COS413 Capstone – EnCase Software Review Nathan Perkins.

Posted 19-Dec-2015

COS413

Capstone – EnCase Software Review

Nathan Perkins

Project Description

• Review EnCase Forensics Software

• Explain integrated forensics tools

• Provide screenshots of the EnCase work environment – explain features

EnCase Environment


Proprietary Tools

• EnScript
  – Mini-programming tool similar to C++
  – Mini programs that can process evidence
  – Can be programmed to process many small, tedious tasks quickly
  – EnCase contains a library of hundreds of different EnScripts
  – CON > Used mostly by experienced programmers.

Proprietary Tools Continued

• Timeline Tool
  – Outlines the dates and times at which evidence was modified
  – Easy-to-read graphical interface
  – Shows the number of clusters modified in a specific frame of time.

Timeline Tool

Other Useful Tools

• Multi-View evidence window can view evidence as:
  – Text
  – Hexadecimal
  – Picture (gallery view for picture files)
  – Disk (view the physical clusters that the evidence occupies)
  – Console (view output of EnScript programs)
  – Filters/Queries (specialized search criteria)

Other Useful Tools

• Uses MD5 hashing for evidence files and saved case files.

• Ability to generate detailed evidence reports – similar to ProDiscover and FTK

• BootDisk creation tool – creates bootable floppy disk

• Drive Wiper – secure erase of storage media.
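An added example (not from the slides or from EnCase itself) of the integrity check that hashing evidence and case files supports: digests are recorded at acquisition, then re-computed later and compared so any change to the evidence file is detected. SHA-256 is recorded alongside MD5 because MD5 is collision-prone; the file name and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Stream the file through each digest so large images need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(path):
    """Acquisition-time record: the digests a case file would keep beside the evidence."""
    return {"file": Path(path).name, "hashes": hash_file(path)}


def verify_evidence(path, record):
    """Re-hash the file and compare with the stored record.

    Returns (ok, mismatched_algorithms); ok is False if any digest differs.
    """
    current = hash_file(path, tuple(record["hashes"]))
    mismatched = [name for name, digest in record["hashes"].items() if current[name] != digest]
    return (not mismatched, mismatched)


def demo():
    """Constructed evidence file: hashed on acquisition, verified, then altered by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "evidence.bin"  # constructed sample, not a real image
        image.write_bytes(b"constructed evidence contents\x00" * 100)
        record = record_acquisition(image)
        intact, _ = verify_evidence(image, record)  # expect True
        data = bytearray(image.read_bytes())
        data[10] ^= 0x01  # flip one bit, as a corrupted or edited file would
        image.write_bytes(bytes(data))
        tampered, mismatched = verify_evidence(image, record)  # expect False
        return intact, tampered, sorted(mismatched)


if __name__ == "__main__":
    print(demo())
```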

Final Thoughts

• Tools are very in-depth, but can be more difficult to utilize when compared to entry-level tools such as ProDiscover.

• The proprietary tools such as the timeline can help create clearer evidence.

• EnCase is a very powerful computer forensics program, complete with all the tools necessary to build a solid case.

Outcome

• I learned about the key features of the proprietary tools of EnCase

• I am now able to better gauge the quality of various computer forensics software

• I was not able to use EnCase to its full extent, as the copy I used was a demonstration copy

Lessons Learned

• Do not underestimate a program of such small file size – EnCase is very powerful.

• To anyone pursuing a project in this area:
  – Try to find literature or manuals written by fellow users, as the documentation provided with the program is not thorough.