Review: EnCase Forensic


Guidance Software's EnCase product is the undisputed heavyweight of the forensic software market, and version 5.0 introduces a slew of new features that will keep its opposition firmly on the ropes.


The most immediate change is the improved GUI. Menus have been rearranged and some panes improved. It took a little time to get used to the new arrangement, but it definitely felt faster and more polished to use, and all our acquisition and analysis tasks were accomplished with ease.

Other new features include much better support for decoding web caches from many different web browsers, reading common mailbox formats and acquiring data from live Linux systems. EnCase already supported the broadest set of file systems in the industry, but now it can read TiVos too and, more practically, resolve symbolic links in Unix file systems.

The complexity of the software is considerable. Because of its vast armory of tools, getting to grips with the product is no mean feat. You really do need Guidance's excellent training. Going off half-cocked would be dangerous, as defense attorneys are also familiar with the product now and will attack any perceived flaw in its use.

A major advantage of EnCase is not a software feature at all, but its active user community who contribute scripts, assist fellow forensic examiners with problems and discuss best practice in user forums. In any market space, this can be a decisive factor in setting the leaders apart from the rest of the field, and Guidance has done well in fostering this community.

Widely used by forensic investigators in police forces and the private sector, EnCase could suffer from its own popularity. Just as exploit writers aim at widely used targets, criminals seeking to hide data might hope to fox most investigations simply by ensuring they do so in a manner EnCase cannot currently handle – we were able to hide data by manipulating file headers in an unexpected way.

Guidance controls its licensing with an iron hand, so the criminal community would hopefully not have this degree of access, but that is no guarantee.

Overall, we can find no fault with EnCase. Previous versions have performed solidly, and version 5.0 is a worthy upgrade.

For: Massive feature set and active user community.

Against: Complex with a steep learning curve.

Verdict: Still way out ahead of the pack.
