EnCase Forensic v7.09.02
Strengths: Solid product in the EnCase tradition. While the new UI is challenging at first, there are lots of capabilities and new features, including decryption, mobile device analysis and prioritized processing.
Weaknesses: A bit rough over the network when evidence is not at the processing computer.
Verdict: Pretty much what one would expect from Guidance – solid performance, excepting the network issue – and loads of features to make the forensic analyst’s job easier and faster.
EnCase has been around a long time and, by most accounts, created the definition of how a computer forensic product should look. EnCase Forensic v7 is the latest incarnation of the EnCase computer forensic tradition. It brings a lot of innovation while continuing that tradition. However, v7 is a real departure from earlier years in terms of its user interface. Rather than the expected Windows Explorer-like presentation, the current one is largely reminiscent of browsing the web. Some old-timers may not like this. We found it interesting, albeit a bit cluttered.
Decryption of several encryption schemes is now part of the package. This is an important step forward for the product. This capability covers both whole-disk encryption, such as PGP Whole Disk Encryption, and file- and folder-level encryption, such as McAfee Endpoint Encryption for Files and Folders. Additionally, this version of EnCase Forensic addresses mobile devices, something we were quite pleased to see.
The evidence disks for the case we processed resided on our case server in the server room in another part of the building. The connection is a local area network that has few connections beyond the switch in the server room and the switch in our lab. It runs reliably, with a network load of around two or three percent. Even so, EnCase dropped the connection repeatedly and we had a lot of trouble processing the case, which consisted of two disks of under a terabyte each, both with E01 images. The amount of time taken by EnCase to verify the disks was nearly seven hours on a fully loaded FRED.
Once the case was created, analysis of the images required that we become comfortable with the new UI. While that was not a show-stopper by any means, it slowed us down, and we imagine that for those grown comfortable with years of the earlier interface there will be a learning curve. Guidance acknowledges this in a back-handed sort of way by offering classes in transitioning from version 6 to 7. However, don't let this deter you from taking a close look at this excellent update of the EnCase story. EnCase Forensic is a solid product and can provide a lot of power and flexibility.
Documentation, as usual, is excellent. We always have liked EnCase documentation, and this new release is no exception. Another interesting capability - not directly part of Forensic v7 - is the EnCase App Store. We suppose that it is inevitable that developers of products will start making the fruits of their developer community available online, but this is so directly tied to v7 that it is worth mentioning.
Guidance Software does not offer a no-cost basic support option. However, numerous technical resources, documents and webinars are available on its website. The standard software maintenance and support is 20 percent of the license cost on an annual basis. Assistance is offered at three levels - standard, extended and premium. Within the different levels of assistance on offer, phone, email, a knowledge base and a FAQ list are available.
As usual, this is a pricey selection. However, all of the products of this type are going up in price and we did not, for the first year, find it at all out of line with what we expect in the market. In fact, EnCase Forensic is priced at or a bit below most other similar products.