EnCase is, arguably, the best-known name in computer forensics. It has a long history in law enforcement and, in recent years, has moved strongly into the corporate world. In doing that, Guidance Software has tried several new innovations. Today's EnCase is a full-featured product with a lot included. Much of that was available in prior versions as separate products and now is an integral part of the core solution.
The current release of EnCase, while still a solid forensic tool, also has some strong fraud detection capabilities. The product includes a servlet that can sit on the target machine and gain access at the kernel level for live forensics. This allows insight into memory and other live functions, as well as such traditional dead-box forensic artifacts as email, internet history and deleted files - all accessible remotely by the investigator.
One improvement that we noticed this year is the ability to function on the same machine and at the same time as other forensic tools using the same licensing scheme (Codemeter). In prior years, when we attempted to run two different products, both using Codemeter, the EnCase installation would not recognize its dongle. This release has completely eliminated that issue and we ran two different products flawlessly at the same time. This is important because digital forensic analysts often use two different products to get comparison views of the same case. While it is not usual to run both on the same machine simultaneously, that now is an option.
Another thing that takes some of the bulk out of EnCase is that it does not require a backend database to be installed separately on a second computer. Also, the product comes with a smartphone module that can analyze iOS and Android devices. This is convenient for including images of mobile devices in an investigation on the same analysis as the computer(s).
The current version has some interesting integrations with third-party products, including Internet Evidence Finder, Wetstone C-TAK and the Belkasoft Evidence Center. This tool can consume evidence from these other systems allowing a complete integrated investigation all in one place.
Installation was simple and quite direct. We simply downloaded the product files from the EnCase website and installed. It found our Codemeter and its license dongle and started immediately. We used our test image and it had no trouble creating a case quickly and efficiently.
The user interface in current releases is a departure from the usual and it takes a bit of getting used to if you really want to get the most out of the tool. That said, once you master it you can gain a lot of insight into your case. EnCase really is an investigation-centered tool - with the caveat that it is more at home in the lab with forensic analysts than it is in the field with investigators. Guidance does offer a useful triage tool (not reviewed) and the Tableau duplicators allow rapid field imaging as well as imaging in the lab (not reviewed), so the company certainly has not ignored the field investigator.
Traditionally, EnCase has been seen as a bit pricey for the corporate world and that has affected marketability. However, EnCase pricing today is attractive and, of course, there are law enforcement options that serve the traditional EnCase market.
Support always has been good for Guidance products and this one is no exception. The website is complete and just about any support package one would want is available in one form or another. The EnCase scripting language still is part of the solution and is quite powerful. Third-party integrators usually use enScript to enable EnCase to consume their files.