Guidance Software EnCase 7.10
October 01, 2015
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Traditional EnCase quality enhanced with add-in modules and ties to third-party integrations.
- Weaknesses: Being traditionalists, we are still not quite comfortable with the user interface. However, we recognise that it gives a bit of flexibility that is an improvement over the traditional EnCase UI.
- Verdict: Regardless of what other tools you are using, this one really needs to be in your arsenal. It is best practice to use more than one tool to ensure that your analysis is complete. The long-time reputation, quality and comprehensive reporting functions make this an important tool no matter what else is in your lab.
EnCase is, arguably, the best-known name in computer forensics. It has a long history in law enforcement and, in recent years, has moved strongly into the corporate world. In doing that, Guidance Software has tried several new innovations. Today's EnCase is a full-featured product with a lot included. Much of that was available in prior versions as separate products and now is an integral part of the core solution.
The current release of EnCase, while still a solid forensic tool, also has some strong fraud detection capabilities. The product includes a servlet that can sit on the target machine and gain access at the kernel level for live forensics. This allows insight into memory and other live functions, as well as such traditional dead-box forensic artifacts as email, internet history and deleted files - all accessible remotely by the investigator.
One improvement that we noticed this year is the ability to function on the same machine and at the same time as other forensic tools using the same licensing scheme (Codemeter). In prior years, when we attempted to run two different products, both using Codemeter, the EnCase installation would not recognise its dongle. This release has completely eliminated that issue and we ran two different products flawlessly at the same time. This is important because digital forensic analysts often use two different products to get comparison views of the same case. While it is not usual to run both on the same machine simultaneously, that now is an option.
Another thing that takes some of the bulk out of EnCase is that it does not require a backend database to be installed separately on a second computer. Also, the product comes with a smartphone module that can analyse iOS and Android devices. This is convenient for including images of mobile devices in an investigation on the same analysis as the computer(s).
The current version has some interesting integrations with third-party products, including Internet Evidence Finder, Wetstone C-TAK and the Belkasoft Evidence Center. This tool can consume evidence from these other systems allowing a complete integrated investigation all in one place.
Installation was simple and quite direct. We simply downloaded the product files from the EnCase website and installed. It found our Codemeter and its license dongle and started immediately. We used our test image and it had no trouble creating a case quickly and efficiently.
The user interface in current releases is a departure from the usual and it takes a bit of getting used to if you really want to get the most out of the tool. That said, once you master it you can gain a lot of insight into your case. EnCase really is an investigation-centered tool - with the caveat that it is more at home in the lab with forensic analysts than it is in the field with investigators. Guidance does offer a useful triage tool (not reviewed) and the Tableau duplicators allow rapid field imaging as well as imaging in the lab (not reviewed), so the company certainly has not ignored the field investigator.
Traditionally, EnCase has been seen as a bit pricey for the corporate world and that has affected marketability. However, EnCase pricing today is attractive and, of course, there are law enforcement options that serve the traditional EnCase market.
Support always has been good for Guidance products and this one is no exception. The website is complete and just about any support package one would want is available in one form or another. The EnCase scripting language still is part of the solution and is quite powerful. Third-party integrators usually use enScript to enable EnCase to consume their files.
SC Webcasts UK
Information Security Manager
Infosec People - Hammersmith, West London
SOC Analyst, Aldershot, £55-63k + benefits
Infosec People - England, Aldershot, Hampshire
Security Architect, Cardiff - to £70k Basic
Infosec People - Cardiff, Wales
Interim CISO (Chief Information Security Officer) - Cyber Security Director
CYBER EXECS - London (Central), London (Greater)
Junior Penetration Tester, Hertfordshire, to £35k + benefits
Infosec People - England, Hertfordshire
Sign up to our newsletters
SC Magazine UK Articles
- Tesco Bank allegedly ignored warnings of hack from Visa
- Updated: A million German routers knocked offline by failed Mirai botnet attack
- Gooligan ad fraud malware infects 1.3M Android users, installs over 2M unwanted apps
- Cyber-security must reflect risk not just regulation
- Data centres are on the move - where will they end up?
- SC Awards Europe 2016 winners announcements!
- ISIS radicalises 'lone wolves' through strong social media presence
- Updated: How will Brexit affect the cyber-security industry in UK and Europe?
- 9.2 million medical records for sale on darkweb
- Microsoft Office 365 hit with massive Cerber ransomware attack, report