What is EncaseWho Can use EncaseFeaturesSlide 5How Encase worksFile systems supported by EnCase software:Encase Interface:Slide 9Case Management (1)Case Management (2)Working with EvidenceSlide 13Viewing FilesView Compound FilesReportingProject InformationSlide 18Encase OverviewWhat is Encase•EnCase Forensic is the industry standard in computer forensic investigation technology. •Encase is a single tool, capable of conducting large-scale and complex investigations from beginning to end. •By Guidance Software, Inc.•Version 6.10Who Can use Encase•Law enforcement officers•Government investigators•Corporate investigators •ConsultantsFeatures•Acquire data in a forensically sound manner using software with an unparalleled record in courts worldwide. •Investigate and analyze multiple platforms — Windows, Linux, AIX, OS X, Solaris and more — using a single tool. •Save days, if not weeks, of analysis time by automating complex and routine tasks with prebuilt EnScript® modules, such as Initialized Case and Event Log analysis. •Find information despite efforts to hide, cloak or delete.Features•Easily manage large volumes of computer evidence, viewing all relevant files, including "deleted" files, file slack and unallocated space. •Transfer evidence files directly to law enforcement or legal representatives as necessary. •Review options allow non-investigators, such as attorneys, to review evidence with ease. •Reporting options enable quick report preparationHow Encase worksFile systems supported by EnCase software:•FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, ad TiVo® 1 and TiVo 2 file systemsEncase Interface:Encase Interface:•System menu•Toolbar•Window containing panes•Status lineCase Management (1) •An evidence case includes: an evidence file a case fileEnCase® program configuration filesCase Management (2)The case file contains :pointers to one or more evidence files or previewed devices bookmarks search results sorts hash analysis results signature analysis reportsWorking with EvidenceEnCase applications support: •EnCase Evidence Files (E01): includes contents of an acquired device, investigative metadata and the device-level hash value. •Logical Evidence Files (LEF/L01): created from files seen in a preview or existing evidence file.•Raw images •Single files, including directoriesWorking with Evidence•Preview a device•Add a device•Acquire a device•Hashing a device•Restore: physical or logicalViewing FilesEncase Supports viewing the following files:•Text (ASCII and Unicode) •Hexadecimal •Doc, native formats for Oracle Outside In 8.2.2 technology supported formats•Transcript, extracted content with formatting and noise suppressed •Various image file formatsView Compound Files•Outlook Express (DBX) •Outlook (PST) •Exchange 2000/2003 (EDB) •Lotus Notes (NSF) for versions 4, 5, and 6 •Mac DMG Format •Mac PAX Format •JungUm and Hangul 97 and 2000 Korean Office documents •Zip files such as ZIP, GZIP, and TAR files •Thumbs.db files •Others not specifiedReportingProject Information•Project:Analyze one of evidence files and write a report. Choose one evidence file in C:\EvidenceFiles folder.Find User Manual in C:\Encase folder•Lab•Location: 4.101•Time: Make an appointment with Amy by email to
View Full Document
Unlocking...