EnCase Forensics v.6
April 01, 2007
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: This is the gold standard of computer forensic products, and it hasn't stood still. The provided documentation is vastly superior to most products of its type.
- Weaknesses: It is expensive for what it does.
- Verdict: This is a solid, well-proven product, if you can afford it.
Of the straight (that is, not over-the-network) computer forensic tools we examined, EnCase has made the most noticeable changes since last year, even if some of these are just cosmetic. We liked EnCase better this time for one important reason: it has kept pace with the needs of users.
There are some familiar things missing in this release. For example, the DOS version is no longer supported, so to image a computer you now use a Linux boot disk set up by downloading a Linux distribution and creating a bootable CD.
However, in a production computer forensics lab we usually see direct disk acquisition, and that is supported as usual in EnCase using the recommended FastBloc write blocker. This approach is clearly targeted at supporting the way computer forensics is being done in today's labs. Field imaging, computer-to-computer, is slow and cumbersome. Most forensic analysts prefer the controlled conditions of the lab.
Among the really useful new capabilities in this release are additional content extractors, indexing and the ability to parse Microsoft Exchange files. A good piece of evidence management, documentation of the hard drive serial number for acquired drives, is also new. Generally, we see EnCase returning to its roots in this release.
While the new features largely track things that we feel are simply necessary in any competent computer forensics tool, such as supported file systems, there are a few elements that stand out. The EnScript functionality, with its C++ and Java roots, is a staple of EnCase and it continues to be a solid capability in this release.
The documentation is, and always has been, one of the primary strengths of all Guidance Software products. This manual is no exception. Add the quick start guide, and you will have trouble going wrong.
However, we find that the product is over-priced. At £1,530 for a corporate licence, it is way too expensive for what it does. While Guidance has its roots in law enforcement, in recent years we have seen a significant shift to satisfying the corporate market. Support packages are available at extra cost and the manual is not shy about pitching other Guidance Software services such as training and consulting.