As software has become more sophisticated, the technology and methods of computer forensic science and forensic software have had to evolve and keep pace.
And still, the discipline and methodology of forensic software has stayed the same.
It remains a matter of recovering, analyzing, organizing and presenting data with a methodical, forensically sound approach, leaving a clear audit trail for investigators to follow.
Forensic software and computer forensics are usually thought of as being tools for investigating computer crimes. But forensics are also used in civil proceedings as well as cases involving espionage, cyberstalking, fraud and much more.
- Computer forensics were vital to cracking and solving such high-profile cases as
- Dennis Rader, the “BTK Killer” of Wichita
- Serial killer Joseph E. Duncan III
- Murder victim Sharon Lopatka
- Michael Jackson’s doctor, Conrad Murray, M.D.
Methods of Computer Forensics
Several techniques have become standard procedure in computer forensics over the years.
An investigator can use cross-drive analysis to reference and compare information found on multiple hard drives. Live analysis uses sysadmin tools to extract and decrypt information, and deleted files can be recovered and carved out with the right tools.
The bottom line is this: even with a smashed hard drive and a partly-destroyed computer, there’s not much that can be hidden from a forensic investigator with the right qualifications and the right set of tools.
What is EnCase Forensic?
Over the years, EnCase Forensic has earned a reputation as “the gold standard in forensic investigations,” and for good reason.
Guidance Software practically defined the digital investigation category with EnCase Forensic back in 1998. Since then, EnCase was named Best Computer Forensic Solution for eight years in a row, by SC Magazine.
There are few solutions and systems that can rival EnCase Forensic’s features, functionality and innovation, and that’s all backed up by a stellar record of acceptance as evidence in court cases.
EnCase Forensic has kept up with technological advances by enabling investigators to acquire and extract the data they need from a wide variety of devices, including smartphones, tablets, GPS units and over 25 types of mobile devices in all. Their products are designed so investigators can produce comprehensive reports on their findings that are forensically sound and maintain the integrity of evidence.
First Phase: Triage
Any forensic investigation starts with triage, where the investigator begins to sift and search through potential evidence in computers and/or mobile devices and making initial calls as to what will be worthy of further analysis.
It’s a question of ranking and prioritizing findings in real-time, quickly and accurately. Whether in the lab or in the field, triage is designed to cut the backlog involved so the investigators or team can begin to move forward and get a little closer to “case closed.”
Second Phase: Data Collection
From triage, the investigators’ next phase will be the actual data collection. EnCase Forensic’s tools help acquire and gather more evidence than any other system on the market, with access to over 25 types of mobile devices across a wide range of file systems and OS’s, including iOS, Android and even obsolete devices like Blackberry. This type of flexibility is a necessity to be able to compile any potential evidence, regardless of where it might be stored.
Third Phase: Decryption
Once evidence is triaged and collected, decryption is the next step – and EnCase Forensic’s software is unbeatable when it comes to unlocking encrypted evidence.
You’ll find the broadest and most robust support of any forensic system, with products such as McAfee, Symantec, Dell Data Protection and much more.
In addition, you can unlock more decryption solutions with EnCase Forensic’s Tableau Password Recovery – a cost-effective system that’s purpose-built to find and unlock any files that are protected by password.
That sensitive information won’t do you any good unless you’re able to decrypt it and analyze it. EnCase Forensic can help ensure that you won’t be stopped dead by encrypted information.
Fourth Phase: Indexing
Next step: after the encryption solution is in place, you’ll need to be able to organize and index information so that it’s easily accessible for yourself, your team, and any others who will need access.
It can be a tedious and maddening job, akin to sorting through a haystack to find a needle – or you can use EnCase Forensic’s evidence processor to automate this task.
EnCase Forensic features an indexing engine that’s designed for performance and scale, making the task of complex queries across various fields of evidence much faster and more efficient.
As the case advances, a court of law or any other body that will be presented with the evidence has to have complete confidence not only in the findings, but in the investigator. That means being able to analyze and interpret evidence in order to build a compelling case, and the suite of capabilities that EnCase Forensic features is designed around the investigator. It’s robust enough to allow for deep forensic analysis as well as a fast, thorough and accurate triage.
The end game is always the same – helping you do what’s necessary to uncover evidence, compile it, present it and close cases. That includes organizing information into templates and frameworks that can be tailored and customized for the audience that will see them.
From your team and your organization to a judge or adjudicator, it’s essential that your information should be easy to grasp, and EnCase Forensics helps you toward that goal.
EnCase Forensic’s Hardware
- Tableau Forensic Imager (TX1): Whether in the lab or in the field, investigators need hardware that can tap into data from multiple media types without a compromise in portability or ease of use.
