EnCase Computer Forensics Software
EnCase is a series of proprietary forensic software products produced by Guidance Software. It is used by many law enforcement agencies and corporations around the world to support civil/criminal investigations, network investigations, data compliance and electronic discovery.
EnCase is designed to make forensic-quality recordings of data stored on PCs, and to recover some insecurely deleted data. The network-enabled version of EnCase is capable of taking snapshots of RAM over time on a target computer. Special training is usually required to operate the software in a law enforcement capacity.
The first thing a user of EnCase will normally do is use the software to create images of suspect media (hard drives, CDs, etc.). Images are stored in proprietary formats and contain an MD5 or SHA-1 checksum to validate their authenticity. In the same way as dd (and unlike typical imaging software such as Norton Ghost), EnCase makes images that are exact copies of the original, byte for byte, so that unused parts of the media can be fully examined for deleted files and so forth.
After imaging, EnCase can be used to examine the files stored in the image using common tools such as a document viewer and hex editor. It can also examine parts of the filesystem not normally exposed to the user, such as deleted file entries, on-disk checksums and log/journaling data. It can also search for and attempt to recover deleted files.
Finally, any relevant files can be saved to the user's PC, along with checksums and other metadata, for use as evidence.
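The role of the stored checksum can be shown with a short added example (not EnCase code and not from the original article). It hashes a raw, dd-style image rather than EnCase's proprietary format, and goes one step beyond the text by also keeping per-block SHA-1 values so that a mismatch can be located. The block size, function names and sample image are assumptions constructed for the illustration.

```python
import hashlib
import io
from itertools import zip_longest

BLOCK = 4096  # block size chosen for this example, not an EnCase setting


def digest_image(stream, block=BLOCK):
    """Hash a raw image in one pass: whole-image MD5 and SHA-1 plus per-block SHA-1."""
    md5, sha1, blocks, size = hashlib.md5(), hashlib.sha1(), [], 0
    while True:
        buf = stream.read(block)
        if not buf:
            break
        md5.update(buf)
        sha1.update(buf)
        blocks.append(hashlib.sha1(buf).hexdigest())
        size += len(buf)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "blocks": blocks}


def verify_image(stream, recorded, block=BLOCK):
    """Compare a working copy with the record made at acquisition.

    Returns (matches, offsets): offsets are the byte offsets of blocks whose
    hash differs or that exist on only one side (truncated or extended copy).
    """
    current = digest_image(stream, block)
    matches = all(current[k] == recorded[k] for k in ("size", "md5", "sha1"))
    pairs = zip_longest(recorded["blocks"], current["blocks"])
    offsets = [i * block for i, (a, b) in enumerate(pairs) if a != b]
    return matches, offsets


def build_sample_image():
    """Constructed 16 KiB 'disk': one live file, then unused space holding a remnant."""
    image = bytearray(4 * BLOCK)
    image[0:11] = b"live file 1"
    image[3 * BLOCK + 100:3 * BLOCK + 115] = b"deleted remnant"
    return image


if __name__ == "__main__":
    original = build_sample_image()
    record = digest_image(io.BytesIO(original))         # taken at acquisition
    print(verify_image(io.BytesIO(original), record))   # untouched working copy
    altered = bytearray(original)
    altered[2 * BLOCK + 7] ^= 0x01                      # one bit flipped in unused space
    print(verify_image(io.BytesIO(altered), record))
```

Because the copy is byte for byte, a change in space that no file occupies still invalidates the checksum, which a file-level copy would not detect.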
Note that EnCase uses only common tools to perform its analysis; the main benefit to the user is that the tools are all tied together and are of supposedly forensic (i.e. verifiable) quality.
Data recovered by EnCase has been used successfully in various court systems around the world. Notably, the BTK Killer (Dennis Rader) was caught by FBI investigators using this software.
In 2001, Jessica M. Bair, a former U.S. Army Criminal Investigation Command Special Agent and computer forensics examiner, created the EnCase Certified Examiner (EnCE) program with John Colbert to certify professionals in the use of Guidance Software's EnCase computer forensics software. By 2009, over 2,100 professionals were certified in EnCase. In 2006, Bair was the technical editor for the Sybex-published Official EnCE Study Guide.
In 2009, Bair created the EnCase Certified eDiscovery Practitioner (EnCEP) program to certify professionals in the use of Guidance Software's EnCase eDiscovery software, as well as their proficiency in eDiscovery planning, project management and best practices spanning legal hold to load file creation.