Review: EnCase Forensic v. 6

By on
Review: EnCase Forensic v. 6

Of the straight (i.e., not over-the-network) computer forensic tools we examined, EnCase has made the most noticeable changes since last year.

However, a few changes simply are cosmetic. That said, we liked EnCase better this year than last for one important reason: it has kept pace well with the needs of users.

There are some familiar things missing in this release. For example, the DOS version no longer is supported, but imaging a computer can now use a Linux boot disk that you must create by downloading a Linux distribution and creating a bootable CD.

However, in a production computer forensics lab, we usually see direct disk acquisition, and that is supported in EnCase using the recommended Fast Block write blocker. This approach clearly is targeted at supporting the way computer forensics is being done in today’s labs. Field imaging, computer-to-computer, is slow and cumbersome. Most forensic analysts prefer the controlled conditions of the lab.

Among the useful new capabilities in this release are additional content extractors, indexing and the ability to parse Microsoft Exchange files. A useful piece of evidence management, documentation of the hard drive serial number for acquired drives, also is new. Generally, we see EnCase returning to its roots.

While the new features largely track such things as supported file systems, there are a few new features that have some sizzle for the forensic examiner in the lab. The EnScript functionality, with its C++ and Java roots, is a staple of EnCase, and it continues to be a solid capability in this release.

The documentation is one of the primary strengths of all Guidance Software products. This manual is no exception. Full-size and a couple of hundred pages thick, this user documentation is first rate. Add the quick start guide, and you will have trouble going wrong.

For all of that, we find, as usual, that the product is overpriced in its field. At US$3,000 for a corporate license, plus support, this product is, in our view, way too expensive for what it does. While Guidance has its roots in law enforcement, in recent years we have seen a significant shift to satisfying the corporate market.

Support packages are available at extra cost, and the manual is not shy about pitching other Guidance Software services, such as training and consulting.

For: The gold standard of computer forensic products; documentation vastly superior to most products of its type.
Against: Way too expensive.
Verdict: This is a solid, well-proven product, if you can afford it.

Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?