EnCase


EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. EnCase allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.
The company also offers EnCase training and certification.
Data recovered by EnCase has been used in various court systems, such as in the cases of the BTK Killer and the murder of Danielle van Dam. Additional EnCase forensic work was documented in other cases such as the evidence provided for the Casey Anthony, Unabomber, and Mucko cases.

Company and Product Overview

EnCase was originally created in 1997 by Shawn McCreight, the founder of Guidance Software, out of his home. In 1998 EnCase Forensic was officially released. At the time there were no GUI forensic tools available.
In 2002 EnCase Enterprise was released, allowing the first network-enabled digital forensic tool to be used in forensic, investigative, and security matters.
In 2005 EnCase eDiscovery was released, which further enabled the network abilities of EnCase to allow identification, collection, preservation, and analysis of ESI for litigation and investigative purposes.
In 2007 EnCase AIRS was released to automate the scanning, documenting, and remediation abilities of EnCase Enterprise. EnCase Information Assurance, EnCase Data Audit and Policy Enforcement were also released in 2007.
In 2008 EnCase Cybersecurity was released, which combined many of the tools and automation from previous security functions and streamlined the workflow of incident response.
In 2015 EnCase Endpoint Security was released, which was the evolution of Endpoint Security into a more user-friendly web interface, along with further integration with many other security tools to shorten the response time to an attack or event.
In 2016 EnCase Enterprise needed a face lift, and the distributed agent was given more abilities with the redesign into EnCase Endpoint Investigator. Also in 2016, EnCase Risk Manager was released for data risk assessment, audit, DLP-like services, and compliance.
In 2017 Guidance Software was acquired by OpenText, and the company name "Guidance Software" is no longer used.

EnCase Product Line

EnCase technology is available within a number of products, currently including: EnCase Forensic, EnCase Endpoint Investigator, EnCase eDiscovery, EnCase Endpoint Security and EnCase Portable. Guidance Software also runs training courses, from Foundations in Computer Forensics to several expert series courses, including an EnScripting course to automate various functions within EnCase. Further, certification is offered to train toward and prove knowledge within various fields, including EnCE, EnCEP, and CFSR. The EnCase training team has trained over 100,000 individuals to date.

Features

EnCase contains tools for several areas of the digital forensic process: acquisition, analysis and reporting. The software also includes a scripting facility called EnScript with various APIs for interacting with evidence.

Expert Witness File Format

EnCase contains functionality to create forensic images of suspect media. Images are stored in the proprietary Expert Witness File format; the compressible file format is prefixed with case data information and consists of a bit-by-bit copy of the media interspersed with CRC hashes for every 64K of data. The file format also appends an MD5 hash of the entire drive as a footer.
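
The integrity scheme described above can be illustrated with a simplified container. This is an added example, not EnCase code and not the real Expert Witness on-disk layout: the field order, the length prefixes and the names `write_image` and `verify_image` are assumptions made for illustration. It shows why the two checks complement each other: the per-block CRC localizes damage to a specific 64K block, while the footer MD5 covers the whole media.

```python
import hashlib
import struct
import zlib

BLOCK = 64 * 1024  # the article describes one CRC per 64K of data

def write_image(media: bytes, case_info: bytes) -> bytes:
    """Simplified layout (assumed): case-data header, media size,
    then each 64K block followed by its CRC32, then an MD5 footer."""
    out = bytearray(struct.pack("<I", len(case_info)) + case_info)
    out += struct.pack("<Q", len(media))
    for off in range(0, len(media), BLOCK):
        block = media[off:off + BLOCK]
        out += block + struct.pack("<I", zlib.crc32(block))
    out += hashlib.md5(media).digest()  # MD5 as described in the article
    return bytes(out)

def verify_image(image: bytes):
    """Return (case_info, indexes of blocks whose CRC fails, md5_ok).
    Raises struct.error if the image is truncated inside a header or CRC."""
    (hlen,) = struct.unpack_from("<I", image, 0)
    case_info = image[4:4 + hlen]
    pos = 4 + hlen
    (remaining,) = struct.unpack_from("<Q", image, pos)
    pos += 8
    md5, bad, index = hashlib.md5(), [], 0
    while remaining > 0:
        n = min(BLOCK, remaining)  # the last block may be short
        block = image[pos:pos + n]
        (stored,) = struct.unpack_from("<I", image, pos + n)
        if zlib.crc32(block) != stored:
            bad.append(index)  # damage localized to this block
        md5.update(block)
        pos, remaining, index = pos + n + 4, remaining - n, index + 1
    md5_ok = md5.digest() == image[pos:pos + 16]
    return case_info, bad, md5_ok

if __name__ == "__main__":
    # Constructed sample media: 3 full blocks plus a short final block.
    media = bytes(range(256)) * 800
    image = bytearray(write_image(media, b"case=DEMO-001"))
    print(verify_image(bytes(image)))
    # Flip one byte inside block 2 to simulate corruption of the image file.
    image[4 + 13 + 8 + 2 * (BLOCK + 4) + 100] ^= 0xFF
    print(verify_image(bytes(image)))
```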

Mobile forensics

As of EnCase V7, mobile phone analysis is possible with the addition of some add-ons available from Guidance Software.