Unbiased Testing Confirms: EnCase® Forensic is Fastest

Ken Mizota Ken Mizota, Product Manager, Forensic Solutions

Well, that didn’t take long.

A genuine, independent third party, Digital Intelligence, a company recognized and respected in the forensic community and a reseller of forensic-specific solutions, including EnCase® Forensic and AccessData’s Forensic Toolkit (FTK) software, recently published the results of its testing of both FTK and EnCase Forensic.

Numbers May Not Lie, But The AccessData Report Is Far From The Truth

Ken Mizota Ken Mizota, Product Manager, Forensic Solutions

A little over a year ago, back in March 2012, in a previous EnCase Forensic blog post, “A Development Perspective,” we discussed the improvements that we had made to EnCase, including evidence processing speeds and the comprehensiveness of the indexed results. Now, AccessData, after waiting over a year, has conducted testing at its facilities on its equipment (nominally conducted by an “independent” third party, Opus One), and has issued a report (the “AccessData Report”) which I’ll address in detail, below. The AccessData public relations campaign over the last few weeks calls to mind the famous quote from Mark Twain:

Feature Spotlight: Direct Network Preview

Guidance Software EnCase Version 7.06 introduces a new built in ability to perform remote forensics. If you are unfamiliar with the term “remote forensics”, take a moment to review the Gartner Remote Forensics Report for 2012. EnCase Forensic Version 7.06 brings remote forensics to the standard in digital investigations, and enables forensically sound investigation of live devices. In this post, we’ll walk through how to perform a network preview, and we’ll discuss some of the key differences between remote investigation in EnCase Forensic and EnCase Enterprise.

EnCase App Central is Just One Month Away!

Guidance Software

Guidance Software has developed a portal for EnCase customers to draw on the 40,000 user community for solutions. App Central will be a one-stop shop for users of the EnCase Forensic software to find add-on applications that enhance the effectiveness and efficiency of the software. For years, one of the most powerful and unique advantages of the EnCase software has been the EnScript programming language, which allows developers the ability to extend the functionality of EnCase with custom EnScript code. Dozens of apps have already been written in EnScript to help investigators who use the EnCase product solve cases more quickly. App Central will take those EnScript apps and community power and put it in one place for its users.

Guidance Software is encouraging its users to come to the App Central site to take advantage of both the free and paid apps that have been tested with the newest version of the EnCase software. Apps that solve fundamental issues for investigators like finding specific files or evidence, automating time-consuming tasks, or simply uncovering evidence that other investigators in the community have found useful will be available….and in most cases, for free. App Central is the next phase of Guidance Software’s commitment to helping Encase users get the most from their software.

Feature Spotlight: Embedding Hyperlinks in Exported Reports

Guidance Software EnCase version 7.05 provides the ability to include hyperlinks to original documents and images in reports and offers updated report templates that display more metadata than ever before. View important metadata such as dates, times, physical sector information for unallocated items and hash values. Continue reading to learn how to include hyperlinks in your exported reports.

v7.05 Is Here!

Guidance Software We are excited to announce the availability of EnCase Forensic v7.05. This release contains many new improvements that we think you will enjoy. Let’s take a look at what is now available.

1. Uncover Evidence Up to Nine Times Faster
   v7.05 is considerably faster than previous versions of EnCase Forensic. How fast you ask? Up to nine times faster! The following graph highlights the improvements that the evidence processor has made over time. With v7.05, processing large evidence files is not a problem.

EnCase v6 to v7 CEIC Session Recap

Steve Salinas

It is hard to believe CEIC 2012 was almost two months ago. Since CEIC we have been hard at work on EnCase, in fact recently we released an update to v7, v7.04.1. If you did not receive the email notification about this release you can request the software download links by registering your dongle. Look for another great update to v7 coming in the fall, v7.05.

As I mentioned a few posts ago, we are planning a v6 to v7 webinar series focused on helping users upgrade and get the most out of v7. This webinar series begins tomorrow so I wanted to share an abbreviated version of the v6 to v7 session that we held at CEIC as a bit of a teaser for what is to come. In this twenty minute video I cover the highlights from the CEIC session, from preparing hash libraries to using tags. Of course in this short video it is impossible to go into too much detail but hopefully this video can act as a primer for the upcoming v6 to v7 webinar series. If you stick around to the end of the video you will also get a quick preview of what we have planned for v7.05 and further down the road.

More v6 to v7 goodness to follow!

Examining Volume Shadow Copies – The Easy Way!

Simon Key

INTRODUCTION

The Volume Shadow Copy Service (VSS) is a framework that allows volume-backups to be created while file system writes continue to take place.

Originally implemented in Windows XP and Windows Server 2003, VSS was expanded with Windows Vista, resulting in an additional Windows Explorer Previous Versions properties-sheet.

Using Volatility with EnCase

Mark Morgan INTRODUCTION

Memory Analysis has come a long way and it is imperative that a good Incident Responder realize the valuable information that can be obtained in analyzing memory.

I have been conducting Incident Response investigation for a few years now and have always used Volatility as my tool of choice. I like it because first off it is open source and I have found it to be very user friendly in identifying possible malware and being able to understand the results that are being retrieved from memory.

CEIC and EnCase Essentials v7 Training

Steve Salinas Last week at CEIC we ran four Upgrading EnCase v6 to v7: Who Moved My Cheese? sessions. The sessions were packed with EnCase v6 users who were looking to get past the obstacles that were preventing their full transition to v7. In total we presented to close to 200 attendees and had some really great discussion. By the end of the sessions I could see many of the attendees were ready to get going with v7.

During the process of walking the users through v7 I learned that that quite a few of the folks in each session had yet to view the free EnCase Essentials Training. One of the reasons many had not taken advantage of this free training was that they did not have ready access to the internet at work. Even those who knew about the training were forced to view it during their off hours, when they were able to connect to the internet.

The first thing I did when I got to the office this week was ask our training department to create an offline version of the essentials training and they did. Now anyone that wants to get the basics of v7 can download this offline format of the EnCase Essentials Training and view the lessons anytime, anywhere. In addition, we also updated the companion EnCase Essentials Training Guide, incorporating the changes made in the latest release of EnCase, v7.04. Be sure to download these two files when you get a chance and keep them handy.

On a related note I am planning a v6 to v7 webinar series where we will cover many of the topics that were presented during the CEIC session. Look for more information about this webinar series soon.