces the manufacturer’s strong technical support. My first meeting with it was at Guidance’s training center in Slough, UK in 2012. My interaction with it has continued during many other training sessions of mine. EnCase is usually my primary forensic tool but also serves as an excellent verification tool.

As a forensic analysis tool, EnCase calls for a powerful workstation in order to perform quick and credible examinations. The minimum requirements described by the manufacturer are the following: a four-core CPU, 16 GB of RAM, and USB and Ethernet connections. After installation, the examiner will find some extra valuable tools, such as software write-blocking protection (FastBloc SE), Virtual File System, EnCase Decryption Suite and Physical Disk Emulator. At the same time, there is a small surprise in the EnCase package. A second dongle is in the box, and it is not, of course, a spare. It is the processor dongle, Guidance’s solution for saving valuable working time for each professional. When this dongle is used in one workstation, evidence can be processed there while the main dongle is used in another machine to analyze evidence that has already been processed. This capability could reduce working hours and, in combination with quick processing time, could finally reduce case backlog, which is one of the biggest problems in law enforcement and corporate digital forensic labs.

Everyone would like to use a tool which supports many operating systems and many different devices. From this point of view, EnCase could provide a complete solution. The most commonly used operating systems and file systems (Windows, OS X, Linux distributions; NTFS, Ext, FAT) are supported and can be analyzed well. Moreover, many mobile devices can be acquired in a forensically sound manner. Android, Windows Mobile, Symbian, iOS and BlackBerry are the most well-known mobile operating systems, and all are supported by EnCase. Finally, many decryption capabilities are available in V7.10, which give the examiner access to data that would otherwise be unreadable. Encryption products such as Credant Mobile Guardian/Dell Data Protection, Check Point, Symantec Endpoint Encryption, GuardianEdge, PGP Whole Disk, McAfee Endpoint Encryption, Microsoft Windows BitLocker, Sophos SafeGuard, WinMagic SecureDoc and Apple FileVault 1 are supported.

When EnCase starts, the case management pane is the first thing the user sees. Many templates for case metadata are available, and the user can also make their own. Metadata such as the examiner and lab information can also be added. Case and evidence notes can be added as well in order to fully describe the scenario. The next step is to add an evidence file. This could already have been created by other tools, or EnCase can acquire the data itself. Several acquisition techniques are available: physical and logical acquisition of hard drives, memory capture of a live system, acquisition of write-blocked devices, network-attached devices, and drives in Ethernet tethering mode. Using a crossover cable, EnCase can acquire the subject machine’s hard drive in a forensically sound manner without removing it and duplicating it with a hardware disk duplicator. So users can create case files, adding many different types of evidence and acquiring data from the examined devices. It is worth noting that if large data sets are added to a case file, they can sometimes cause issues with the software’s functionality and processing speed.

As with every forensic analysis tool, EnCase can process evidence reliably and quickly. Processing speed is a feature which has been improved significantly throughout the releases of V7. To be more specific about processing features and benefits, hash values can be computed, and deleted files and folders can be recovered. A tool named File Carver can search through unallocated space, and the user can restrict the search to certain file types and extensions in order to reduce processing time, rather than carving all deleted content. Moreover, the user’s internet activity, such as bookmarks, browser history, saved passwords, social media and chat logs, can be analyzed.

Email examination is also an advantage of this software. Many mailbox types, such as Outlook files (.pst), iOS files (.MBOX) and Lotus Notes files (.nsf), are supported and presented in a comprehensive manner. In addition, artifacts such as registry keys can be examined in depth and, combined with time artifacts, can produce valuable conclusions. Besides these features, file signature analysis is also provided. File extensions are compared to file signatures so that extension spoofing can be detected. Finally, evidence processing has a new valuable feature, which is prioritization. Analysts can make a priority list of the most important results and review them while the remainder of the case is processed. If these results are sufficient for their case, they have the option of stopping the processing, thus saving time. The processor manager pane is an administrative window of all past and ongoing processing jobs and is used to start, pause or stop a job.
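The two processing steps described above, carving a chosen set of file types out of unallocated space and comparing each file's extension against its signature, both rest on the same idea: a table of known headers (and, for carving, footers). The following is an added example written for this review, not EnCase's or Guidance's code; the signature table, the "unallocated" byte buffer and the sample file headers are all constructed here for illustration, and the carver only handles types whose end can be recognised by a footer.

```python
"""Signature-based carving and extension/signature mismatch detection.

Added example (not EnCase's own code). SIGNATURES, UNALLOCATED and SAMPLE_FILES
are constructed sample data, not a real signature database or real evidence.
"""

# Constructed signature table: (type name, header bytes, footer bytes or None,
# extensions normally associated with that type).
SIGNATURES = [
    ("JPEG image", b"\xFF\xD8\xFF", b"\xFF\xD9", {"jpg", "jpeg"}),
    ("PNG image", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", {"png"}),
    ("PDF document", b"%PDF-", b"%%EOF", {"pdf"}),
    ("ZIP container", b"PK\x03\x04", None, {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    ("Windows executable", b"MZ", None, {"exe", "dll", "sys", "scr"}),
]


def carve(data, wanted=None):
    """Carve files from a raw buffer by header/footer scanning.

    `wanted` is an optional set of type names; restricting it is what cuts the
    work down when an examiner only cares about, say, pictures. Types without a
    footer are skipped: recovering those needs a length from the header, which
    this example does not implement. Returns (offset, type name, bytes) tuples.
    """
    carved = []
    for name, header, footer, _ in SIGNATURES:
        if wanted is not None and name not in wanted:
            continue
        if footer is None:
            continue
        start = 0
        while True:
            start = data.find(header, start)
            if start < 0:
                break
            end = data.find(footer, start + len(header))
            if end < 0:
                break  # header with no footer: incomplete file, not carved
            end += len(footer)
            carved.append((start, name, data[start:end]))
            start = end
    return sorted(carved, key=lambda c: c[0])


def detect_type(header):
    """Return (type name, accepted extensions) for the first matching signature, else None."""
    for name, magic, _, exts in SIGNATURES:
        if header.startswith(magic):
            return name, exts
    return None


def classify(filename, header):
    """'match', 'mismatch' (extension does not fit the signature) or 'unknown'."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    hit = detect_type(header)
    if hit is None:
        return "unknown"
    return "match" if ext in hit[1] else "mismatch"


def signature_report(files):
    """Classify an iterable of (name, leading bytes) pairs."""
    report = []
    for name, header in files:
        hit = detect_type(header)
        report.append((name, hit[0] if hit else "no known signature", classify(name, header)))
    return report


# Constructed "unallocated space": filler bytes with a JPEG, a PDF and an orphan
# PE header embedded in it.
UNALLOCATED = (
    b"\x00" * 8
    + b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00 fake pixel data \xFF\xD9"
    + b"\x13\x37" * 6
    + b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
    + b"\x00" * 5
    + b"MZ\x90\x00 orphan header without carveable footer"
)

# Constructed sample files: only their leading bytes matter for signature analysis.
SAMPLE_FILES = [
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("invoice.pdf", b"%PDF-1.7\n"),
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),  # executable renamed to .txt
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("photo.png", b"\xFF\xD8\xFF\xE1\x1cExif"),  # JPEG data carrying a .png extension
    ("readme", b"Just plain text here."),
]

if __name__ == "__main__":
    for offset, kind, blob in carve(UNALLOCATED, {"JPEG image", "PDF document"}):
        print(f"carved {kind} at offset {offset}, {len(blob)} bytes")
    for name, detected, verdict in signature_report(SAMPLE_FILES):
        print(f"{name:14} {detected:22} {verdict}")
```

Restricting `carve` to a set of types is the analogue of limiting File Carver to selected file types, and the `mismatch` verdicts are exactly the spoofing artifacts signature analysis is meant to surface; a renamed executable such as `notes.txt` is the case an examiner most wants flagged.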

In every examination, some searching activity will usually take place. EnCase provides examiners with powerful searching features. First, keyword searching is available: users can search for their own custom expressions across every readable area of the storage medium. They can also create GREP (Global Regular Expression Print) expressions in order to improve their results when searching for specific text patterns such as credit card numbers or IP addresses. The dialog box for entering expressions also offers a helpful option for testing them. Moreover, indexing provides an additional way to locate search terms. Examiners have to process evidence with the option of index search turned off. This will increase processing time, but the outcome is that every text string is catalogued, and after this step searching is extremely quick. Finally, hash libraries, and the ability to search through them, are another potent searching feature. Examiners can create hash libraries with computed values of known files and search for those files in the examined evidence.
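The two search features that most reward a little care are GREP patterns and hash libraries: a raw pattern for a card number or an IP address matches far more junk than real hits, and a hash library is only as useful as the matching step behind it. The example below is added for this review and is not EnCase's own code. It assumes a constructed evidence buffer, a constructed list of known files, and two hypothetical patterns; it narrows the GREP hits with a Luhn check and an octet-range check, and matches evidence files against a SHA-1 library regardless of their file names.

```python
"""GREP-style pattern search with validation, plus hash-library matching.

Added example (not EnCase's own code). EVIDENCE, KNOWN_FILES and EVIDENCE_FILES
are constructed sample data.
"""
import hashlib
import re

# Constructed evidence buffer standing in for readable storage space.
EVIDENCE = (
    b"From: alice@example.test\r\n"
    b"Card on file: 4111 1111 1111 1111 (expires 12/27)\r\n"
    b"Bogus number: 1234 5678 9012 3456\r\n"
    b"Last login from 192.168.10.25, failed from 999.1.1.1\r\n"
    b"\x00\x00\x00confidential project falcon\x00\x00"
)

# Hypothetical GREP patterns of the kind an examiner might load.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # dotted quad, not yet range-checked


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ipv4_ok(text):
    """Every octet must be 0-255; the regex alone accepts 999.1.1.1."""
    return all(0 <= int(o) <= 255 for o in text.split("."))


def search_patterns(data):
    """Return (kind, offset, normalised value, passes_validation) for each hit."""
    hits = []
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        hits.append(("card", m.start(), digits, luhn_ok(digits)))
    for m in IPV4_RE.finditer(data):
        text = m.group().decode()
        hits.append(("ipv4", m.start(), text, ipv4_ok(text)))
    return hits


# Constructed hash library: files the examiner has already catalogued.
KNOWN_FILES = [
    ("company_secret.docx", b"PK\x03\x04 constructed docx payload"),
    ("cracker.exe", b"MZ\x90 constructed executable payload"),
]

# Constructed evidence files; the first is the known document under a new name.
EVIDENCE_FILES = [
    ("IMG_2231.jpg", b"PK\x03\x04 constructed docx payload"),
    ("setup.exe", b"MZ\x90 a different executable"),
]


def build_hash_library(files):
    """Map SHA-1 hex digest -> catalogued file name."""
    return {hashlib.sha1(content).hexdigest(): name for name, content in files}


def match_hash_library(library, files):
    """(evidence name, matching library name or None) for each evidence file."""
    return [(name, library.get(hashlib.sha1(content).hexdigest())) for name, content in files]


if __name__ == "__main__":
    for kind, offset, value, valid in search_patterns(EVIDENCE):
        print(f"{kind:5} @{offset:4} {value:20} {'valid' if valid else 'false positive'}")
    for name, known in match_hash_library(build_hash_library(KNOWN_FILES), EVIDENCE_FILES):
        print(f"{name:14} -> {known or 'not in library'}")
```

The validation flag is what turns a noisy GREP hit list into something reviewable: the Luhn test rejects `1234 5678 9012 3456` and the octet check rejects `999.1.1.1`, while both would otherwise appear as hits. The hash match finds the renamed document because the library keys on content, not on name or extension.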

In my opinion, the most powerful feature for every professional who uses EnCase V7.10 is Case Analyzer. It appears to be the most comprehensive way to present already processed evidence. All of the files’ metadata are computed and presented in a manner that is easy to understand. Registry files are also included among the artifacts which the user can compute into the Analyzer’s report. Combining these data sets, every examiner can review all evidence findings; bookmark and tag them in order to reuse them in the evidence pane; create links to the original evidence; and include all of this in the final report. Evidence of the user’s activity, file transactions and Windows events are only a few of the artifacts which can be analyzed quickly and reliably in Case Analyzer.

An old feature of EnCase, which still remains available, is EnScripts. EnScripts are the key differentiator between EnCase and other similar software. EnScripting is a programming feature that can automate tasks such as searching for certain artifacts, or add new capabilities such as exporting file hashes. Users can also visit the EnCase portal in order to download scripts created by Guidance’s technical staff or by other examiners. Better yet, they can go to EnCase App Central, where there are over 161 free apps which have been tested by Guidance and are fully compatible with EnCase v7. It is a capability that is not provided by any other similar manufacturer.

Another key reason for EnCase’s usefulness is the reviewing and presentation of evidence and examination results. Findings are presented in a clear and understandable way. Examiners can easily tag their evidence, sort it by many attributes, bookmark it and filter it for in-depth review. In turn, examiners’ evidence and inferences can easily be presented and reviewed by creating reports. Users are able to customize report templates, include files which are present as evidence, and include bookmarked folders. They can also edit the HTML-like code of the report template. The report’s output can be exported in many file types, such as text, Adobe Acrobat, Rich Text Format, HTML and XML files.

Summarizing all of the above, EnCase is a proven and trustworthy solution for conducting digital forensic examinations, and EnCase v7.10 is clearly the industry standard. In addition, many highly necessary features, as well as good, fast support from the manufacturer, guarantee a quality experience. To conclude, its total cost ($3,594 – including 1 year SMS) renders this product a cost-effective solution.

About the reviewer

My name is George Karathanasis and I come from Greece. I hold a diploma in Computer Engineering and Informatics. I am also a certified digital and multimedia evidence examiner. I am one of the owners and founders of a Greek firm, called Forensic Associates, which specializes in forensic services. I serve the Greek Minister of Justice, the Greek courts and also legal professionals, and I have testified as an expert witness in cases in Greek and Cypriot courts. I am also a PhD candidate and I teach digital forensics in many corporate firms and public organizations.

You can contact George via email at [email protected], or through LinkedIn and Twitter.
