EnCase Forensics v.6
Strengths: This is the gold standard of computer forensic products, and it hasn't stood still. The provided documentation is vastly superior to that of most products of its type.
Weaknesses: It is expensive for what it does.
Verdict: This is a solid, well-proven product, if you can afford it.
Of the straight (that is, not over-the-network) computer forensic tools we examined, EnCase has made the most noticeable changes since last year, even if some of these are just cosmetic. We liked EnCase better this time for one important reason: it has kept pace with the needs of users.
There are some familiar things missing in this release. For example, the DOS version is no longer supported, so to image a computer you now use a Linux boot disk set up by downloading a Linux distribution and creating a bootable CD.
However, in a production computer forensics lab we usually see direct disk acquisition, and that is supported as usual in EnCase using the recommended FastBloc write blocker. This approach is clearly targeted at supporting the way computer forensics is being done in today's labs. Field imaging, computer-to-computer, is slow and cumbersome. Most forensic analysts prefer the controlled conditions of the lab.
Among the really useful new capabilities in this release are additional content extractors, indexing and the ability to parse Microsoft Exchange files. A good piece of evidence management, documentation of the hard drive serial number for acquired drives, is also new. Generally, we see EnCase returning to its roots in this release.
While the new features largely track things that we feel are simply necessary in any competent computer forensics tool, such as supported file systems, there are a few elements that stand out. The EnScript functionality, with its C++ and Java roots, is a staple of EnCase and it continues to be a solid capability in this release.
The documentation is, and always has been, one of the primary strengths of all Guidance Software products. This manual is no exception. Add the quick start guide, and you will have trouble going wrong.
However, we find that the product is over-priced. At £1,530 for a corporate licence, it is way too expensive for what it does. While Guidance has its roots in law enforcement, in recent years we have seen a significant shift to satisfying the corporate market. Support packages are available at extra cost and the manual is not shy about pitching other Guidance Software services such as training and consulting.