EnCase is widely seen as the yardstick against which
to measure other forensic software. It continues to develop, and version 4.19 brings new and improved features.
The new Physical Disk Emulator (PDE) module allows an image from a disk drive or CD-Rom to be mounted as if it was a local disk
and examined using Windows Explorer. This feature has a number of possible applications, and is particularly useful for scanning a drive with programs that do not integrate with EnCase, but do integrate with Windows Explorer.
Virus scanners and viewers such as QuickView Plus, as well as standard Windows applications, can be used without compromising the data or the forensic system.
The EnCase Decryption Suite works on Microsoft's Encrypting File System (EFS), Outlook archive files and the Windows Registry to retrieve encrypted data.
Access to Outlook Express files has been improved, and includes automatic examination of deleted emails. The EnScript language has been extended with support for arrays, inheritance and virtual functions, and a number of existing scripts and filters have been updated with new functionality.
Installation was simple, although this system also requires a dongle before it will run in anything other than "acquisition mode."
This ties in with the licensing system, allowing data collection to be run on several machines while the forensic examination is carried out on another system equipped with the full software. This allows less skilled staff to be used in the field, while those with the forensic expertise conduct the investigations back at base.
Although there are some minor inconsistencies and omissions in the documentation, it is of a generally high standard and plentiful.
EnCase enjoys considerable third-party support in the shape of file viewers, password crackers, and mail viewers, among others, that help to extend its range and capabilities to provide a comprehensive forensic system.