EnCase Forensic is the industry standard in computer forensic investigation technology

EnCase Forensic is the industry standard in computer forensic investigation technology.

• EnCase Forensic is the industry standard in computer forensic investigation technology.

• Encase is a single tool, capable of conducting large-scale and complex investigations from beginning to end.

• By Guidance Software, Inc.

• Version 6.10

Law enforcement officers

• Law enforcement officers

• Government investigators

• Corporate investigators

• Consultants

Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide.

• Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide.

• Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool.

• Save days, if not weeks, of analysis time by automating complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis.

• Find information despite efforts to hide, cloak or delete.

Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.

• Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space.

• Transfer evidence files directly to law enforcement or legal representatives as necessary.

• Review options allow non-investigators, such as attorneys, to review evidence with ease.

• Reporting options enable quick report preparation

FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, ad TiVo® 1 and TiVo 2 file systems

• FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, ad TiVo® 1 and TiVo 2 file systems

System menu

• System menu

• Toolbar

• Window containing panes

• Status line

• An evidence case includes:

• an evidence file

• a case file

• EnCase® program configuration files

The case file contains :

• The case file contains :

• pointers to one or more evidence files or previewed devices

• bookmarks

• search results

• sorts

• hash analysis results

• signature analysis reports

EnCase applications support:

• EnCase applications support:

• EnCase Evidence Files (E01): includes contents of an acquired device, investigative metadata and the device-level hash value.

• Logical Evidence Files (LEF/L01): created from files seen in a preview or existing evidence file.

• Raw images

• Single files, including directories

Preview a device

• Preview a device

• Add a device

• Acquire a device

• Hashing a device

• Restore: physical or logical

Encase Supports viewing the following files:

• Encase Supports viewing the following files:

• Text (ASCII and Unicode)

• Hexadecimal

• Doc, native formats for Oracle Outside In 8.2.2 technology supported formats

• Transcript, extracted content with formatting and noise suppressed

• Various image file formats

Outlook Express (DBX)

• Outlook Express (DBX)

• Outlook (PST)

• Exchange 2000/2003 (EDB)

• Lotus Notes (NSF) for versions 4, 5, and 6

• Mac DMG Format

• Mac PAX Format

• JungUm and Hangul 97 and 2000 Korean Office documents

• Zip files such as ZIP, GZIP, and TAR files

• Thumbs.db files

• Others not specified

Project:

• Project:

• Analyze one of evidence files and write an report.

• Choose one evidence file in C:\EvidenceFiles folder.

• Find User Manual in C:\Encase folder

• Lab

• Location: 4.101
• Time: Make an appointment with TA by email to na061000@utdallas.edu

Question?

• Question?