EnCase Forensic Edition
Excellent set of tools with strong support.
Expensive, but you get what you pay for.
Sets the standard for other forensic products. Definitely the best option for professional forensics investigations.
EnCase from Guid-ance Software has been at the vanguard of forensics software for some time - and with good reason.
Now in version 4.14, the solution is a powerful collection of correlation and analysis tools, designed to make the forensic investigator's job as easy as possible.
The product demands respect from the start, with its complex process for setting up and capturing data, which is both thorough and consistent.
This pervades the interface: everything feels precise and machined, which can be frustrating when you want to hasten through a routine, but ensures that the end result is evidence-analyzed in accordance with accepted procedures.
EnCase supports most standard PC, Mac and Unix file systems, and can handle removable storage, including USB.
Licensing is now more accessible than before: a single licensed copy can be distributed on many machines in the field, which will run in 'acquisition' mode, able to acquire but not analyse data.
With a USB or parallel port dongle attached, the software starts in full forensic mode.
Searching has also been improved. Keyword searches (with full regular expression support) can now be applied to multiple cases, which will make the lives of both corporate and criminal investigators much easier.
The documentation is good and includes case studies of forensics investigations, although the online help lets it down. While the average EnCase user has probably been trained thoroughly, better (or any!) context help would be welcome.
One of EnCase's strong points is that of its open source ideology: a tight-knit user community which discusses challenges and shares scripts to solve problems or streamline procedures, helping investigators get the most out of its powerful scripting facilities.
EnCase Forensic Edition cannot do the sort of remote imaging produced by ProDiscover, but its Enterprise Edition can.
Version 4.14 introduces the ability to check the remote system's open network connections, as well as long-awaited support for non-Windows systems.
Although significantly more expensive than other products, EnCase is still a clear winner if you need industrial grade forensics.