EnCase’s Tableau Forensic Manager supersedes their Tableau TD3 and is built around a custom Linux kernel, for speed and power. It’s compatible with IDE, Ethernet, FireWire, SAS, PCIe, USB and SATA and can support two active forensic tasks at a time with simultaneous imaging. This device outputs to raw .DD and .dmg formats, as well as .e01 or .ex01 compressed formats and includes a tablet-sized 7” touch-screen display that’s as simple to use as a smartphone.
Its Home tab includes Duplicate, Verify, Hash and Browse operations with just two touches, with a SideNav for quick access to logs, system settings, imaging defaults and network settings. Best of all, it features preconditions and rules that disable any destructive operations or deletion on drives while in use.
- Tableau Forensic Duplicator: It’s essential that an investigator should be able to accurately duplicate any findings, either in the field or in the lab. The Tableau Forensic Duplicator is designed for ease of operation, accuracy, reliability and speed when dealing with hard disks or solid-state drives.
It’s designed to make up to three duplicates of digital storage devices, all forensically sound enough to be used as evidence. Its imaging speeds are in excess of 15GB per minute, compressed with MD5 and SHA-1 hashing, and can support whole-disk encryption of destination drives.
- Tableau Password Recovery: Don’t let password-protected information be a roadblock to your investigative work. The Tableau Password Recovery unit streamlines and speeds up the process of unlocking password-protected files by actually recovering their passwords. It can be used either as a stand-alone device or can be integrated into CPU or GPU-based password recovery strategies.
- Tableau Forensic USB 3.0 Bridge: Suitable for both field and lab, this USB bridge features read/write mode capability thanks to an internal DIP switch and imaging speeds of up to 340 mp per second. This portable write-blocker paves the way for forensic acquisition of USB .0 devices. Forensic bridges are also available with compatibility for PCIe, SAS, FireWire and SATA/IDE connections.
EnCase Forensic’s Partners
EnCase Forensic has developed robust relationships with technology partners, allowing you to get the most out of your total investment by taking advantage of their investigative and security solutions. Partners include:
- Hewlett-Packard Enterprise
- Intel® Security
- Relativity One
- Project VIC
EnCase Forensics and Project VIC
Project VIC is a national network of investigators, application developers, victim identification specialists, scientists, engineers and strategic partners who are committed to developing innovative technologies and victim-centered tools to improve outcomes in child sexual exploitation and trafficking investigations.
Project VIC is centered around “crowdsourcing” police work by making it easier to share information and develop better data.
EnCase’s Forensic 8 suite is designed to be fully integrated into Project VIC, with improvements in reporting and investigation workflows, all driven by feedback from users. This latest iteration of EnCase Forensic is integrated with Project VIC’s hash library of victims of child exploitation. It is designed for users to be able to quickly identify these victims and zero in on finding yet-unknown victims.
EnCase regards users as an entire ecosystem, and has incorporated improved reporting, enhanced support for internet artifacts, improved bookmarking and other innovations into EnCase Forensic 8.
Investigators need to be able to clearly notify any concerned parties that they may be subject to a litigation matter. Executing this step in a sound, defensible way is key to reducing the chance of missing deadlines or other problems that can mean a tainted case and damage to your organization.
EnCase eDiscovery enables you to create and manage any litigation holds, all from a single control panel and automate anything in the process from legal notices to escalations.
It’s an ideal way to be sure that any preservation commitments are covered, and legal teams can compile and move data through the entire process, from collection to review.
EnCase eDiscovery is flexible and scalable for any type or size of case and can help streamline multiple phases of the eDiscovery process.
EnCase Mobile Investigator
PEW Research shows that over 90% of Americans own a cell phone, and over 70% own a smartphone. In just about every case, a mobile device can be a valuable and accurate source for evidence. EnCase Mobile Investigator can tap into smartphones, tablets, smart watches, GPS devices and even drones to yield valuable evidence for investigators.
Its tools can allow investigators to take a close, detailed look at acquired mobile device evidence and add it to a new or existing case easily. It’s continually updated to keep pace with advances in mobile devices, and includes several built-in functions that can easily get around a password-protected or locked device.
Evidence on a mobile device literally has no place to hide with EnCase Mobile Investigator.
Why EnCase Forensic?
The work that forensic investigators do is important and sensitive, and it’s vital that they be able to do thorough research, compile information and put together a case that’s going to be airtight.
EnCase Forensic’s suite of products gives investigators tools and software that give them a huge advantage when it comes to successfully meeting these goals.
Along with a user-driven set of innovations and constant updates to keep pace with technology, they offer customer support that’s unrivaled, either through phone, email or a customer community.
Training teams are available to make sure investigators are getting the best use out of EnCase products, either through training centers, online classes, on-demand classes or live classrooms. Trainers can even visit on-site at your location to make sure your team is fully up to speed.
Don’t take chances when you’re working your way through a computer forensics investigation. You need forensic rigor and an outcome that will stand up in court.
The people at EnCase Forensic want to make sure that your organization or your team has what they need to wrap things up with a successful outcome.